{ config, lib, pkgs, ... }:

let
  forgejoCfg = config.services.forgejo;

  # Both halves of the host key pair are owned by the Forgejo service
  # account so the daemon can read them from the sops-managed paths.
  keyOwnership = {
    owner = forgejoCfg.user;
    group = forgejoCfg.group;
  };
in
{
  # SSH host key pair for Forgejo's built-in SSH server, delivered via sops.
  # The private key's path is what the server is pointed at below; the public
  # half is deployed alongside it under the name "id_forgejo.pub".
  sops.secrets = {
    "forgejoHostKey/private" = keyOwnership // { name = "id_forgejo"; };
    "forgejoHostKey/public" = keyOwnership // { name = "id_forgejo.pub"; };
  };

  # Registration is closed on the normal boot entry (mkDefault below). Booting
  # this specialisation opens it so accounts can be created deliberately; the
  # plain `= false` here has a higher priority than the mkDefault and so wins.
  specialisation.forgejoEnableRegistration.configuration.services.forgejo.settings.service.DISABLE_REGISTRATION = false;

  services.forgejo = {
    enable = true;
    package = pkgs.forgejo-lts;

    settings = {
      service = {
        # mkDefault rather than a plain value so the specialisation above can
        # override it without needing mkForce.
        DISABLE_REGISTRATION = lib.mkDefault true;
      };

      server = {
        OFFLINE_MODE = false;
        # Listen on a unix socket only; Caddy (below) is the HTTP entry point.
        PROTOCOL = "http+unix";
        ROOT_URL = "https://git.toast003.xyz";
        START_SSH_SERVER = true;
        SSH_PORT = 4222;
        # Private host key comes from the sops secret declared above.
        SSH_SERVER_HOST_KEYS = config.sops.secrets."forgejoHostKey/private".path;
        # NOTE(review): not certain SSH_SERVER_HOST_KEY is a key Forgejo reads
        # (SSH_SERVER_HOST_KEYS is the documented one) — confirm against the
        # config cheat sheet for the pinned forgejo-lts version.
        SSH_SERVER_HOST_KEY = "id_forgejo";
      };

      repository = {
        ENABLE_PUSH_CREATE_USER = true;
        # Repositories created by push are private unless the user says otherwise.
        DEFAULT_PUSH_CREATE_PRIVATE = true;
        DEFAULT_BRANCH = "main";
      };

      indexer = {
        REPO_INDEXER_ENABLED = true;
      };
    };
  };

  # Only the built-in SSH server's port is opened here; HTTP reaches Forgejo
  # through Caddy's own listeners.
  networking.firewall.allowedTCPPorts = [ forgejoCfg.settings.server.SSH_PORT ];

  catppuccin.forgejo.enable = true;

  # Set up caddy as the reverse proxy for Forgejo
  services.caddy.virtualHosts.forgejo = {
    hostName = "git.toast003.xyz";
    # HTTP_ADDR is not set in this file; presumably it is the socket path the
    # NixOS forgejo module supplies by default for http+unix — verify.
    extraConfig = ''
      reverse_proxy unix/${forgejoCfg.settings.server.HTTP_ADDR}
    '';
  };
}