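{config, ...}:
let
  # Address the nginx stream listener binds for SSH passthrough on port 22.
  # "0.0.0.0" listens on every IPv4 interface of the host.
  sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod

  # Host-side ports the gitea container publishes. nginx is the only client
  # (it proxies to 127.0.0.1 below), so they are bound to loopback only.
  sshIntPort = 14022;
  httpIntPort = 14020;

  # Public hostname; used for the TLS vhost and as the runner's instance URL.
  dom = "git.min.rip";
in
{
  services.nginx = {
    # HTTPS front-end for the Gitea web UI: nginx terminates TLS (ACME cert,
    # HTTP redirected to HTTPS) and forwards plain HTTP to the container over
    # loopback.
    virtualHosts.${dom} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString httpIntPort}";
      };
    };

    # Raw TCP passthrough so SSH on port 22 reaches the container's sshd.
    # nginx's proxy_timeout is the allowed idle gap between two successive
    # reads/writes on the proxied connection, not a total connection limit;
    # 20s is short for an idle interactive session but fine for git transfers.
    streamConfig = ''
      upstream gitea {
        server 127.0.0.1:${toString sshIntPort};
      }
      server {
        listen ${sshExposeIp}:22;
        proxy_timeout 20s;
        proxy_pass gitea;
      }
    ''; # May not support IPv6, i'm unsure.. (listen is IPv4-only as written)
  };

  # Auto-create directories we need. Owner uid/gid 1000 matches the
  # USER_UID/USER_GID the gitea container runs as; mode 0750 keeps the repo
  # data unreadable by other local users.
  systemd.tmpfiles.rules = [
    "d /srv/gitea 0750 1000 1000 - -"
    "d /srv/gitea/gitea 0750 1000 1000 - -"
    "d /srv/gitea/runner 0750 1000 1000 - -"
  ];

  virtualisation.oci-containers.containers.gitea = {
    # Pinned to an exact tag; pinning by digest would additionally protect
    # against the tag being re-pushed upstream.
    image = "docker.io/gitea/gitea:1.21.4";
    environment = {
      USER_UID = "1000";
      USER_GID = "1000";
      GITEA_WORK_DIR = "/data/gitea";
      GITEA_CUSTOM = "/data/gitea";
      GITEA_APP_INI = "/data/gitea/conf/app.ini";
    };
    volumes = [
      "/srv/gitea/gitea:/data"
      "/etc/localtime:/etc/localtime:ro"
    ];
    # Publish on loopback only. An unqualified "hostPort:containerPort"
    # binds 0.0.0.0, which would expose plain-HTTP Gitea and the container's
    # sshd directly on every interface (and, with the Docker backend, reach
    # them ahead of the host firewall rules). nginx proxies to 127.0.0.1 for
    # both, so nothing else needs these ports.
    ports = [
      "127.0.0.1:${toString httpIntPort}:3000/tcp"
      "127.0.0.1:${toString sshIntPort}:22/tcp"
    ];
  };

  # Runner registration token and related settings live in a sops-managed
  # env file rather than in this (world-readable) module.
  sops.secrets."svc-gitea-runner-env" = {};

  virtualisation.oci-containers.containers.gitea-runner = {
    image = "docker.io/gitea/act_runner:0.2.6-dind-rootless";
    environment = {
      # Runner talks to Gitea through the public HTTPS vhost, not the
      # loopback port, so TLS and the ACME cert apply.
      GITEA_INSTANCE_URL = "https://${dom}/";
      DOCKER_HOST = "unix:///var/run/user/1000/docker.sock";
    };
    environmentFiles = [config.sops.secrets."svc-gitea-runner-env".path];
    volumes = [
      "/srv/gitea/runner:/data"
    ];
    # --privileged gives this container full host device and capability
    # access; the dind-rootless image relies on it for nested Docker, but it
    # means a workflow that escapes the inner daemon is effectively root on
    # the host. Treat jobs scheduled here as trusted.
    extraOptions = ["--privileged"];
  };
}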