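# NixOS module `services.vm_forgejo`.
#
# When enabled it:
#   * declares two agenix secrets (CrowdSec LAPI credentials, Forgejo DB password),
#   * points CrowdSec at the journal of forgejo.service,
#   * runs Forgejo against an external PostgreSQL server (no local DB is created),
#   * opens TCP 3000 in the host firewall.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.vm_forgejo;
in
{
  options.services.vm_forgejo = {
    # mkEnableOption prefixes its argument with "Whether to enable ", so the
    # argument is a noun phrase (the previous text rendered as
    # "Whether to enable Enable minimal config.").
    enable = lib.mkEnableOption "the Forgejo VM profile (Forgejo with CrowdSec log acquisition)";

    # Host of the external PostgreSQL server. Typed as a plain string, so the
    # value is not validated as an IP address.
    pgsql_ip = lib.mkOption {
      type = lib.types.str;
      description = "forgejo database IP address";
    };
  };

  config = lib.mkIf cfg.enable {
    age.secrets = {
      # CrowdSec local-API credentials, readable by the crowdsec user only.
      forgejo-lapi-key = {
        file = ../../secrets/forgejo-lapi-key.age;
        owner = "crowdsec";
      };

      # NOTE(review): no owner/mode is set, so agenix defaults apply
      # (root-owned, 0400). Forgejo runs as a non-root user below; whether it
      # can read this file depends on how the nixpkgs forgejo module consumes
      # passwordFile — confirm on the deployed nixpkgs revision.
      # NOTE(review): this secret lives under ./secrets while the one above
      # lives under ../../secrets — confirm that the split is intentional.
      forgejoDBPass.file = ./secrets/forgejoDBPass.age;
    };

    services = {
      crowdsec = {
        # Gitea collection from the CrowdSec hub; presumably used because
        # Forgejo's log format is Gitea-derived — verify that its parsers
        # still match the log lines of the installed Forgejo version.
        hub.collections = [ "LePresidente/gitea" ];
        settings.lapi.credentialsFile = config.age.secrets.forgejo-lapi-key.path;
        localConfig = {
          acquisitions = [
            {
              # Read Forgejo's log lines from the systemd journal.
              source = "journalctl";
              journalctl_filter = [ "_SYSTEMD_UNIT=forgejo.service" ];
              labels = {
                type = "syslog";
              };
            }
          ];
        };
      };

      forgejo = {
        enable = true;
        package = pkgs.forgejo;
        # NOTE(review): the service runs under a named account instead of a
        # dedicated service user. If this is also an interactive login
        # account, a compromise of Forgejo reaches that user's files and
        # credentials — consider a dedicated system user.
        user = "tbarnouin";
        settings = {
          server = {
            # Plain HTTP listener; ROOT_URL is https, so TLS is presumably
            # terminated by a reverse proxy not visible in this module.
            HTTP_PORT = 3000;
            # Built-in SSH server off: git access is over HTTP(S) only.
            DISABLE_SSH = true;
            ROOT_URL = "https://git.le43.eu";
          };
          # No self-service sign-up; accounts have to be created by an admin.
          service.DISABLE_REGISTRATION = true;
        };
        database = {
          # The database is hosted elsewhere, so nothing is provisioned locally.
          createDatabase = false;
          type = "postgres";
          # NOTE(review): no TLS setting for the PostgreSQL connection is
          # visible here (Forgejo's database SSL_MODE is not set). If the
          # path to the database crosses a network that is not fully
          # trusted, the password and data travel unencrypted — confirm.
          host = cfg.pgsql_ip;
          name = "gitea";
          user = "gitea";
          passwordFile = config.age.secrets.forgejoDBPass.path;
        };
      };
    };

    # NOTE(review): this opens the plain-HTTP port on every interface. If
    # only the reverse proxy is meant to reach Forgejo, limit the rule to
    # that source (or interface) so the unencrypted listener is not
    # reachable directly.
    networking.firewall.allowedTCPPorts = [ 3000 ];
  };
}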