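# Forgejo instance reachable only over the wg0 WireGuard interface.
#
# Exposure model, as configured here:
#   - HTTP (3000) and the built-in SSH server (2222) both bind to 10.10.0.2,
#     the wg0 inner address.
#   - The firewall opens those two TCP ports on wg0 only.
# The bind address and the firewall rule are independent layers; keep both so
# that a mistake in one does not expose the service on another interface.
{ ... }:
{
  # Per-interface rule: 2222 (git over SSH) and 3000 (web UI) are accepted on
  # wg0 and nowhere else. Do not move these to the global allowedTCPPorts.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    2222
    3000
  ];

  services.forgejo = {
    enable = true;

    # Self-service sign-up is off; accounts have to be created by an admin.
    settings.service.DISABLE_REGISTRATION = true;

    # Actions lets repositories define workflows that runners execute, so
    # anyone with push access can get code run on whatever runner is attached.
    # Runner registration and isolation are not configured in this module.
    settings.actions.ENABLED = true;

    settings.server = {
      DOMAIN = "forgejo.ellie.town";
      ROOT_URL = "https://forgejo.ellie.town/";

      # Web UI listens on the wg0 inner address only.
      HTTP_ADDR = "10.10.0.2";
      HTTP_PORT = 3000;

      START_SSH_SERVER = true;
      SSH_DOMAIN = "forgejo.ellie.town";
      SSH_PORT = 2222;
      # Bind the built-in SSH server to the same wg0 address as HTTP. Left
      # unset, it listens on every interface and only the firewall rule above
      # keeps it off the other ones.
      SSH_LISTEN_HOST = "10.10.0.2";
      SSH_LISTEN_PORT = 2222;
    };
  };

  # Forgejo binds to 10.10.0.2 (the wg0 inner address). Without this
  # ordering, forgejo races wireguard at boot and fails to bind HTTP, which
  # left the web UI 502'd while the SSH listener (then on all interfaces)
  # was the only thing up.
  # nixpkgs 25.11 routes networking.wireguard.interfaces through
  # systemd-networkd, so the gate is network-online.target (which pulls in
  # systemd-networkd-wait-online.service) rather than wireguard-wg0.service.
  systemd.services.forgejo = {
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
  };
}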