{ pkgs, lib, configVars, inputs, ... }:
# Host-side NixOS module: runs Forgejo inside a NixOS container
# (`containers.forgejo`) behind NAT on the host's uplink. The container's own
# NixOS configuration is defined as `containerConfig` below and inlined into
# the container declaration.
let
  containerName = "forgejo";

  # Every file found under users/keys becomes an authorized key for root
  # inside the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;

  # Addresses, port and domain all come from the shared configVars attrset.
  addrs = configVars.networking.addresses;
  hostAddress = addrs.forgejo.hostAddress;
  localAddress = addrs.forgejo.localAddress;
  forgejoPort = addrs.forgejo.port;
  cloudnixIp = addrs.cloudnix.ip;
  forgejoDomain = configVars.domains.forgejo;

  sops-nix = inputs.sops-nix;

  # NixOS configuration evaluated inside the container.
  containerConfig = { pkgs, lib, ... }:
    let
      secretsDirectory = builtins.toString inputs.nix-secrets;
      secretsFile = "${secretsDirectory}/secrets.yaml";
    in
    {
      imports = [ sops-nix.nixosModules.sops ];

      networking.defaultGateway = cloudnixIp;
      # Only the Forgejo HTTP port is opened on the container's firewall; the
      # container's sshd (enabled below) is not exposed through this list.
      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ forgejoPort ];
      };
      # Use the container's own resolved instead of the host's resolv.conf.
      networking.useHostResolvConf = lib.mkForce false;
      services.resolved.enable = true;

      # Secrets are decrypted with the host's ed25519 key, which is
      # bind-mounted read-only into the container (see `bindMounts` below).
      sops = {
        defaultSopsFile = "${secretsFile}";
        validateSopsFiles = false;
        age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      };

      environment.systemPackages = with pkgs; [ vim git lsof ];

      services.forgejo = {
        enable = true;
        package = pkgs.forgejo;
        database.type = "sqlite3";
        lfs.enable = true;
        settings.server = {
          DOMAIN = "git.${forgejoDomain}";
          ROOT_URL = "https://git.${forgejoDomain}/";
          HTTP_PORT = forgejoPort;
        };
        # NOTE(review): self-registration is left open here; the instance is
        # presumably reachable from the internet via ../nginx/forgejo.nix, so
        # confirm that anonymous sign-up is intended and not just the default.
        settings.service.DISABLE_REGISTRATION = false;
        settings.actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "github";
        };
      };

      # Key-only SSH for root; password logins are refused.
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };
      users.users.root.openssh.authorizedKeys.keys = map builtins.readFile pubKeys;

      system.stateVersion = "24.05";
    };
in
{
  imports = [ ../nginx/forgejo.nix ];

  # NAT the container's veth interfaces (ve-*) out through the host uplink.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp1s0";
  };

  # Keep the container's state directory across reboots
  # (environment.persistence — presumably the impermanence module).
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;
    nixpkgs = pkgs.path;
    # The host's SSH host key is shared read-only so sops-nix can decrypt the
    # secrets file with it. Note the trade-off: the container then holds the
    # host's SSH identity (and its sshd will likely present the same host key),
    # so a compromise of the container exposes that key as well.
    bindMounts."/etc/ssh/ssh_host_ed25519_key" = {
      hostPath = "/etc/ssh/ssh_host_ed25519_key";
      isReadOnly = true;
    };
    config = containerConfig;
  };
}