{ pkgs, homelab, ... }: {
  services.forgejo = {
    enable = true;
    lfs.enable = true;
    stateDir = "/mnt/data/forgejo";
    package = pkgs.forgejo;
    #secrets = {
    #  oauth2.JWT_SECRET = "/mnt/data/forgejo/custom/conf/oauth2_jwt_secret";
    #  server.LFS_JWT_SECRET = "/mnt/data/forgejo/custom/conf/lfs_jwt_secret";
    #  security = {
    #    INTERNAL_TOKEN = "/mnt/data/forgejo/custom/conf/internal_token";
    #    SECRET_KEY = "/mnt/data/forgejo/custom/conf/secret_key";
    #  };
    #};
    settings = {
      server = {
        DISABLE_SSH = true;
        DOMAIN = "git.${homelab.domain}";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 5080;
        PROTOCOL = "http";
        ROOT_URL = "https://git.${homelab.domain}";
        LANDING_PAGE = "explore";
      };
      oauth2_client.ENABLE_AUTO_REGISTRATION=true;
      service = {
        DISABLE_REGISTRATION = true;
        ENABLE_OPENID_SIGNIN = false;
        ENABLE_OPENID_SIGNUP = false;
        ENABLE_INTERNAL_SIGNIN = true; # TODO: set false after migration complete
        SHOW_REGISTRATION_BUTTON = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true;
      };
      user.ENABLE_FOLLOWING = false;
      repository = {
        DISABLE_STARS = true;
        DISABLE_FORKS = true;
      };
    };
  };
}