{ myLib, ... }: {
  kubernetes.resources = {
    secrets.runner-secret.stringData.token = "ref+sops://secrets/sops.yaml#/forgejo/runnerToken";

    configMaps = {
      forgejo-config.data = {
        # TODO: Generate from nix code?
        config = ''
          APP_NAME = Forgejo: Beyond coding. We forge.
          RUN_MODE = prod
          RUN_USER = git
          WORK_PATH=/data/gitea

          [repository]
          ROOT = /data/git/repositories
          DEFAULT_BRANCH = master

          [repository.local]
          LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

          [repository.upload]
          TEMP_PATH = /data/gitea/uploads

          [server]
          APP_DATA_PATH    = /data/gitea
          DOMAIN           = git.kun.is
          SSH_DOMAIN       = ssh.git.kun.is
          HTTP_PORT        = 3000
          ROOT_URL         = https://git.kun.is
          DISABLE_SSH      = false
          SSH_PORT         = 56287
          SSH_LISTEN_PORT  = 22
          LFS_START_SERVER = true
          LFS_JWT_SECRET   = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret
          OFFLINE_MODE     = false

          [database]
          PATH     = /data/gitea/gitea.db
          DB_TYPE  = sqlite3
          HOST     = localhost:3306
          NAME     = gitea
          USER     = root
          PASSWD   = 
          LOG_SQL  = false
          SCHEMA   = 
          SSL_MODE = disable
          CHARSET  = utf8

          [indexer]
          ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
          ISSUE_INDEXER_TYPE = db

          [session]
          PROVIDER_CONFIG = /data/gitea/sessions
          PROVIDER        = file

          [picture]
          AVATAR_UPLOAD_PATH            = /data/gitea/avatars
          REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
          ENABLE_FEDERATED_AVATAR       = false

          [attachment]
          PATH = /data/gitea/attachments

          [log]
          MODE      = console
          LEVEL     = info
          logger.router.MODE = console
          ROOT_PATH = /data/gitea/log
          logger.access.MODE=console

          [security]
          INSTALL_LOCK                  = true
          SECRET_KEY                    = 
          REVERSE_PROXY_LIMIT           = 1
          REVERSE_PROXY_TRUSTED_PROXIES = *
          INTERNAL_TOKEN                = ref+sops://secrets/sops.yaml#/forgejo/internalToken
          PASSWORD_HASH_ALGO            = pbkdf2

          [service]
          DISABLE_REGISTRATION              = true
          REQUIRE_SIGNIN_VIEW               = false
          REGISTER_EMAIL_CONFIRM            = false
          ENABLE_NOTIFY_MAIL                = false
          ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
          ENABLE_CAPTCHA                    = false
          DEFAULT_KEEP_EMAIL_PRIVATE        = true
          DEFAULT_ALLOW_CREATE_ORGANIZATION = true
          DEFAULT_ENABLE_TIMETRACKING       = true
          NO_REPLY_ADDRESS                  = noreply.localhost

          [lfs]
          PATH = /data/git/lfs

          [mailer]
          ENABLED   = false

          [openid]
          ENABLE_OPENID_SIGNIN = true
          ENABLE_OPENID_SIGNUP = false

          [repository.pull-request]
          DEFAULT_MERGE_STYLE = merge

          [repository.signing]
          DEFAULT_TRUST_MODEL = committer

          [ui]
          DEFAULT_THEME = forgejo-light

          [oauth2]
          ENABLE=false
        '';
      };

      forgejo-env.data = {
        USER_UID = "1000";
        USER_GID = "1000";
      };
    };

    deployments = {
      forgejo = {
        metadata.labels = {
          app = "forgejo";
          component = "forgejo";
        };

        spec = {
          selector.matchLabels = {
            app = "forgejo";
            component = "forgejo";
          };

          template = {
            metadata.labels = {
              app = "forgejo";
              component = "forgejo";
            };

            spec = {
              containers.forgejo = {
                image = "codeberg.org/forgejo/forgejo:1.21";
                envFrom = [{ configMapRef.name = "forgejo-env"; }];

                ports = {
                  web.containerPort = 3000;
                  ssh.containerPort = 22;
                };

                volumeMounts = [
                  {
                    name = "data";
                    mountPath = "/data";
                  }
                  {
                    name = "config";
                    mountPath = "/data/gitea/conf/app.ini";
                    subPath = "config";
                  }
                ];
              };

              volumes = {
                data.persistentVolumeClaim.claimName = "forgejo";
                config.configMap.name = "forgejo-config";
              };
            };
          };
        };
      };

      # Forgejo-runner for docker in docker (dind) on Kubernetes:
      # https://code.forgejo.org/forgejo/runner/src/branch/main/examples/kubernetes/dind-docker.yaml
      forgejo-runner = {
        metadata.labels = {
          app = "forgejo";
          component = "runner";
        };

        spec = {
          selector.matchLabels = {
            app = "forgejo";
            component = "runner";
          };

          template = {
            metadata.labels = {
              app = "forgejo";
              component = "runner";
            };

            spec = {
              restartPolicy = "Always";

              volumes = {
                docker-certs.emptyDir = { };
                runner-data.emptyDir = { };
              };

              initContainers.runner-register = {
                image = "code.forgejo.org/forgejo/runner:3.2.0";
                command = [ "forgejo-runner" "register" "--no-interactive" "--token" "$(RUNNER_SECRET)" "--name" "$(RUNNER_NAME)" "--instance" "$(FORGEJO_INSTANCE_URL)" ];

                env = {
                  RUNNER_NAME.value = "runner";
                  FORGEJO_INSTANCE_URL.value = "https://git.kun.is";
                  RUNNER_SECRET.valueFrom.secretKeyRef = {
                    name = "runner-secret";
                    key = "token";
                  };
                };

                resources.limits = {
                  cpu = "0.50";
                  memory = "64Mi";
                };

                volumeMounts = [{
                  name = "runner-data";
                  mountPath = "/data";
                }];
              };

              containers = {
                runner = {
                  image = "code.forgejo.org/forgejo/runner:3.0.0";
                  command = [ "sh" "-c" "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon" ];

                  env = {
                    DOCKER_HOST.value = "tcp://localhost:2376";
                    DOCKER_CERT_PATH.value = "/certs/client";
                    DOCKER_TLS_VERIFY.value = "1";
                  };

                  volumeMounts = [
                    {
                      name = "docker-certs";
                      mountPath = "/certs";
                    }
                    {
                      name = "runner-data";
                      mountPath = "/data";
                    }
                  ];
                };

                daemon = {
                  image = "docker:23.0.6-dind";
                  securityContext.privileged = true;
                  env.DOCKER_TLS_CERTDIR.value = "/certs";

                  volumeMounts = [{
                    name = "docker-certs";
                    mountPath = "/certs";
                  }];
                };
              };
            };
          };
        };
      };
    };

    services = {
      forgejo-web.spec = {
        selector = {
          app = "forgejo";
          component = "forgejo";
        };

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };

      forgejo-ssh.spec = {
        type = "LoadBalancer";
        loadBalancerIP = myLib.globals.gitIPv4;
        selector.app = "forgejo";

        ports.ssh = {
          port = 56287;
          targetPort = "ssh";
        };
      };
    };
  };

  lab = {
    nfsVolumes.forgejo.path = "forgejo";

    ingresses.forgejo = {
      host = "git.kun.is";

      service = {
        name = "forgejo-web";
        portName = "web";
      };
    };
  };
}