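{ config, lib, ... }:
let
  cfg = config.hive.gitea-instance;
  giteaCfg = config.services.gitea;

  # Unix socket Gitea listens on. nginx proxies to the same path, so the two
  # sides are kept in one place rather than spelled out twice.
  giteaSocket = "/run/gitea/gitea.sock";

  # systemd instance name of the native act_runner; the nixpkgs module derives
  # the unit name gitea-runner-<instance> from it.
  runnerInstance = "nixos-host";

  # Registration token handed to the runner unit (EnvironmentFile format,
  # a single TOKEN=... line).
  registrationDir = "/var/lib/gitea-registration";
  registrationFile = "${registrationDir}/${runnerInstance}";
in
{
  options.hive.gitea-instance = {
    enable = lib.mkEnableOption "Enable the Gitea instance";

    instanceFQDN = lib.mkOption {
      type = lib.types.singleLineStr;
      example = "git.example.com";
      description = ''
        Fully qualified domain name of the Gitea instance. Used for the
        TLS/ACME virtual host and for Gitea's ROOT_URL and DOMAIN.
      '';
    };

    databasePasswordFile = lib.mkOption {
      type = lib.types.path;
      example = "/etc/gitea-db-pass.txt";
      description = ''
        Path to the file containing the Gitea database password.
        Pass an absolute path as a string (as in the example): a Nix path
        literal such as ./db-pass would be copied into the world-readable
        Nix store.
      '';
    };

    nativeRunner = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Install a gitea act_runner using the native nix store.
        Jobs dispatched to this runner execute directly on this host rather
        than in a container, so enable it only if everyone who can push
        workflows to this instance is trusted with execution on the host.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Gitea instance, reachable only through the unix socket behind nginx.
    services.gitea = {
      enable = true;
      lfs.enable = true;
      appName = "Git yourself some Tea!";
      database = {
        name = "gitea";
        type = "postgres";
        passwordFile = cfg.databasePasswordFile;
      };
      settings = {
        server = {
          PROTOCOL = "http+unix";
          # With http+unix, HTTP_ADDR is the socket path Gitea binds; it must
          # match the nginx proxyPass below.
          HTTP_ADDR = giteaSocket;
          ROOT_URL = "https://${cfg.instanceFQDN}/";
          DOMAIN = cfg.instanceFQDN;
        };
        # Accounts are created by an administrator only.
        service.DISABLE_REGISTRATION = true;
      };
    };

    # Forward X-Forwarded-*/X-Real-IP so Gitea sees the real client address
    # (logs, rate limiting) instead of the socket peer.
    services.nginx.recommendedProxySettings = lib.mkDefault true;

    services.nginx.virtualHosts = lib.mkMerge [
      # Catch-all vhost: any Host header this machine does not serve gets 403.
      # Keyed on networking.domain, so it is only declared when that is set.
      (lib.mkIf (config.networking.domain != null) {
        ${config.networking.domain} = lib.mkDefault {
          default = true;
          locations."/".return = 403;
          forceSSL = true;
          enableACME = true;
        };
      })
      # Virtual host for Gitea.
      {
        ${cfg.instanceFQDN} = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://unix:${giteaSocket}";
            # nginx's default client_max_body_size (1m) rejects larger pushes
            # and LFS uploads with 413. The limit is a policy choice; raise it
            # to the largest object you expect to accept.
            extraConfig = ''
              client_max_body_size 512m;
            '';
          };
        };
      }
    ];

    # Database setup. ensureDBOwnership requires the database to be named
    # after the role, which holds for the "gitea"/"gitea" pair used above.
    # NOTE(review): services.gitea.database.createDatabase (default true) is
    # believed to provision the same database and role already — confirm
    # before relying on this block alone.
    services.postgresql = {
      enable = true;
      ensureDatabases = [ giteaCfg.database.name ];
      ensureUsers = [
        {
          name = giteaCfg.database.user;
          ensureDBOwnership = true;
        }
      ];
    };

    # act_runner that executes jobs directly on this host.
    services.gitea-actions-runner = lib.mkIf cfg.nativeRunner {
      instances.${runnerInstance} = {
        enable = true;
        name = "${runnerInstance}-runner";
        url = "https://${cfg.instanceFQDN}";
        tokenFile = registrationFile;
        labels = [ "nixos:host" ];
        settings.runner.capacity = 1;
      };
    };

    # The runner cannot register without its token, so start it only after
    # the token has been generated.
    systemd.services."gitea-runner-${runnerInstance}" = lib.mkIf cfg.nativeRunner {
      after = [ "gitea-runner-gen-token.service" ];
      requires = [ "gitea-runner-gen-token.service" ];
    };

    # One-shot unit that mints a runner registration token with the gitea CLI.
    systemd.services.gitea-runner-gen-token = lib.mkIf cfg.nativeRunner {
      description = "Generate a Gitea Actions runner registration token";
      wantedBy = [ "multi-user.target" ];
      # The CLI talks to Gitea's database directly, so order after both the
      # application (for its generated config) and the database.
      after = [ "gitea.service" "postgresql.service" ];
      # Point the CLI at the same config and state the service uses.
      environment = {
        GITEA_CUSTOM = giteaCfg.customDir;
        GITEA_WORK_DIR = giteaCfg.stateDir;
      };
      # Runs only until the token file exists; delete the file to re-register.
      unitConfig.ConditionPathExists = [ "!${registrationFile}" ];
      script = ''
        set -euo pipefail
        token="$(${giteaCfg.package}/bin/gitea actions generate-runner-token)"
        if [ -z "$token" ]; then
          echo "gitea returned an empty runner token" >&2
          exit 1
        fi
        # Write to a temp file in the same directory and rename, so a crash
        # cannot leave a truncated file that satisfies ConditionPathExists
        # and is then never regenerated.
        tmp="$(mktemp "${registrationFile}.XXXXXX")"
        printf 'TOKEN=%s\n' "$token" > "$tmp"
        mv "$tmp" "${registrationFile}"
      '';
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        User = "gitea";
        Group = "gitea";
        StateDirectory = "gitea-registration";
        # Anyone who can read the token can register a runner and receive
        # jobs (and the secrets they carry), so keep the directory and file
        # private to the gitea user. NOTE(review): the nixpkgs runner module
        # appears to load tokenFile via systemd's EnvironmentFile (read as
        # root), so the restrictive mode should not affect it — verify if the
        # runner fails to read its token.
        StateDirectoryMode = "0750";
        UMask = "0077";
      };
    };
  };
}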