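# Forgejo host module: the forge and its database run as an arion
# (docker-compose) project, the Forgejo Actions runner runs natively.
# Every credential is delivered by sops-nix at activation time; nothing
# secret is written into the Nix store.
{ config, pkgs, ... }:
let
  vars = import ../../../../vars.nix;

  # Render a sops template into the compose project's directory.
  #
  # These env files contain the database password, so they are owner-read-only
  # (0400, the sops-nix default for secrets). The original mode here was 0775,
  # which made the password readable by every local account and set a
  # pointless executable bit. If a process other than `vars.user` (or root)
  # must read them, widen group access rather than "other".
  secretEnvFile = fileName: content: {
    path = "/home/${vars.user}/.docker/git/${fileName}";
    owner = vars.user;
    mode = "0400";
    inherit content;
  };
in
{
  virtualisation.arion = {
    projects.git.settings = {
      imports = [ ./arion-compose.nix ];
    };
  };

  # Raw secrets (default sops-nix mode 0400), owned by the compose user.
  sops.secrets."forgejo/db_password" = { owner = vars.user; };
  sops.secrets."forgejo/db_user" = { owner = vars.user; };
  sops.secrets."forgejo/db_database" = { owner = vars.user; };
  sops.secrets."forgejo/runner_token" = { owner = vars.user; };

  # Forgejo container: database connection settings via GITEA__* env vars.
  sops.templates."forgejo.env" = secretEnvFile "forgejo.env" ''
    GITEA__database__NAME="${config.sops.placeholder."forgejo/db_database"}"
    GITEA__database__USER="${config.sops.placeholder."forgejo/db_user"}"
    GITEA__database__PASSWD="${config.sops.placeholder."forgejo/db_password"}"
  '';

  # Postgres container: the same three values under the POSTGRES_* names, so
  # the forge and the database are guaranteed to agree on the credentials.
  sops.templates."forgejo-db.env" = secretEnvFile "forgejo-db.env" ''
    POSTGRES_DB="${config.sops.placeholder."forgejo/db_database"}"
    POSTGRES_USER="${config.sops.placeholder."forgejo/db_user"}"
    POSTGRES_PASSWORD="${config.sops.placeholder."forgejo/db_password"}"
  '';

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = config.networking.hostName;
      url = "https://git.ghoscht.com";
      # Registration token comes straight from the sops secret instead of a
      # hand-placed ~/.docker/git/forgejo-runner.env.
      # NOTE(review): the NixOS module consumes `tokenFile` as a systemd
      # EnvironmentFile, i.e. it expects a `TOKEN=...` line — confirm the
      # decrypted secret body is in that form rather than a bare token.
      tokenFile = config.sops.secrets."forgejo/runner_token".path;
      # Jobs that request ubuntu-latest run inside a node:22 container.
      labels = [ "ubuntu-latest:docker://node:22-bookworm" ];
    };
  };

  # Enable the actions cache (https://forgejo.org/docs/latest/admin/runner-installation/):
  # job containers on the docker bridges must be able to reach the cache
  # server on the host.
  # NOTE(review): trusting every `br-*` interface opens *all* host ports to
  # *every* container on any bridge, not only the cache port. If the cache
  # listen address/port is fixed, a per-interface allowedTCPPorts rule on the
  # bridge would be considerably tighter — confirm which ports are needed.
  networking.firewall.trustedInterfaces = [ "br-+" ];
}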