{ ... }:
{
  # Forgejo is reachable only across the wg0 tunnel: both of its ports are
  # opened on that interface alone, so the NixOS firewall keeps them closed
  # on every other interface.
  networking.firewall.interfaces.wg0 = {
    allowedTCPPorts = [ 2222 3000 ];
  };

  services.forgejo = {
    enable = true;

    settings = {
      # No self-service sign-up on this instance.
      service.DISABLE_REGISTRATION = true;

      # Forgejo Actions (CI) turned on.
      actions.ENABLED = true;

      server = {
        DOMAIN = "forgejo.ellie.town";
        ROOT_URL = "https://forgejo.ellie.town/";

        # The web UI binds to the wg0 inner address only, not 0.0.0.0.
        HTTP_ADDR = "10.10.0.2";
        HTTP_PORT = 3000;

        # Built-in SSH server. SSH_PORT is what clone URLs advertise;
        # SSH_LISTEN_PORT is where the daemon actually listens (same here).
        # NOTE(review): no SSH_LISTEN_HOST is set, so unlike HTTP this
        # listener binds all interfaces and relies solely on the wg0
        # firewall rule above to stay tunnel-only; pinning it to 10.10.0.2
        # would make both listeners consistent — confirm before changing.
        START_SSH_SERVER = true;
        SSH_DOMAIN = "forgejo.ellie.town";
        SSH_PORT = 2222;
        SSH_LISTEN_PORT = 2222;
      };
    };
  };

  # Forgejo binds HTTP to 10.10.0.2 (the wg0 inner address). Without this
  # ordering, forgejo races wireguard at boot, fails to bind, and stays up
  # only on its all-interfaces SSH listener — leaving the web UI 502'd.
  # `requires` (rather than `wants`) also ties forgejo's activation to the
  # tunnel unit instead of merely preferring it.
  systemd.services.forgejo = {
    after = [ "wireguard-wg0.service" ];
    requires = [ "wireguard-wg0.service" ];
  };
}