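{
  description = "NixOS Gitea server";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
  };

  outputs = { self, nixpkgs, ... }: {
    # NixOS module: Gitea behind an nginx TLS-terminating reverse proxy,
    # authenticating users against the local OpenLDAP service described by
    # `config.services.openldap`.
    nixosModules.gitea = { config, lib, pkgs, ... }:
      let
        cfg = config.gitea;

        # Based on https://github.com/majewsky/nixos-modules/blob/master/gitea.nix
        #
        # Arguments for `gitea admin auth add-ldap` / `update-ldap`, keyed by
        # the CLI option name (without the leading `--`).  The bind password is
        # deliberately NOT part of this set: it is read from a secret file when
        # the service starts (see `ldapBindPasswordFile`), so that neither the
        # secret nor a file path masquerading as the password ends up in the
        # generated script.
        ldapOptions =
          let
            inherit (config.services) openldap;
            suffix = "dc=${openldap.organization},dc=${openldap.extension}";
          in
          {
            name = "ldap";
            # NOTE(review): "LDAPS" is TLS-on-connect, conventionally served on
            # port 636; 389 is the plaintext/StartTLS port.  Confirm which one
            # the local openldap actually exposes — with a mismatch Gitea cannot
            # bind, and "fixing" it by switching to "unencrypted" would send the
            # bind password in clear.
            security-protocol = "LDAPS";
            host = "localhost";
            port = "389";
            bind-dn = "uid=${openldap.services.gitea.uid},ou=services,${suffix}";
            user-search-base = "ou=people,${suffix}";
            # Users may log in with either their uniqueIdentifier or their mail.
            user-filter = "(&(objectclass=*)(|(uniqueIdentifier=%[1]s)(mail=%[1]s)))";
            #admin-filter = "(isMemberOf=cn=gitea-admins,ou=groups,${suffix})";
            username-attribute = "uniqueIdentifier";
            firstname-attribute = "givenName";
            surname-attribute = "sn";
            email-attribute = "mail";
          };

        # Path to a file holding the plaintext bind password for `bind-dn`.
        # NOTE(review): assumes the openldap module's `passwordFile` is a path
        # (the NixOS `*File` convention) and that the file is readable by the
        # gitea service user, since preStart runs as that user — confirm
        # against that module.
        ldapBindPasswordFile = config.services.openldap.services.gitea.passwordFile;

        ldapFlags = "--attributes-in-bind --synchronize-users";
      in
      {
        options.gitea = {
          enable = lib.mkEnableOption "the Gitea server (nginx proxy and LDAP authentication)";
          hostName = lib.mkOption {
            type = lib.types.str;
            description = "Public host name; used for the nginx virtual host, its ACME certificate and Gitea's ROOT_URL.";
          };
          sshPort = lib.mkOption {
            type = lib.types.port;
            description = "Port on which Gitea's built-in SSH server listens.";
          };
          httpPort = lib.mkOption {
            type = lib.types.port;
            description = "Local HTTP port Gitea listens on; nginx proxies to it.";
          };
        };

        config = lib.mkIf cfg.enable {
          services.gitea = {
            enable = true;
            database = {
              type = "sqlite3";
              createDatabase = true;
            };
            stateDir = "/var/lib/gitea";
            settings.server = {
              SSH_PORT = cfg.sshPort;
              HTTP_PORT = cfg.httpPort;
              # Gitea sits behind the TLS-terminating nginx vhost below, so the
              # links it generates (clone URLs, e-mails, redirects) must use the
              # public https origin rather than the upstream default of
              # http://localhost.
              DOMAIN = cfg.hostName;
              ROOT_URL = "https://${cfg.hostName}/";
            };
          };

          # nginx virtual host: terminates TLS (ACME) and proxies to Gitea.
          services.nginx.virtualHosts.${cfg.hostName} = {
            enableACME = true;
            acmeRoot = null;
            addSSL = true;
            # directs traffic to the appropriate port
            locations."/" = {
              # `httpPort` is an integer and Nix refuses to interpolate integers
              # into strings, so it has to be converted explicitly.
              proxyPass = "http://localhost:${toString cfg.httpPort}";
              proxyWebsockets = true;
            };
          };

          # LDAP authentication sources cannot be configured declaratively, so
          # the source is created or updated at the end of the unit's preStart
          # script (mkAfter: after the upstream module has written app.ini).
          systemd.services.gitea.preStart =
            let
              giteaBin = "${pkgs.gitea}/bin/gitea";
              # awk is not part of the default unit PATH, so reference it by
              # store path rather than relying on a bare `awk`.
              awkBin = "${pkgs.gawk}/bin/awk";
              formatOption = key: value: "--${key} ${lib.strings.escapeShellArg value}";
              ldapOptionsStr = lib.concatStringsSep " " (lib.mapAttrsToList formatOption ldapOptions);
              ldapArgs = "${ldapOptionsStr} ${ldapFlags}";
            in
            lib.mkAfter ''
              # Look the source up by name instead of assuming it has ID 1: the
              # numeric ID depends on the order in which sources were created.
              # NOTE(review): assumes `admin auth list` prints one source per
              # line with ID and Name as the first two whitespace-separated
              # columns — confirm against the Gitea version in use.
              ldap_id="$(${giteaBin} admin auth list \
                | ${awkBin} -v name=${lib.escapeShellArg ldapOptions.name} '$2 == name { print $1; exit }')"

              # The bind password is read from the secret file at runtime so the
              # secret itself is never written into this script.  It is still
              # visible in the argv of the short-lived gitea process below.
              bind_password="$(cat ${lib.escapeShellArg ldapBindPasswordFile})"

              if [ -n "$ldap_id" ]; then
                ${giteaBin} admin auth update-ldap --id "$ldap_id" \
                  --bind-password "$bind_password" ${ldapArgs}
              else
                ${giteaBin} admin auth add-ldap \
                  --bind-password "$bind_password" ${ldapArgs}
              fi
            '';
        };
      };
  };
}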