{
  config,
  lib,
  ...
}:
with lib; let
  cfg = config.local.gitea;
in {
  options.local.gitea = {
    enable = mkEnableOption "gitea";
  };

  config = mkIf cfg.enable {
    environment.etc."fail2ban/filter.d/gitea.local".text = ''
      [Definition]
      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
      ignoreregex =
    '';

    services = {
      fail2ban.jails.gitea.settings = {
        filter = "gitea";
        logpath = "${config.services.gitea.stateDir}/log/gitea.log";
        maxretry = "10";
        findtime = "3600";
        bantime = "900";
        action = "iptables-allports";
      };

      gitea = {
        enable = true;
        useWizard = true;
      };
    };

    users = {
      users.gitea.uid = 962;
      groups.gitea.gid = 962;
    };
  };
}