{...}: {
  imports = [./traefik.nix ./fail2ban.nix];
  services.gitea = {
    enable = true;
    settings = {
      server = {
        ROOT_URL = "https://git.xenia.me.uk";
        DOMAIN = "git.xenia.me.uk";
        SSH_PORT = 2222;
      };
      service.DISABLE_REGISTRATION = true;
      ui = {
        THEMES = "auto,gitea,arc-green,catppuccin-latte-lavender,catppuccin-frappe-lavender,catppuccin-macchiato-lavender,catppuccin-mocha-lavender";
      };
    };
    appName = "Gitea";
  };
  networking.firewall.allowedTCPPorts = [80 443 2222];
  services.traefik.dynamicConfigOptions.http = {
    routers.gitea = {
      rule = "Host(`git.xenia.me.uk`)";
      service = "gitea-websecure";
      tls = {certResolver = "default";};
    };
    services.gitea-websecure.loadBalancer.servers = [{url = "http://localhost:3000";}];
  };
  services.fail2ban.jails.gitea = ''
    enabled = true
    filter = sshd
    ports = 2222
    backend = systemd
  '';
}