{config, ...}: let
  forgejoPort = 8082;
in {
  age.secrets."hidden_service/forgejo" = {
    file = ../secrets/hidden_service/forgejo;
  };

  services = {
    forgejo = {
      enable = true;
      lfs.enable = false;
      settings.server = {
        DOMAIN = "git.distrust.network";
        HTTP_PORT = forgejoPort;
        ROOT_URL = "https://git.distrust.network/";
        SSH_PORT = builtins.head config.services.openssh.ports;
      };
    };
    borgbackup.jobs."forgejo" = {
      repo = "ssh://u506783@u506783.your-storagebox.de:23/./forgejo";
      environment = {
        BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
      };
      paths = [
        "/var/lib/forgejo"
      ];
      encryption = {
        mode = "keyfile";
        passCommand = "cat ${config.age.secrets."borg_pass".path}";
      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = -1;
      };
    };
  };

  distrust.services."forgejo" = {
    url = "https://git.distrust.network";
    onion = {
      url = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
      secretKey = config.age.secrets."hidden_service/forgejo".path;
    };
    virtualHostConfig = ''
      reverse_proxy localhost:${toString forgejoPort}
    '';
  };
}