{ lib, myLib, ... }: {
  kubernetes.resources = {
    secrets.runner-secret.stringData.token = "ref+sops://secrets/sops.yaml#/forgejo/runnerToken";

    configMaps = {
      forgejo-config.data.config = lib.generators.toINI { } (import ./config.nix);

      forgejo-env.data = {
        USER_UID = "1000";
        USER_GID = "1000";
      };
    };

    deployments = {
      forgejo = {
        metadata.labels = {
          app = "forgejo";
          component = "forgejo";
        };

        spec = {
          selector.matchLabels = {
            app = "forgejo";
            component = "forgejo";
          };

          template = {
            metadata.labels = {
              app = "forgejo";
              component = "forgejo";
            };

            spec = {
              containers.forgejo = {
                image = "codeberg.org/forgejo/forgejo:1.21";
                envFrom = [{ configMapRef.name = "forgejo-env"; }];

                ports = {
                  web.containerPort = 3000;
                  ssh.containerPort = 22;
                };

                volumeMounts = [
                  {
                    name = "data";
                    mountPath = "/data";
                  }
                  {
                    name = "config";
                    mountPath = "/data/gitea/conf/app.ini";
                    subPath = "config";
                  }
                ];
              };

              volumes = {
                data.persistentVolumeClaim.claimName = "forgejo";
                config.configMap.name = "forgejo-config";
              };
            };
          };
        };
      };

      # Forgejo-runner for docker in docker (dind) on Kubernetes:
      # https://code.forgejo.org/forgejo/runner/src/branch/main/examples/kubernetes/dind-docker.yaml
      forgejo-runner = {
        metadata.labels = {
          app = "forgejo";
          component = "runner";
        };

        spec = {
          selector.matchLabels = {
            app = "forgejo";
            component = "runner";
          };

          template = {
            metadata.labels = {
              app = "forgejo";
              component = "runner";
            };

            spec = {
              restartPolicy = "Always";

              initContainers.runner-register = {
                image = "code.forgejo.org/forgejo/runner:3.2.0";
                command = [ "forgejo-runner" "register" "--no-interactive" "--token" "$(RUNNER_SECRET)" "--name" "$(RUNNER_NAME)" "--instance" "$(FORGEJO_INSTANCE_URL)" ];

                env = {
                  RUNNER_NAME.value = "runner";
                  FORGEJO_INSTANCE_URL.value = "https://git.kun.is";
                  RUNNER_SECRET.valueFrom.secretKeyRef = {
                    name = "runner-secret";
                    key = "token";
                  };
                };

                resources.limits = {
                  cpu = "0.50";
                  memory = "64Mi";
                };

                volumeMounts = [{
                  name = "data";
                  mountPath = "/data";
                }];
              };

              containers = {
                runner = {
                  image = "code.forgejo.org/forgejo/runner:3.0.0";
                  command = [ "sh" "-c" "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon" ];

                  env = {
                    DOCKER_HOST.value = "tcp://localhost:2376";
                    DOCKER_CERT_PATH.value = "/certs/client";
                    DOCKER_TLS_VERIFY.value = "1";
                  };

                  volumeMounts = [
                    {
                      name = "data";
                      mountPath = "/data";
                    }
                    {
                      name = "certs";
                      mountPath = "/certs";
                    }
                  ];
                };

                daemon = {
                  image = "docker:23.0.6-dind";
                  securityContext.privileged = true;
                  env.DOCKER_TLS_CERTDIR.value = "/certs";

                  volumeMounts = [{
                    name = "certs";
                    mountPath = "/certs";
                  }];
                };
              };

              volumes = {
                data.persistentVolumeClaim.claimName = "forgejo-runner-data";
                certs.persistentVolumeClaim.claimName = "forgejo-runner-certs";
              };
            };
          };
        };
      };
    };

    services = {
      forgejo-web.spec = {
        selector = {
          app = "forgejo";
          component = "forgejo";
        };

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };

      forgejo-ssh.spec = {
        type = "LoadBalancer";
        loadBalancerIP = myLib.globals.gitIPv4;
        selector.app = "forgejo";

        ports.ssh = {
          port = 56287;
          targetPort = "ssh";
        };
      };
    };
  };

  lab = {
    nfsVolumes = {
      forgejo.path = "forgejo/data";
      forgejo-runner-data.path = "forgejo/runner/data";
      forgejo-runner-certs.path = "forgejo/runner/certs";
    };

    ingresses.forgejo = {
      host = "git.kun.is";

      service = {
        name = "forgejo-web";
        portName = "web";
      };
    };
  };
}