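{ config, lib, namespace, ... }:
with lib;
let
  cfg = config.${namespace}.services.gitea;

  # Public URL advertised to users; DOMAIN (below) is the internal host name.
  rootUrl = "https://gitea.mjallen.dev/";
  dataDir = "/var/lib/gitea";
  secretsDir = "/run/secrets/jallen-nas/gitea";

  # sops-managed secret files. The paths are resolved on the host and the same
  # path is bind-mounted read-only into the container (see bindMounts), so the
  # files' owner/mode must be correct on the host side.
  mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
  metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;

  # NixOS configuration applied inside the container.
  serviceConfig = { ... }: {
    services.gitea = {
      enable = true;
      stateDir = dataDir;
      inherit mailerPasswordFile metricsTokenFile;
      settings = {
        server = {
          # NOTE(review): DOMAIN differs from the host in ROOT_URL; Gitea derives
          # SSH clone URLs from DOMAIN unless SSH_DOMAIN is set -- confirm intended.
          DOMAIN = "jallen-nas";
          # Bind on all container interfaces so the host-side proxy can reach it.
          HTTP_ADDR = "0.0.0.0";
          HTTP_PORT = cfg.httpPort;
          PROTOCOL = "http";
          ROOT_URL = rootUrl;
          START_SSH_SERVER = true;
          SSH_PORT = cfg.sshPort;
        };
        service = {
          REGISTER_EMAIL_CONFIRM = false;
          ENABLE_CAPTCHA = false;
          DISABLE_REGISTRATION = true;
          ENABLE_OPENID_SIGNIN = false;
          ENABLE_LDAP_SIGNIN = false;
          ENABLE_SSH_SIGNIN = true;
          ENABLE_BUILTIN_SSH_SERVER = true;
          # With this on, Gitea signs in whichever user the proxy's auth header
          # names. That is only safe while the HTTP port is reachable solely via
          # the reverse proxy and the proxy overwrites that header on incoming
          # requests; restricting REVERSE_PROXY_TRUSTED_PROXIES in [security] to
          # the proxy's address limits the blast radius if it is not.
          ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
        };
      };
    };

    # "keys" is the group sops-nix uses for secret files.
    users.users.gitea = { extraGroups = [ "keys" ]; };

    # Create and set permissions for required directories.
    # Fixed: the previous `chmod -R 775` made the secrets directory (and every
    # file under the data dir) readable by every account in the container.
    # Directories are now 750 and modes are not applied recursively; the
    # secrets mount itself is read-only, so it cannot be chown/chmod'ed from
    # here anyway -- only its parent directory is prepared.
    system.activationScripts.gitea-dirs = ''
      mkdir -p ${dataDir}
      chown -R gitea:gitea ${dataDir}
      chmod 750 ${dataDir}
      mkdir -p /run/secrets/jallen-nas
      chown gitea:gitea /run/secrets/jallen-nas
      chmod 750 /run/secrets/jallen-nas
    '';
  };

  # Host paths mounted into the container: the data dir is writable, the
  # secrets dir is read-only at the same path so the sops paths above resolve.
  bindMounts = {
    ${dataDir} = {
      hostPath = cfg.dataDir;
      isReadOnly = false;
    };
    secrets = {
      hostPath = secretsDir;
      isReadOnly = true;
      mountPoint = secretsDir;
    };
  };

  # Create reverse proxy configuration using mkReverseProxy.
  reverseProxyConfig = lib.${namespace}.mkReverseProxy {
    name = "gitea";
    subdomain = cfg.reverseProxy.subdomain;
    url = "http://${cfg.localAddress}:${toString cfg.httpPort}";
    middlewares = cfg.reverseProxy.middlewares;
  };

  containerConfig = (lib.${namespace}.mkContainer {
    name = "gitea";
    localAddress = cfg.localAddress;
    ports = [ cfg.httpPort cfg.sshPort ];
    inherit bindMounts;
    config = serviceConfig;
  }) { inherit lib; };

  giteaConfig = {
    ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
      reverseProxies = [ reverseProxyConfig ];
    };
  } // containerConfig;
in
{
  imports = [ ./options.nix ];
  config = mkIf cfg.enable giteaConfig;
}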