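# NixOS module: runs a buildbot-nix master and a buildbot-nix worker on the
# same host, with Gitea (codeberg.org) and GitHub as project sources.
#
# Every credential is referenced by a path that is read at runtime and is
# never embedded in the configuration. Anything passed to pkgs.writeText ends
# up in /nix/store, which is readable by every local user and is copied to
# binary caches and remote builders, so it must not carry passwords.
{
  pkgs,
  inputs',
  lib,
  ...
}: let
  inherit (lib) mkForce;
in {
  imports = [
    inputs'.buildbot-nix.nixosModules.buildbot-master
    inputs'.buildbot-nix.nixosModules.buildbot-worker
  ];

  # The vhost listens on an internal address without TLS, while buildbotUrl
  # below is forced to https.
  # NOTE(review): presumably a TLS-terminating proxy sits in front of
  # 10.64.2.1:8833. OAuth callbacks and webhook bodies cross that hop in
  # clear text, so confirm that network segment is trusted.
  services.nginx.virtualHosts."buildbot.redalder.org".listen = [
    {
      addr = "10.64.2.1";
      port = 8833;
    }
  ];

  environment.systemPackages = with pkgs; [git];

  services.buildbot-master = {
    buildbotUrl = mkForce "https://buildbot.redalder.org/";
  };

  services.buildbot-nix.master = {
    enable = true;
    domain = "buildbot.redalder.org";

    # Worker list, kept outside the Nix store. The file holds a JSON array of
    # the form
    #   [ { "name": "buildbot", "pass": "<worker password>", "cores": 24 } ]
    # The file name is constructed for this review: provision it next to the
    # other files under /secret with the same restrictive permissions.
    # Rotate the worker password when moving it here, since the earlier value
    # was already exposed through the store.
    workersFile = "/secret/buildbot_workers.json";

    authBackend = "gitea";

    gitea = {
      enable = true;
      tokenFile = "/secret/gitea_token";
      instanceURL = "codeberg.org";
      oauthId = "b862a7fa-04ba-462e-b495-2cecc1e6bb18";
      # NOTE(review): this is the same file the github section uses. With a
      # shared secret, a leak on either forge lets webhooks be forged for
      # both. Confirm the sharing is intended, or give Gitea its own file.
      webhookSecretFile = "/secret/github_webhook_secret";
      oauthSecretFile = "/secret/gitea_oauth_secret";
      admins = ["magic_rb"];
      topic = "build-with-buildbot";
    };

    github = {
      # Github user used as a CI identity
      user = "MagicRB";
      # Github token of the same user
      tokenFile = "/secret/github_token";
      # A random secret used to verify incoming webhooks from GitHub
      # buildbot-nix will set up a webhook for each project in the organization
      webhookSecretFile = "/secret/github_webhook_secret";
      # Either create a GitHub app or an OAuth app
      # After creating the app, press "Generate a new client secret" and fill in the client ID and secret below
      oauthId = "Iv1.9602794c2e5a475b";
      oauthSecretFile = "/secret/github_oauth_secret";
      # Users in this list will be able to reload the project list.
      # All other users in the organization will be able to restart builds or evaluations.
      admins = ["MagicRB"];
      # All github projects with this topic will be added to buildbot.
      # One can trigger a project scan by visiting the Builds -> Builders page and looking for the "reload-github-project" builder.
      # This builder has a "Update Github Projects" button that everyone in the github organization can use.
      topic = "buildbot-magicrb";
    };

    # optional expose latest store path as text file
    # outputsPath = "/var/www/buildbot/nix-outputs";

    # optional nix-eval-jobs settings
    evalWorkerCount = 2; # limit number of concurrent evaluations
    evalMaxMemorySize = "4096"; # limit memory usage per evaluation

    # optional cachix
    #cachix = {
    #  name = "my-cachix";
    #  # One of the following is required:
    #  signingKey = "/var/lib/secrets/cachix-key";
    #  authToken = "/var/lib/secrets/cachix-token";
    #};
  };

  # Optional: Enable acme/TLS in nginx (recommended)
  #services.nginx.virtualHosts.${config.services.buildbot-nix.master.domain} = {
  #  forceSSL = true;
  #  useACME = true;
  #};

  services.buildbot-nix.worker = {
    enable = true;
    # Must contain the same password as the "pass" field of the matching
    # entry in workersFile. Read from a runtime path for the same reason as
    # workersFile: a pkgs.writeText derivation would publish the password in
    # the world-readable store. The file name is constructed for this review.
    workerPasswordFile = "/secret/buildbot_worker_password";
  };
}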