# NixOS module: ACME/TLS, an nginx front door, a Forgejo instance and a
# podman-hosted Home Assistant container on one host.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;

  # Document root shared by the plain-IP default vhost and the public site.
  webRoot = "/srv/website/public_html";

  # Static site served from webRoot; reused for both static vhosts below.
  staticSite = {
    root = webRoot;
    locations."/".index = "index.html";
  };

  # Shared TLS knobs for every vhost that gets a certificate.
  withTls = {
    forceSSL = true;
    enableACME = true;
  };
in
{
  ###########################################################################
  # TLS certificates
  ###########################################################################
  security.acme = {
    acceptTerms = true;
    defaults.email = "mail@kempinger.xyz";
    # NOTE(review): a wildcard name can only be issued via the DNS-01
    # challenge (a dnsProvider), while the nginx vhost "kempinger.at" below
    # registers the same cert name with enableACME (HTTP-01 webroot). Confirm
    # which challenge is intended; as written these two settings may conflict.
    certs."kempinger.at".domain = "*.kempinger.at";
  };

  services.resolved.enable = true;

  ###########################################################################
  # nginx: default vhost on the LAN address, public site, Forgejo proxy
  ###########################################################################
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Catch-all vhost, plain HTTP only (no TLS on the bare address).
      "192.168.69.69" = staticSite // { default = true; };

      # Public site: redirected to HTTPS with an ACME certificate.
      "kempinger.at" = staticSite // withTls;

      # Forgejo: TLS-terminated here, proxied to the local HTTP port.
      ${cfg.settings.server.DOMAIN} = withTls // {
        # Large pushes/LFS uploads exceed nginx's 1M default body limit.
        extraConfig = ''
          client_max_body_size 512M;
        '';
        locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
      };
    };
  };

  ###########################################################################
  # Forgejo
  ###########################################################################
  services.forgejo = {
    enable = true;
    database.type = "postgres";
    # Git Large File Storage support.
    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "git.kempinger.at";
        # Without an explicit ROOT_URL the web UI renders URLs with the port.
        ROOT_URL = "https://${srv.DOMAIN}/";
        HTTP_PORT = 3000;
        DISABLE_SSH = false;
        # Built-in SSH server on a non-standard port (keeps host sshd on 22).
        SSH_PORT = 2222;
        START_SSH_SERVER = true;
      };

      # Registration stays closed; flip this temporarily only to bootstrap
      # the first admin account, then close it again.
      service.DISABLE_REGISTRATION = true;

      # Forgejo Actions (act-based runners): https://github.com/nektos/act
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };

      # Outgoing mail is optional. A test mail can be sent from the web UI:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      # mailer = {
      #   ENABLED = true;
      #   SMTP_ADDR = "mail.kempinger.at";
      #   FROM = "noreply@${srv.DOMAIN}";
      #   USER = "noreply@${srv.DOMAIN}";
      # };
    };
  };

  # One-shot admin bootstrap, kept disabled. If re-enabled, do not commit a
  # literal password here (the original snippet carried one); supply it via
  # an environment file or set it interactively afterwards.
  # systemd.services.forgejo.preStart = ''
  #   ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" \
  #     --username crazychaoz --password "<initial-password-placeholder>" || true
  # '';

  # services.vscode-server.enable = true;

  ###########################################################################
  # Containers
  ###########################################################################
  virtualisation = {
    containers.enable = true;

    podman = {
      enable = true;
      dockerCompat = true;
      # Needed so containers under podman-compose can resolve each other.
      defaultNetwork.settings.dns_enabled = true;
    };

    oci-containers = {
      backend = "podman";

      containers.homeassistant = {
        # autoStart = true;
        volumes = [
          "home-assistant:/config"
          "/run/dbus:/run/dbus:ro"
        ];
        environment.TZ = "Europe/Berlin";
        # The image is only re-pulled on rebuild when this tag changes.
        image = "ghcr.io/home-assistant/home-assistant:stable";
        extraOptions = [
          # Host network namespace: the container binds directly on the host's
          # interfaces, so it is reachable wherever the host is.
          "--network=host"
          # Device passthrough for hardware discovery (e.g. a USB stick).
          # "--device=/dev/ttyACM0:/dev/ttyACM0"
          # --privileged removes the container's isolation from the host;
          # prefer passing individual --device entries when the hardware set
          # is known.
          "--privileged"
        ];
      };
    };
  };
}