{
  config,
  lib,
  ...
}:
let
  inherit (config.machine.forgejo)
    enable
    domain
    port
    ;
in
with lib;
mkIf enable {
  networking.firewall = {
    allowedTCPPorts = [ port ];
  };

  services.nginx.virtualHosts =
    with lib;
    mkIf (domain != null) {
      "${domain}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://[::1]:${toString port}";
          proxyWebsockets = true;
        };
      };
    };
}