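{ domain, isProd, config, pkgs, ... }:

# Forgejo host module: DB password from sops, state on the data SSD, a shared
# PostgreSQL instance reached over its socket, nginx in front, built-in SSH on 2222.
{
  # 1. Access the Secret
  sops.secrets.forgejo_db_password = {
    owner = "forgejo";
    # Restart forgejo if the password changes
    restartUnits = [ "forgejo.service" ];
  };

  services.forgejo = {
    enable = true;

    # 2. STORAGE (SSD)
    stateDir = "/mnt/data/forgejo";

    # 3. DATABASE (Shared Postgres)
    database = {
      type = "postgres";
      name = "forgejo";
      user = "forgejo";
      createDatabase = false; # We let NixOS manage this below
      socket = "/run/postgresql"; # Ultra-fast socket connection
      # NOTE(review): over the unix socket Postgres commonly authenticates the
      # "forgejo" system user by peer auth, in which case this password is never
      # consulted; confirm against the pg_hba configuration of the shared instance.
      passwordFile = config.sops.secrets.forgejo_db_password.path;
    };

    # 4. SETTINGS
    settings = {
      server = {
        DOMAIN = "git.${domain}";
        ROOT_URL = "https://git.${domain}/";
        # Bind the web listener to loopback only: nginx (below) is the sole
        # intended client, so port 3000 is unreachable from the network even if
        # the host firewall is ever opened up. Without this the default binds all
        # interfaces and relies on the firewall alone.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        # Run internal SSH on 2222 so it doesn't block your Admin SSH (22)
        SSH_PORT = 2222;
        START_SSH_SERVER = true;
      };
      # Disable registration to prevent random internet people from joining
      service.DISABLE_REGISTRATION = true;
      # Optional: Metrics for Grafana later
      # /metrics is served without authentication unless metrics.TOKEN is set,
      # so the reverse proxy below keeps it off the public vhost.
      metrics.ENABLED = true;
    };
  };

  # 5. POSTGRESQL PROVISIONING
  # This automatically creates the DB and User when you deploy.
  # ensureDBOwnership requires the role name to equal the database name (it does).
  services.postgresql = {
    ensureDatabases = [ "forgejo" ];
    ensureUsers = [
      {
        name = "forgejo";
        ensureDBOwnership = true;
      }
    ];
  };

  # 6. REVERSE PROXY
  # NOTE(review): unless services.nginx.recommendedProxySettings is enabled
  # elsewhere, Forgejo sees every request as coming from 127.0.0.1 (affects its
  # logs and per-IP limits); not visible in this module.
  services.nginx.virtualHosts."git.${domain}" = {
    forceSSL = isProd;
    enableACME = isProd;
    locations."/" = {
      proxyPass = "http://127.0.0.1:3000";
    };
    # Longest-prefix match wins, so /metrics lands here instead of "/".
    # Only the local host may read it; a scraper on this machine can also
    # bypass nginx and read http://127.0.0.1:3000/metrics directly.
    locations."/metrics" = {
      proxyPass = "http://127.0.0.1:3000";
      extraConfig = ''
        allow 127.0.0.1;
        deny all;
      '';
    };
  };

  # 7. FIREWALL
  # Allow Git-over-SSH on the custom port.
  # nginx does not open 80/443 by itself; when isProd is set those ports must be
  # allowed elsewhere in the host configuration (not visible here).
  networking.firewall.allowedTCPPorts = [ 2222 ];
}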