{
  pkgs,
  pkgsUnstable,
  ...
}: {
  users.users.gitea = {
    home = "/var/lib/gitea";
    useDefaultShell = true;
    group = "gitea";
    isSystemUser = true;
  };
  users.groups.gitea = {};
  services.forgejo = {
    enable = true;
    package = pkgsUnstable.forgejo;
    repositoryRoot = "/forgejo/repos";
    stateDir = "/var/lib/gitea";
    appName = "Katzenschmiede";
    user = "gitea";
    group = "gitea";
    database = {
      type = "postgres";
      name = "gitea";
      user = "gitea";
    };
    settings = {
      openid = {
        ENABLE_OPENID_SIGNIN = true;
      };
      federation = {
        ENABLED = true;
      };
      server = {
        ROOT_URL = "https://forge.katzen.cafe/";
        HTTP_PORT = 8082;
        DOMAIN = "forge.katzen.cafe";
        START_SSH_SERVER = true;
        SSH_PORT = 2222;
      };
      service = {
        REGISTER_MANUAL_CONFIRM = true;
        SHOW_REGISTRATION_BUTTON = false;
      };
      actions = {
        ENABLED = true;
      };
      mailer = {
        ENABLED = true;
        FROM = "noreply@katzen.cafe";
        PROTOCOL = "smtps";
        SMTP_ADDR = "mail.katzen.cafe";
        SMTP_PORT = 465;
        USER = "noreply@katzen.cafe";
      };
    };
    mailerPasswordFile = "/var/lib/secrets/noreply-mail-pw-plain";
  };
  deployment.keys = {
    "noreply-mail-pw-plain" = {
      keyCommand = ["pass" "mailpws/plain/noreply"];
      destDir = "/var/lib/secrets";
      permissions = "0604";
    };
  };
}