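{ config, lib, pkgs, ... }:
{
  # Forgejo: self-hosted git, accessed at https://git.tyrolize.ch (Caddy
  # reverse-proxies to 127.0.0.1:3000 — vhost lives in modules/website.nix)
  # and ssh://git@git.tyrolize.ch:2222 for repo push/pull.
  services.forgejo = {
    enable = true;

    # Single-user scale — sqlite is plenty and simplifies backups.
    database.type = "sqlite3";

    # Daily compressed dump of repos + config + DB into /var/lib/forgejo/dump.
    # Restic will pick it up later.
    # NOTE(review): each run writes a new archive and nothing here prunes old
    # ones — watch disk usage until a retention job exists. The dumped config
    # (app.ini) carries Forgejo's secret keys/tokens, so wherever the dumps
    # end up needs the same access control as the live state directory.
    dump = {
      enable = true;
      type = "tar.gz";
    };

    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "git.tyrolize.ch";
        ROOT_URL = "https://git.tyrolize.ch/";
        # Listen on loopback only; Caddy provides public TLS. Port 3000 is
        # deliberately NOT opened in the firewall below.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        # Built-in SSH server — separate from system sshd on :22.
        # "0.0.0.0" binds IPv4 only; use "::" if the host is also reachable
        # over IPv6 and git-over-SSH should work there too.
        START_SSH_SERVER = true;
        SSH_DOMAIN = "git.tyrolize.ch";
        SSH_LISTEN_HOST = "0.0.0.0";
        SSH_PORT = 2222;
        SSH_LISTEN_PORT = 2222;
        LANDING_PAGE = "explore";
      };
      service = {
        # No self-service signup; the admin creates accounts via the CLI / UI.
        DISABLE_REGISTRATION = true;
        # Public repositories stay readable without signing in (intentional;
        # the other service.* defaults are fine).
        REQUIRE_SIGNIN_VIEW = false;
      };
      # Session cookie is only sent over HTTPS — fine here because Caddy
      # terminates TLS in front of the loopback listener.
      session.COOKIE_SECURE = true;
      log.LEVEL = "Info";
      # Page metadata rendered into the HTML <head>; cosmetic only.
      "ui.meta" = {
        AUTHOR = "tyrolize";
        DESCRIPTION = "tyrolize's git";
      };
      # Disable the install wizard — NixOS provides the config.
      security.INSTALL_LOCK = true;
    };
  };

  # Only the git SSH port is exposed; the web UI is reached through Caddy.
  networking.firewall.allowedTCPPorts = [ 2222 ];
}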