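# NixOS module for the Gogs Git service.
#
# The configuration file is rendered from `services.gogs.settings` with
# `pkgs.formats.ini` and handed to `gogs web --config`.  Anything generated
# that way ends up in the Nix store, which is world-readable on the host, so
# secrets must not be placed in `settings`; `environmentFile` exists for that.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.gogs;
  iniFormat = pkgs.formats.ini { };
  # Rendered INI file.  This is a store path: readable by every local user.
  configFile = iniFormat.generate "gogs.ini" cfg.settings;
in
{
  options.services.gogs = {
    enable = lib.mkEnableOption "Gogs Git service";

    package = lib.mkPackageOption pkgs "gogs" { };

    user = lib.mkOption {
      type = lib.types.str;
      default = "gogs";
      description = "User account under which Gogs runs.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "gogs";
      description = "Group under which Gogs runs.";
    };

    stateDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/gogs";
      description = ''
        Persistent data directory (repositories, database, logs).
        Must be an absolute path; it is used as the service user's home,
        as a systemd `ReadWritePaths` entry and in tmpfiles rules.
      '';
    };

    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        File containing environment variables to pass to the Gogs service,
        formatted as VARIABLE=VALUE per line.  Values set here are merged
        into the service's environment and can be used to pass secrets
        (e.g. database passwords) without putting them in the Nix store.
        The file itself should be readable only by root, since it is read by
        systemd before privileges are dropped.
      '';
    };

    settings = lib.mkOption {
      type = iniFormat.type;
      default = { };
      example = lib.literalExpression ''
        {
          server = {
            DOMAIN = "git.example.com";
            ROOT_URL = "https://git.example.com/";
            HTTP_PORT = 3000;
          };
          database = {
            TYPE = "sqlite3";
            PATH = "/var/lib/gogs/data/gogs.db";
          };
        }
      '';
      description = ''
        Settings written to the generated app.ini that is passed to Gogs via
        `--config`.  The generated file is stored in the world-readable Nix
        store, so do not put secrets (such as database passwords) here; use
        {option}`services.gogs.environmentFile` for those instead.

        See: https://gogs.io/docs/advanced/configuration_cheat_sheet
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # stateDir is interpolated unquoted into tmpfiles rules and used as a
    # systemd path; a relative value would silently produce wrong rules.
    assertions = [
      {
        assertion = lib.hasPrefix "/" cfg.stateDir;
        message = "services.gogs.stateDir must be an absolute path.";
      }
    ];

    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      home = cfg.stateDir;
      createHome = true;
    };
    users.groups.${cfg.group} = { };

    # Directories are owner/group-only (0750) so other local users cannot
    # read repositories, the sqlite database or the logs.
    systemd.tmpfiles.rules = [
      "d ${cfg.stateDir} 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.stateDir}/repositories 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.stateDir}/data 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.stateDir}/log 0750 ${cfg.user} ${cfg.group} -"
    ];

    systemd.services.gogs = {
      description = "Gogs Git Service";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.stateDir;
        ExecStart = "${lib.getExe cfg.package} web --config ${configFile}";
        Restart = "on-failure";
        # Only set when the user provided a file; systemd would otherwise
        # fail to start the unit on a missing EnvironmentFile entry.
        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;

        # Sandboxing: no privilege escalation, private /tmp, read-only
        # filesystem except the state directory listed in ReadWritePaths.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ cfg.stateDir ];
      };
    };
  };
}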