{config, ...}: let
  forgejoPort = 8082;
in {
  age.secrets."hidden_service/forgejo" = {
    file = ../secrets/hidden_service/forgejo;
  };

  services.forgejo = {
    enable = true;
    lfs.enable = false;
    settings = { 
      server = {
        DOMAIN = "git.distrust.network";
        HTTP_PORT = forgejoPort;
        ROOT_URL = "https://git.distrust.network/";
        SSH_PORT = builtins.head config.services.openssh.ports;
      };
      "service.explore".DISABLE_USERS_PAGE = true;
    };
  };

  distrust.services."forgejo" = {
    url = "https://git.distrust.network";
    onion = {
      url = "http://cr27k6asjs7skvjxs6smhqfam3wlvmft2f3iins44k6p6rmmfyolobqd.onion";
      secretKey = config.age.secrets."hidden_service/forgejo".path;
    };
    virtualHostConfig = ''
      reverse_proxy localhost:${toString forgejoPort}
    '';
    backup = {
      enable = true;
      paths = [
        "/var/lib/forgejo"
      ];
    };
  };
}