{ ... }: {
  services.gitea = {
    enable = true;
    appName = "Newtype's Git";
    mailerPasswordFile = "/var/lib/secrets/gitea/mailpw";
    settings = {
      server = {
        ROOT_URL = "https://git.newtype.fr";
        DOMAIN = "git.newtype.fr";
      };
      service.DISABLE_REGISTRATION = true;
      session.COOKIE_SECURE = true;
      mailer = {
        ENABLED = true;
        HOST = "mail.gandi.net:465";
        USER = "git@newtype.fr";
        FROM = "Newtype's Git <git@newtype.fr>";
        IS_TLS_ENABLED = true;
      };
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."git.newtype.fr" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
    };
  };

  security.acme.certs = { "git.newtype.fr".email = "contact@newtype.fr"; };
  security.acme.acceptTerms = true;
}