{pkgs, ...}: {
  # --- Utilisateur dédié ---
  users.users.git = {
    isSystemUser = true;
    home = "/var/lib/forgejo";
    shell = pkgs.bash;
    group = "git";
  };
  users.groups.git = {};

  # --- Forgejo ---
  services = {
    forgejo = {
      enable = true;
      user = "git";
      group = "git";
      database = {
        type = "sqlite3";
        path = "/var/lib/forgejo/data/gitea.db";
      };
      settings = {
        server = {
          DOMAIN = "govel.porzh.me";
          ROOT_URL = "https://govel.porzh.me/";
          SSH_DOMAIN = "govel.porzh.me";
          HTTP_PORT = 3000;
          SSH_PORT = 22;
          START_SSH_SERVER = false;
        };
        service = {
          DISABLE_REGISTRATION = true;
          REGISTER_EMAIL_CONFIRM = false;
        };
        repository = {
          DEFAULT_BRANCH = "main";
        };
      };
    };
    openssh.enable = true;
    caddy = {
      enable = true;
      virtualHosts."govel.porzh.me" = {
        extraConfig = ''
          reverse_proxy localhost:3000
        '';
      };
    };
  };

  # --- Ouvrir les ports nécessaires ---
  networking.firewall = {
    allowedTCPPorts = [80 443 2222];
    interfaces."eth0".allowedTCPPorts = [22];
  };
  # --- Pour que Forgejo génère les bonnes URLs Git ---
  #  networking.hostName = "git"; # non strictement obligatoire

  # --- Optionnel : config DNS ---
  # git.lomig.me -> ton IP publique (ou IP locale si LAN)

  # --- Pour te cloner un dépôt : ---
  # git clone git@git.lomig.me:lomig/nom-du-repo.git

  # --- Astuce : génère une paire de clés pour l’accès SSH Git ---
  # ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo
  # puis ajoute la clé publique dans ton compte Forgejo
}