{
  config,
  pkgs,
  ...
}: let
  inherit (config.sops) secrets;
  inherit (config.khepri) rwDataDir;

  rwPath = rwDataDir + "/forgejo";
in {
  khepri.compositions."forgejo".services = {
    "forgejo" = {
      image = import ./images/forgejo.nix pkgs;

      ports = [
        # Redirect WAN port 22 to this port
        "2222:22"
        "3000:3000"
      ];

      restart = "always";
      dependsOn = ["forgejo-db"];

      environmentFiles = [secrets.forgejo.path];
      environment = {
        APP_NAME = "Gitea";

        # TODO: change ids
        USER_UID = "1000";
        USER_GID = "1000";

        ROOT_URL = "https://git.nelim.org";
        SSH_DOMAIN = "git.nelim.org";
        SSH_PORT = "22";
        HTTP_PORT = "3000";
      };

      volumes = [
        "${rwPath}/data:/data"
        "/etc/timezone:/etc/timezone:ro"
        "/etc/localtime:/etc/localtime:ro"
      ];
    };

    "forgejo-db" = {
      image = import ./images/postgres.nix pkgs;

      restart = "always";

      environmentFiles = [secrets.forgejo-db.path];

      volumes = ["${rwPath}/db:/var/lib/postgresql/data"];
    };

    "act_runner" = {
      image = import ./images/act_runner.nix pkgs;

      privileged = true;

      restart = "always";
      dependsOn = ["forgejo"];

      environmentFiles = [secrets.forgejo-runner.path];
      environment = {
        GITEA_INSTANCE_URL = "https://git.nelim.org";
        GITEA_RUNNER_NAME = "DinD";
      };

      volumes = ["${rwPath}/act:/data"];
      extraHosts = [
        "git.nelim.org=10.0.0.130"
      ];
    };
  };
}