{ pkgs, inputs, config, lib, ... }: {

  config = {

    # fail2ban
    services.fail2ban.enable = true;
    services.openssh.settings.LogLevel = "VERBOSE";


    # caddy
    services.caddy = {
      enable = true;
      configFile = ../../dotfiles/caddy/Caddyfile;
    };
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # gitea
    sops.secrets."gitea_dbpass" = {
      owner = "gitea";
      group = "gitea";
    };

    services.gitea = {
      enable = true;
      database = {
        type = "postgres";   
        passwordFile = config.sops.secrets."gitea_dbpass".path;
      }; 
      settings = {
       server = {
         DOMAIN = "gitea.fredzernia.com";
         ROOT_URL = "https://gitea.fredzernia.com";
         HTTP_PORT = 7904;
       };
       service.DISABLE_REGISTRATION = true;
      };
    };
  };
}