# NixOS module: a Gitea instance bound to loopback and published only through
# an nginx virtual host that terminates TLS.
#
# NOTE(review): `config.services.nginx.domain` is read here but not declared in
# this file; presumably another module in the configuration defines it.
# NOTE(review): recent NixOS releases expose several of the Gitea options used
# below under `services.gitea.settings.*` instead; confirm against the channel
# this is deployed on.
{ config, ... }:

let
  # Public host name of the Gitea site; also used as the nginx vhost name.
  giteaHost = "gitea.${config.services.nginx.domain}";
in
{
  services.gitea = {
    enable = true;
    domain = giteaHost;
    appName = "Gitea: Git with a cup of tea";

    # Listen on loopback only, so the nginx vhost below is the only way in
    # from the network. httpPort is not set here; the proxy rule reads
    # whatever value the option ends up with.
    httpAddress = "127.0.0.1";
    rootUrl = "https://${giteaHost}/";

    database = {
      type = "postgres";
    };

    # Nothing in this file configures an SSH listener or a firewall rule for
    # port 2222.
    # NOTE(review): presumably this only sets the port shown in clone URLs;
    # verify that something actually serves SSH on 2222.
    ssh = {
      clonePort = 2222;
    };

    # The site is HTTPS-only (forceSSL below), so session cookies are marked
    # Secure and never sent over plain HTTP.
    cookieSecure = true;

    # No self-service sign-up.
    # NOTE(review): with registration closed, the first administrator account
    # has to exist already or be created out of band; confirm for new deploys.
    disableRegistration = true;
  };

  # TLS termination and reverse proxy for the Gitea backend.
  services.nginx.virtualHosts.${giteaHost} =
    let
      backend = config.services.gitea;
    in
    {
      # Redirect plain HTTP to HTTPS and obtain the certificate via ACME.
      # NOTE(review): ACME account settings (terms acceptance, contact e-mail)
      # are not set in this file; presumably configured elsewhere.
      forceSSL = true;
      enableACME = true;

      # HSTS for 180 days (15552000 s), including subdomains of this host.
      # `always` makes nginx send the header on error responses too.
      # nginx stops inheriting server-level add_header directives in any
      # location that declares its own add_header, so a location that later
      # gains one must repeat this line.
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      '';

      # Upstream traffic is plain HTTP, but it stays on the loopback interface.
      locations."/".proxyPass =
        "http://${backend.httpAddress}:${toString backend.httpPort}";
    };
}