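# NixOS module: Gitea published through Traefik (HTTPS, plus a TCP route to
# Gitea's built-in SSH server) with a fail2ban jail. The Traefik entry points
# ("http", "https", "ssh") and the base fail2ban setup come from the two
# imported files, which are not shown here.
{...}: {
  imports = [./traefik.nix ./fail2ban.nix];

  services.gitea = {
    enable = true;
    appName = "Gitea";

    settings = {
      server = {
        ROOT_URL = "https://git.xenia.me.uk";
        DOMAIN = "git.xenia.me.uk";
        # Bind the web listener to loopback. Traefik is the only intended
        # client; Gitea's default bind address is all interfaces, which would
        # serve plain HTTP on port 3000 past the TLS-terminating proxy wherever
        # the firewall allows it.
        HTTP_ADDR = "127.0.0.1";

        START_SSH_SERVER = true;
        SSH_DOMAIN = "git.xenia.me.uk";
        # Port shown in clone URLs; presumably the port of the Traefik "ssh"
        # entry point defined in ./traefik.nix (confirm there).
        SSH_PORT = 2222;
        # Port the built-in SSH server listens on; Traefik forwards to it.
        SSH_LISTEN_PORT = 30922;
        # Loopback only, so the ClientIP restriction on the plain-SSH route
        # below cannot be sidestepped by connecting to 30922 directly.
        SSH_LISTEN_HOST = "127.0.0.1";
      };

      # No self-service sign-up; accounts have to be created by an admin.
      service.DISABLE_REGISTRATION = true;

      ui = {
        THEMES = "auto,gitea,arc-green,catppuccin-latte-lavender,catppuccin-frappe-lavender,catppuccin-macchiato-lavender,catppuccin-mocha-lavender";
      };
    };
  };

  services.traefik.dynamicConfigOptions = {
    http = {
      routers.gitea = {
        rule = "Host(`git.xenia.me.uk`)";
        # A router with a `tls` section only serves TLS requests, so listing
        # the "http" entry point does not expose Gitea over plain HTTP; any
        # HTTP-to-HTTPS redirect has to come from ./traefik.nix.
        entryPoints = ["http" "https"];
        service = "gitea-websecure";
        tls = {certResolver = "default";};
      };
      # 127.0.0.1 rather than "localhost" so the upstream matches HTTP_ADDR
      # exactly and does not depend on how localhost resolves.
      services.gitea-websecure.loadBalancer.servers = [{url = "http://127.0.0.1:3000";}];
    };

    tcp = {
      # TLS-wrapped SSH: matches only connections that present this SNI.
      # Traefik terminates TLS and forwards the inner stream, so a plain SSH
      # client (which sends no SNI) is never handled by this router.
      routers.gitea-ssh = {
        rule = "HostSNI(`git.xenia.me.uk`)";
        entryPoints = ["ssh"];
        service = "gitea-sshservice";
        tls = {certResolver = "default";};
      };

      # Plain SSH, allowed by source address only. The check uses the peer
      # address Traefik sees; if anything in front of Traefik rewrites source
      # addresses (NAT, another proxy), clients may all appear in-range.
      # NOTE(review): confirm 192.168.0.0/16 is no wider than the LAN in use.
      routers.gitea-ssh-local = {
        rule = "ClientIP(`192.168.0.0/16`)";
        entryPoints = ["ssh"];
        service = "gitea-sshservice";
      };

      # Matches SSH_LISTEN_HOST / SSH_LISTEN_PORT above.
      services.gitea-sshservice.loadBalancer.servers = [{address = "127.0.0.1:30922";}];
    };
  };

  # NOTE(review): this jail probably does not protect Gitea as written; verify
  # with a failed login and `fail2ban-client status gitea` before relying on it.
  #  - `filter = sshd` parses OpenSSH's sshd log lines. Gitea's built-in SSH
  #    server logs through Gitea in a different format, so a Gitea-specific
  #    filter is needed for failed Gitea logins to be counted.
  #  - fail2ban's jail key is `port`; `ports` is not a recognised option, so
  #    the jail falls back to the default port setting.
  #  - SSH reaches Gitea through Traefik, so the peer address Gitea sees is
  #    the proxy's unless client addresses are passed through (e.g. PROXY
  #    protocol), and a ban on 30922 does not cover the Traefik entry point
  #    that clients actually connect to.
  # The jail body is left as the author wrote it; the right replacement
  # depends on ./fail2ban.nix and ./traefik.nix.
  services.fail2ban.jails.gitea = ''
    enabled = true
    filter = sshd
    ports = 30922
    backend = systemd
  '';
}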