{pkgs, ...}: 
let
  globals = import ../../config/globals.nix;
in {
  # --- Utilisateur dédié ---
  users.users.${globals.services.forgejo.user} = {
    isSystemUser = true;
    home = globals.services.forgejo.home;
    shell = pkgs.bash;
    group = globals.services.forgejo.user;
  };
  users.groups.${globals.services.forgejo.user} = {};

  # --- Forgejo ---
  services = {
    forgejo = {
      enable = true;
      user = globals.services.forgejo.user;
      group = globals.services.forgejo.user;
      database = {
        type = "sqlite3";
        path = "${globals.services.forgejo.home}/data/gitea.db";
      };
      settings = {
        server = {
          DOMAIN = globals.services.forgejo.url ;
          ROOT_URL = "https://${globals.services.forgejo.url}/";
          SSH_DOMAIN = globals.services.forgejo.url;
          HTTP_PORT = globals.services.forgejo.port;
          START_SSH_SERVER = false;
        };
        service = {
          DISABLE_REGISTRATION = true;
          REGISTER_EMAIL_CONFIRM = false;
        };
        repository = {
          DEFAULT_BRANCH = "master";
        };
      };
    };
    openssh.enable = true;
    caddy = {
      enable = true;
      virtualHosts.${globals.services.forgejo.url} = {
        extraConfig = ''
          reverse_proxy localhost:${toString globals.services.forgejo.port}
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [80 443 22 ];
}