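# NixOS module for the Forgejo instance served at `domain`, plus a
# Forgejo Actions runner on the host.
#
# Layout:
#   * Forgejo itself runs in a NixOS container (`containers.${name}`) with a
#     private veth; the host's Caddy reverse-proxies to it on port 3000 and the
#     host's PostgreSQL socket is bind-mounted in (peer auth, so the DB user
#     must match the container's service user, see `ensureUsers`).
#   * The actions runner runs on the host and executes jobs either in podman
#     containers (`ubuntu-latest`) or directly on the host (`native:host`).
{
  pkgs,
  config,
  utils,
  ...
}:

let
  name = "dev";
  domain = "dev.thewordnerd.info";
  appName = "Nolan's Projects";
  # Addresses of the host/container ends of the container's private veth.
  # Kept here so the container definition and the reverse-proxy trust list
  # below cannot drift apart.
  hostAddress = "192.168.0.1";
  localAddress = "192.168.0.2";
in
{
  # Runner registration token, decrypted by agenix at activation time and
  # exposed to the runner service via `tokenFile` below.
  age.secrets."${name}_runner_linux".file = ../../../secrets/${name}_runner_linux.age;

  services = {
    postgresql = {
      ensureDatabases = [ name ];
      ensureUsers = [
        {
          name = name;
          ensureDBOwnership = true;
        }
      ];
    };
    # Authelia is bypassed for this host: Forgejo does its own
    # authentication, and reverse-proxy authentication is not enabled
    # (see the commented-out `service` settings in the container config).
    authelia.instances.main.settings.access_control.rules = [
      {
        domain = domain;
        policy = "bypass";
      }
    ];

    # `copy_headers` forwards the Authelia identity headers to Forgejo. Since
    # the bypass rule above lets unauthenticated requests through, enabling
    # ENABLE_REVERSE_PROXY_AUTHENTICATION in the container would require that
    # these `Remote-*` headers are always set/cleared by the proxy and never
    # taken from the client; review that before turning it on.
    caddy.virtualHosts.${domain}.extraConfig = ''
      forward_auth localhost:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
      }
      reverse_proxy ${name}:3000
    '';

    gitea-actions-runner = {
      package = pkgs.unstable.forgejo-runner;
      instances."${name}-linux" = {
        name = "Linux";
        enable = true;
        url = "https://${domain}";
        # `native:host` runs workflow steps directly on the host as the runner
        # service user; only repositories whose workflows are trusted should be
        # allowed to request that label.
        labels = [
          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
          "native:host"
        ];
        settings = {
          container = {
            network = "bridge";
          };
        };
        # Tools available to `native:host` jobs.
        hostPackages = with pkgs; [
          bash
          coreutils
          curl
          gawk
          gitMinimal
          gnused
          nodejs
          rsync
          wget
        ];
        tokenFile = config.age.secrets."${name}_runner_linux".path;
      };
    };
  };

  systemd.tmpfiles.rules = [
    "d /var/www 0775 root root"
  ];

  # Let the (sandboxed) runner service publish into /var/www; this is the only
  # host path opened up to `native:host` jobs beyond the unit's defaults.
  systemd.services."gitea-runner-${utils.escapeSystemdPath "${name}-linux"}".serviceConfig.ReadWritePaths =
    "/var/www";

  environment.systemPackages = with pkgs; [ unstable.forgejo-runner ];

  # Job containers live on the podman bridge. Trusting the interface opens all
  # host ports to them, including anything a job running untrusted workflow
  # code can reach; narrow to specific ports if the host grows more services.
  networking.firewall.trustedInterfaces = [ "podman0" ];

  containers."${name}" = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;
    config =
      let
        # The inner module only takes `lib`; the host package set is captured
        # under an explicit alias so every package reference inside is
        # visibly the host's.
        hostPkgs = pkgs;
      in
      {
        lib,
        ...
      }:
      {
        services.forgejo = {
          enable = true;
          package = hostPkgs.unstable.forgejo;
          settings = {
            DEFAULT = {
              APP_NAME = appName;
            };
            server = {
              ROOT_URL = "https://${domain}";
              DOMAIN = domain;
              DISABLE_SSH = true;
              LANDING_PAGE = "explore";
            };
            service = {
              DISABLE_REGISTRATION = true;
              # ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
              # ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
            };
            security = {
              # Header names match Caddy's `copy_headers` above; inert while
              # reverse-proxy authentication is disabled.
              REVERSE_PROXY_AUTHENTICATION_USER = "Remote-User";
              REVERSE_PROXY_AUTHENTICATION_EMAIL = "Remote-Email";
              REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "Remote-Name";
              # Only the host end of the veth (where Caddy connects from) may
              # assert identity headers.
              REVERSE_PROXY_TRUSTED_PROXIES = hostAddress;
            };
          };
          lfs.enable = true;
          database = {
            type = "postgres";
            name = name;
            user = name;
            socket = "/run/postgresql";
            createDatabase = false;
          };
        };
        networking = {
          firewall.allowedTCPPorts = [ 3000 ];
          useHostResolvConf = lib.mkForce false;
        };
        services.resolved.enable = true;
        environment.sessionVariables = {
          # Same package as the running service, so the admin CLI matches the
          # server's version and database schema.
          PATH = [ "${hostPkgs.unstable.forgejo}/bin" ];
          # NOTE(review): verify this matches the stateDir the forgejo service
          # actually uses in this NixOS release.
          GITEA_WORK_DIR = "/var/lib/gitea";
        };
      };
    bindMounts = {
      "/run/postgresql" = {
        hostPath = "/run/postgresql";
      };
    };
  };
}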