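# Gitea module: serves the gitea frontend on git.<baseDomain> behind nginx and,
# optionally, a WebFinger endpoint on <baseDomain> that points OIDC discovery
# at the gitea instance.
{ pkgs, lib, config, ... }:
let
  conf = config.mod.gitea;
  gitDomain = "git.${conf.baseDomain}";
  nginxEnable = config.mod.nginx.enable;
in
{
  options = {
    mod.gitea = {
      enable = lib.mkEnableOption "Enable gitea";
      baseDomain = lib.mkOption {
        type = lib.types.str;
        default = "";
        description = ''
          The base domain that will be used to
          - create https://git. which will host the frontend of gitea
          - host the webfinger
          Note: A cert is required for this domain and "git.".
        '';
      };
      webfingerEnable = lib.mkEnableOption "Enable webfinger pointing to gitea";
      webfingerAccounts = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
        description = "The accounts that should be listed";
      };
    };
  };

  # Everything below is silently dropped when the nginx module is disabled,
  # since both virtual hosts depend on it; gitea itself is not started either.
  config = lib.mkIf (conf.enable && nginxEnable) {
    assertions = [
      {
        assertion = conf.baseDomain != "";
        message = "Option 'mod.gitea.baseDomain' cannot be empty";
      }
      {
        # Only enforce the account list when webfinger is actually enabled.
        # The previous `webfingerEnable && accounts != []` form failed the
        # assertion for every host that left webfinger off.
        assertion = conf.webfingerEnable -> conf.webfingerAccounts != [ ];
        message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
      }
    ];

    services.gitea = {
      enable = true;
      settings = {
        service = {
          DISABLE_REGISTRATION = true;
        };
        server = {
          DOMAIN = gitDomain;
          ROOT_URL = "https://${gitDomain}";
          # nginx (below) is the only intended client of the HTTP listener, so
          # keep it on loopback instead of the all-interfaces default; otherwise
          # port 3000 is reachable without TLS from any host that can route here.
          HTTP_ADDR = "127.0.0.1";
          SSH_PORT = 1122; # see `ssh` module
        };
        database = {
          # NOTE(review): keys under `settings.database` are written verbatim
          # to app.ini, where gitea expects DB_TYPE rather than `type`, and
          # `passwordFile` is not a gitea key at all. The NixOS options
          # `services.gitea.database.type` / `.passwordFile` look like the
          # intended place -- confirm before moving, since the module's own
          # assertions around sqlite3 + passwordFile have not been checked here.
          type = "sqlite3";
          passwordFile = config.age.secrets.gitea-dbpassword.path;
        };
        session = {
          COOKIE_SECURE = true;
        };
      };
    };

    services.nginx = {
      virtualHosts."${conf.baseDomain}" =
        let
          # One JSON Resource Descriptor per account. The file is named with the
          # percent-encoded "acct:<account>" because nginx's $arg_resource is the
          # still-encoded query value, so the lookup below matches byte-for-byte.
          mkWebfinger = account:
            pkgs.writeTextDir (lib.escapeURL "acct:${account}") (
              lib.generators.toJSON { } {
                subject = "acct:${account}";
                links = [
                  {
                    rel = "http://openid.net/specs/connect/1.0/issuer";
                    href = "https://${gitDomain}";
                  }
                ];
              }
            );
          # Single directory holding every descriptor; this is the only content
          # served from the webfinger location.
          webfingerRoot = pkgs.symlinkJoin {
            name = "${gitDomain}-webfinger";
            paths = builtins.map mkWebfinger conf.webfingerAccounts;
          };
        in
        lib.mkIf conf.webfingerEnable {
          forceSSL = true;
          useACMEHost = conf.baseDomain;
          locations."/.well-known/webfinger" = {
            root = webfingerRoot;
            # Access-Control-Allow-Origin "*" is what RFC 7033 requires for
            # WebFinger responses. $arg_resource is rewritten into the path
            # without validation; that is acceptable only because the root is
            # the generated descriptor tree above -- revisit if the root is
            # ever widened to anything else.
            extraConfig = ''
              add_header Access-Control-Allow-Origin "*";
              default_type "application/jrd+json";
              types { application/jrd+json json; }
              if ($arg_resource) { rewrite ^(.*)$ /$arg_resource break; }
              return 400;
            '';
          };
        };

      virtualHosts."${gitDomain}" = {
        forceSSL = true;
        useACMEHost = gitDomain;
        locations."/" = {
          # Must agree with services.gitea.settings.server.HTTP_ADDR above.
          proxyPass = "http://127.0.0.1:3000";
          proxyWebsockets = true;
        };
      };
    };

    age.secrets = {
      "gitea-dbpassword".file = ../../../../secrets/tadpole/gitea-dbpassword.age;
    };
  };
}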