{ ... }:
{
  imports = [ ./traefik.nix ./fail2ban.nix ];
  services.gitea = {
    enable = true;
    settings = {
      server = {
        ROOT_URL = "https://git.xenia.me.uk";
        DOMAIN = "git.xenia.me.uk";
        SSH_PORT = 2222;
      };
      service.DISABLE_REGISTRATION = true;
    };
    appName = "Gitea";
  };
  networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
  services.traefik.dynamicConfigOptions.http = {
    routers.gitea = { rule = "Host(`git.xenia.me.uk`)"; service = "gitea-websecure"; tls = { certResolver = "default"; }; };
    services.gitea-websecure.loadBalancer.servers = [{ url = "http://localhost:3000"; }];
  };
  services.fail2ban.jails.gitea = ''
    enabled = true
    filter = sshd
    ports = 2222
    backend = systemd
  '';
}