# NixOS module: self-hosted Forgejo with its built-in SSH server, an
# agenix-managed SSH host key, a dnsmasq CNAME, and traefik as reverse proxy.
{ config, lib, flakeSelf, ... }:
let
  # Per-host directory inside the `secrets` flake input holding the .age files.
  hostSecrets = "${flakeSelf.inputs.secrets}/${config.networking.hostName}/";

  # agenix secret readable only by the forgejo service account.
  forgejoOwned = ageFile: {
    file = hostSecrets + ageFile;
    mode = "0400";
    owner = "forgejo";
    group = "forgejo";
  };

  # Port traefik forwards to; read from the Forgejo settings so the two stay in sync.
  forgejoHttpPort = toString config.services.forgejo.settings.server.HTTP_PORT;
in
{
  # SSH host key pair for Forgejo's built-in SSH server.
  # The public half holds nothing confidential; it is shipped through agenix
  # as well, with the same restrictive ownership and mode.
  age.secrets.forgejo-host-key = forgejoOwned "forgejoPrivateKey.age";
  age.secrets."forgejo-host-key.pub" = forgejoOwned "forgejoPublicKey.age";

  # Alternate boot entry that turns self-registration on. It wins over the
  # mkDefault below. While the system runs this specialisation, anyone who can
  # reach the instance can create an account, so switch back once the intended
  # accounts exist.
  specialisation.forgejoEnableRegistration.configuration.services.forgejo.settings.service.DISABLE_REGISTRATION = false;

  services.forgejo.enable = true;

  # Registration is closed unless something overrides this default.
  services.forgejo.settings.service.DISABLE_REGISTRATION = lib.mkDefault true;

  services.forgejo.settings.server = {
    OFFLINE_MODE = false;
    # NOTE(review): plain http. Forgejo builds its links and session cookies
    # from this URL, so transport protection depends entirely on the network
    # underneath (presumably a tailnet, given the ts.net name; confirm).
    # Consider terminating TLS at traefik and switching this to https.
    ROOT_URL = "http://git.everest.sable-pancake.ts.net";
    # NOTE(review): HTTP_ADDR is not set in this file. traefik reaches Forgejo
    # on localhost, so confirm the web listener is not also reachable directly
    # on other interfaces; binding it to loopback would make traefik the only path.
    START_SSH_SERVER = true;
    # No firewall rule for this port appears in this file.
    SSH_PORT = 4222;
    # Path of the decrypted private key provided by agenix.
    SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path;
    # NOTE(review): SSH_SERVER_HOST_KEY (singular) does not look like a setting
    # Forgejo reads; the plural key above is the one that selects the host key.
    # Verify against the Forgejo configuration reference and drop it if unused.
    SSH_SERVER_HOST_KEY = "forgejo-host-key";
  };

  services.forgejo.settings.repository = {
    # Pushing to a non-existent repository under one's own account creates it;
    # repositories created this way start out private.
    ENABLE_PUSH_CREATE_USER = true;
    DEFAULT_PUSH_CREATE_PRIVATE = true;
    DEFAULT_BRANCH = "main";
  };

  # Add a cname for forgejo (must match the host name in ROOT_URL and the router rule)
  services.dnsmasq.settings.cname = [ "git.everest.sable-pancake.ts.net,everest" ];

  # Set up traefik as the reverse proxy for Forgejo.
  # The router matches on the Host header only (despite the "subpath" name) and
  # declares neither entryPoints nor tls here.
  services.traefik.dynamicConfigOptions.http = {
    routers.forgejo-subpath = {
      rule = "Host(`git.everest.sable-pancake.ts.net`)";
      service = "forgejo";
    };
    services.forgejo.loadBalancer.servers = [
      { url = "http://localhost:${forgejoHttpPort}"; }
    ];
  };
}