{
  inputs,
  lib,
  ...
}: let
  inherit
    (lib)
    singleton
    ;
in {
  flake.nixngConfigurations.gitea = inputs.nixng.nglib.makeSystem {
    system = "x86_64-linux";
    name = "nixng-gitea";
    inherit
      (inputs)
      nixpkgs
      ;
    config = {
      pkgs,
      config,
      options,
      ...
    }: {
      dumb-init = {
        enable = true;
        type.services = {};
      };

      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_16;

        ensureDatabases = singleton "gitea";
        ensureUsers = singleton {
          name = "gitea";
          ensureDBOwnership = true;
          ensurePermissions = {
            "DATABASE \"gitea\"" = "ALL PRIVILEGES";
          };
        };
      };

      imports = [
        (import "${inputs.nixng}/modules/services/gitea/sane.nix" {
            rootConfig = config;
            rootOptions = options;
            inherit pkgs lib;
          } {
            user = "gitea";
            database = {
              type = "postgres";
              # host = "127.0.0.1";
              # port = 5432;
              socket = "/run/postgresql";
              name = "gitea";
              user = "gitea";
            };
          })
      ];

      init.services.gitea.shutdownOnExit = false;
      services.gitea = {
        enable = true;
        package = pkgs.forgejo;

        secrets = {
          secretKeyFile = "/secrets/secret_key";
          internalTokenFile = "/secrets/internal_token";
          jwtSecretFile = "/secrets/jwt_secret";
          lfsJwtSecretFile = "/secrets/lfs_jwt_secret";
        };

        settings = {
          DEFAULT.APP_NAME = "RedAlder Forgejo";
        };
      };
    };
  };
}