{ config, ... }:
{
  services.nginx.virtualHosts."git.my-domain.tld" = {
    enableACME = false;
    forceSSL = false;
    locations."/" = {
      proxyPass = "http://localhost:3001/";
    };
  };

  services.postgresql = {
    ensureDatabases = [ config.services.gitea.user ];
    ensureUsers = [
      {
        name = config.services.gitea.database.user;
        ensureDBOwnership = true;
      }
    ];
  };

  #sops.secrets."postgres/gitea_dbpass" = {
  #  sopsFile = ../.secrets/postgres.yaml; # bring your own password file
  #  owner = config.services.gitea.user;
  #};

  services.gitea = {
    enable = true;
    appName = "My awesome Gitea server"; # Give the site a name
    database = {
      type = "postgres";
      password = "password"; # config.sops.secrets."postgres/gitea_dbpass".path
    };
    settings.server = {
      DOMAIN = "git.my-domain.tld";
      ROOT_URL = "https://git.my-domain.tld/";
      HTTP_PORT = 3001;
    };
  };
}