{
  config,
  pkgs,
  lib,
  ...
}:
let
  domain = "git.olexsmir.xyz";
in
{
  services.caddy.virtualHosts.${domain}.extraConfig = ''
    reverse_proxy http://localhost:3001
  '';

  services.forgejo = {
    enable = true;
    database.type = "sqlite3";
    settings = {
      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${domain}/";
        HTTP_PORT = 3001;
        LANDING_PAGE = "explore";
      };
      DEFAULT.APP_NAME = "my git";
      repository.DISABLE_STARS = true;
      service.DISABLE_REGISTRATION = true;
      ui.DEFAULT_THEME = "forgejo-dark";
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "https://${domain}";
      };
    };
  };

  # automatically setup user
  age.secrets.forgejo-admin-password = {
    file = ../secrets/forgejo-admin-password.age;
    owner = "forgejo";
    group = "forgejo";
  };

  systemd.services.forgejo.preStart =
    let
      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
      passwordFile = config.age.secrets.forgejo-admin-password.path;
      user = "olexsmir";
    in
    ''
      ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true
      ## uncomment this line to change an admin user which was already created
      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${passwordFile})" || true
    '';

  # TODO: setup workers
  # ideally it would get a token automatically

}