{
  config,
  pkgs,
  lib,
  ...
}: let
  home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
in {
  options.local = {
    hostname = lib.mkOption {type = lib.types.str;};
    username = lib.mkOption {type = lib.types.str;};
    userDescription = lib.mkOption {type = lib.types.str;};
    address = lib.mkOption {type = lib.types.str;};
  };

  config = {
    local.hostname = "forgejoprg";
    local.username = "forgejoprg";
    local.userDescription = "Forgejo Admin";
    local.address = "10.1.1.4";
  };

  # Enable Fedgejo service
  services.nginx = {
    enable = true;
    virtualHosts."git.prg.local" = {
      # Remove forceSSL and enableACME for local network
      # forceSSL = true;
      # enableACME = true;
      extraConfig = ''
        client_max_body_size 512M;
      '';
      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
    };
  };

  # Enable PostgreSQL for Forgejo
  services.postgresql.enable = true;

  # Forgejo configuration
  services.forgejo = {
    enable = true;
    database = {
      type = "postgres";
      host = "10.1.1.251"; # IP of your database server
      name = "forgejo";
      user = "forgejo";
      passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security
    };
    lfs.enable = true;

    settings = {
      server = {
        DOMAIN = "git.prg-radio.org";
        ROOT_URL = "https://git.prg-radio.org/";
        HTTP_PORT = 3000;
        # SSH integration
        SSH_PORT = lib.head config.services.openssh.ports;
      };

      # Temporarily allow registration to create admin user
      service.DISABLE_REGISTRATION = false;

      # Enable Actions support
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };

      # Optional: Email configuration
      # mailer = {
      #   ENABLED = false;
      # };
    };
  };

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [3000];

  imports = [
    # ./secrets/secrets.nix  # Add this locally after running add-secrets.zsh
    # Optionally import local secrets if present (won't fail if missing)
    (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
    ./modules/desktop-manager/sway_greetd_homemanager.nix
    ./modules/local/hostname_username.nix
    ./modules/local/networking_local.nix
    ./modules/toolsets/remote_building.nix
    ./modules/bootloader/seabios.nix
    ./modules/lix-default.nix
  ];

  system.stateVersion = "25.11";
}