# NixOS host module for a Forgejo instance running in an LXC container.
#
# Layout:
#   - age.secrets.*   : encrypted SMTP password, referenced by path only
#   - my.*            : project-local option namespace (defined in modules not
#                       shown here); enables Forgejo, the LXC share helper and
#                       the Proxmox integration
#   - services/systemd: SSH port split and capability overrides that let the
#                       Forgejo unit bind a privileged port
{ config, pkgs, lib, ... }:
let
  params = import ../parameters.nix;
  publicDomain = params.domains.public;

  # Path of the decrypted secret as exposed by the age.secrets option.
  # Only the path is handed to Forgejo; the password itself is not written
  # into this file.
  mailerPasswordFile = config.age.secrets.scaleway-password.path;

  # The single capability the Forgejo unit is allowed to hold.
  netBindOnly = [ "CAP_NET_BIND_SERVICE" ];
in
{
  age.secrets.scaleway-password.file = ../../secrets/scaleway-password.age;

  my.utils = {
    commons.enable = true;
    lxc-standard.enable = true;
  };

  my.services.forgejo = {
    enable = true;
    stateDir = "/mnt/git";
    proxy.domain = publicDomain;

    # NOTE(review): presumably the my.services.forgejo module reads this file
    # at service start and injects it as [mailer] PASSWD -- confirm the module
    # does not copy the value into the world-readable Nix store.
    secrets.mailer.PASSWD = mailerPasswordFile;

    settings = {
      service = {
        # Self-service sign-up is off.
        DISABLE_REGISTRATION = true;
        # Anonymous visitors land on the explore page. REQUIRE_SIGNIN_VIEW is
        # not set in this file, so what they can list depends on the default
        # or on the module -- confirm this matches the intended exposure.
        LANDING_PAGE = "explore";
        ENABLE_NOTIFY_MAIL = true;
      };

      mailer = {
        ENABLED = true;
        # Implicit-TLS submission (smtps on 465).
        PROTOCOL = "smtps";
        SMTP_ADDR = "smtp.tem.scaleway.com";
        SMTP_PORT = "465";
        # Account identifier only; the matching password comes from the age
        # secret above. This value is stored in clear text in the repository.
        USER = "5cbeeec0-9c3a-441a-9772-c11e9650fcd2";
        FROM = "git@${publicDomain}";
      };

      oauth2_client = {
        # NOTE(review): the upstream documentation lists userid, nickname,
        # email and preferred_username for this key -- confirm that "openid"
        # is accepted by the deployed Forgejo version.
        USERNAME = "openid";
        # SECURITY: "auto" links an external identity to an existing local
        # account when the username or e-mail matches, without the user
        # proving ownership of that account. This is only safe if every
        # configured OAuth2 provider is trusted and asserts verified e-mail
        # addresses; otherwise "login" (require a local sign-in before
        # linking) is the safer value.
        ACCOUNT_LINKING = "auto";
      };

      repository.DEFAULT_BRANCH = "master";
    };
  };

  # NOTE(review): presumably grants the Forgejo service user access to the
  # shared LXC mount -- semantics are defined by the my.networking module.
  my.networking.lxc_shares = {
    enable = true;
    allowUsers = [ config.services.forgejo.user ];
  };

  my.virtualisation.proxmox.enable = true;

  # Management SSH on 5022; port 22 is used by Forgejo built-in Git SSH.
  # Firewall rules should treat 5022 as the administrative entry point.
  services.openssh.ports = [ 5022 ];

  # Binding port 22 as a non-root service needs CAP_NET_BIND_SERVICE.
  #   - The bounding set is forced down to that one capability, so the unit
  #     cannot acquire anything else.
  #   - PrivateUsers is forced off: inside a private user namespace the
  #     process holds no capabilities on the host namespace, so the ambient
  #     capability would not permit the bind. This overrides a value set
  #     elsewhere (hence mkForce) and removes that layer of isolation from the
  #     unit; keep the remaining sandboxing options of the service enabled.
  systemd.services.forgejo.serviceConfig = {
    AmbientCapabilities = netBindOnly;
    CapabilityBoundingSet = lib.mkForce netBindOnly;
    PrivateUsers = lib.mkForce false;
  };

  # Extra packages (none at present).
  environment.systemPackages = with pkgs; [ ];

  system.stateVersion = "25.05";
}