# Compose-style project for a Forgejo instance backed by PostgreSQL, published
# through Traefik via container labels.
# NOTE(review): the option names (project.name, services.<name>.service,
# useHostStore) look like an Arion composition; confirm against the caller.
{
  project.name = "git";

  # "dmz" is declared external: this project does not create it and expects it
  # to exist already. The forgejo labels name it as the Traefik network.
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # Project-local network with default settings; joined by forgejo and git-db.
  networks.transport = {};

  services = {
    forgejo.service = {
      # Pinned by tag only. Tags are mutable on a registry; pinning by digest
      # (image = "<repo>:<tag>@sha256:<DIGEST_PLACEHOLDER>") makes the deployed
      # content reproducible and verifiable.
      image = "codeberg.org/forgejo/forgejo:9.0.3";
      container_name = "forgejo";
      # NOTE(review): in Arion this option bind-mounts the host's Nix store into
      # the container. With a prebuilt upstream image that is probably not
      # needed, and it lets the container read everything in the host store.
      # Confirm and drop it if unused.
      useHostStore = true;
      labels = {
        "traefik.enable" = "true";
        # Opts this container in to Diun image-update watching (presumably Diun
        # runs elsewhere on this host; git-db carries no such label).
        "diun.enable" = "true";
        "traefik.docker.network" = "dmz";

        # Router "forgejo": entrypoint "websecure", TLS via the "letsencrypt"
        # resolver, forwarding to container port 3000.
        "traefik.http.services.forgejo.loadbalancer.server.port" = "3000";
        "traefik.http.routers.forgejo.service" = "forgejo";
        "traefik.http.routers.forgejo.entrypoints" = "websecure";
        "traefik.http.routers.forgejo.rule" = "Host(`git.ghoscht.com`)";
        "traefik.http.routers.forgejo.tls" = "true";
        "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";

        # Router "forgejo-external": same Host rule and backend port, bound to
        # the "websecure-external" entrypoint instead. No middlewares (auth,
        # rate limiting, IP allow-list) are attached to either router here, so
        # access control rests on Forgejo itself and on how Traefik defines the
        # two entrypoints; that Traefik configuration is not visible in this file.
        "traefik.http.services.forgejo-external.loadbalancer.server.port" = "3000";
        "traefik.http.routers.forgejo-external.service" = "forgejo-external";
        "traefik.http.routers.forgejo-external.rule" = "Host(`git.ghoscht.com`)";
        "traefik.http.routers.forgejo-external.entrypoints" = "websecure-external";
        "traefik.http.routers.forgejo-external.tls" = "true";
        "traefik.http.routers.forgejo-external.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        # Host directory bind-mounted read-write at /data.
        # NOTE(review): presumably holds repositories, app.ini and SSH host
        # keys; keep the host directory's permissions restrictive and include
        # it in backups.
        "/home/ghoscht/.docker/git/forgejo_data:/data"
        # Read-only mount so the container follows the host's time zone.
        "/etc/localtime:/etc/localtime:ro"
      ];
      ports = [
        # Publishes container port 22 on host port 2222. No host address is
        # given, so Docker binds it on all host interfaces; Docker-published
        # ports are commonly not filtered by host firewall front-ends such as
        # ufw. Presumably Git-over-SSH; confirm the intended exposure.
        "2222:22"
      ];
      environment = {
        USER_UID = 1000;
        USER_GID = 1000;
        # GITEA__<section>__<KEY> variables are mapped onto app.ini settings by
        # the image. "git-db" is the sibling service below, reached over the
        # "transport" network that both services join.
        GITEA__database__DB_TYPE = "postgres";
        GITEA__database__HOST = "git-db:5432";
      };
      env_file = [
        # Read from the host at container start, so its contents stay out of
        # this Nix expression (and out of the Nix store).
        # NOTE(review): presumably carries the database credentials and other
        # secrets; verify the file is owner-readable only (mode 0600).
        "/home/ghoscht/.docker/git/forgejo.env"
      ];
      restart = "unless-stopped";
      networks = [
        "dmz"
        "transport"
      ];
    };
    git-db.service = {
      # Pinned to one specific PostgreSQL patch release by tag. The pin will
      # not pick up later 15.x fixes by itself, and this service has no
      # "diun.enable" label; review the version periodically.
      image = "postgres:15.3-bullseye";
      env_file = [
        # NOTE(review): presumably sets the POSTGRES_* credentials; same file
        # permission concern as forgejo.env.
        "/home/ghoscht/.docker/git/forgejo-db.env"
      ];
      volumes = [
        # Database files live on the host; restrict access to this directory.
        "/home/ghoscht/.docker/git/forgejo_db:/var/lib/postgresql/data"
      ];
      restart = "unless-stopped";
      # Attached to "transport" only and no ports are published, so the
      # database is reachable solely from containers on that network.
      networks = [
        "transport"
      ];
    };
  };
}