{ pkgs, ... }:
let
  # Base hostname for the self-hosted sourcehut instance; every service
  # lives on a subdomain derived from it.
  sourcehut-fqdn = "sourcehut.nixos.local";

  # One locally-issued certificate serves the base domain and all service
  # subdomains. Both values are strings (not Nix path literals), so nginx
  # reads the files at runtime and the private key never gets copied into
  # the world-readable Nix store.
  tlsCert = "/etc/nixos/secrets/certs/sourcehut.nixos.local.crt";
  tlsKey = "/etc/nixos/secrets/certs/sourcehut.nixos.local.key";

  # Every sourcehut frontend shares the same gunicorn tuning; only the
  # loopback bind port differs.
  gunicornArgs = port: [
    "--timeout 120"
    "--workers 1"
    "--log-level=info"
    "--bind [::1]:${toString port}"
  ];

  # Hosts that receive the certificate above: the bare domain plus one
  # entry per enabled service.
  tlsHosts = [
    sourcehut-fqdn
    "meta.${sourcehut-fqdn}"
    "man.${sourcehut-fqdn}"
    "git.${sourcehut-fqdn}"
  ];
in
{
  systemd.services.gitsrht.environment = {
    # python-requests ships its own CA bundle and ignores the system trust
    # store; point it at the bundle that security.pki.certificateFiles
    # (below) extends with the private CA.
    REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
  };

  # Self-hosted sourcehut: meta (accounts/OAuth), git and man frontends.
  services.sourcehut = {
    enable = true;

    meta = {
      enable = true;
      gunicorn.extraArgs = gunicornArgs 5000;
    };
    git = {
      enable = true;
      gunicorn.extraArgs = gunicornArgs 5001;
    };
    man = {
      enable = true;
      gunicorn.extraArgs = gunicornArgs 5004;
    };

    nginx.enable = true;
    postgresql.enable = true;
    redis.enable = true;

    settings = {
      "sr.ht" = {
        environment = "production";
        global-domain = sourcehut-fqdn;
        # NOTE(review): origins are plain http:// while the nginx vhosts
        # below carry a certificate. Whether nginx ends up serving https
        # depends on forceSSL/addSSL being set here or by the sourcehut
        # module — confirm, and keep the scheme here in line with what
        # browsers and the OAuth redirects actually use.
        origin = "http://${sourcehut-fqdn}";
        # Key material is referenced by path and read at runtime; keep
        # these files out of the Nix store.
        network-key = "/etc/nixos/secrets/sourcehut/network.key";
        service-key = "/etc/nixos/secrets/sourcehut/service.key";
      };

      "git.sr.ht" = {
        oauth-client-id = "7f2819091157584f";
        oauth-client-secret = "/etc/nixos/secrets/sourcehut/git.oauth";
        origin = "http://git.${sourcehut-fqdn}";
      };

      "man.sr.ht" = {
        # NOTE(review): this looks like a placeholder rather than a client
        # id issued by meta.sr.ht (compare the hex id used for git.sr.ht)
        # — confirm against the registered OAuth client.
        oauth-client-id = "man.sr.ht";
        oauth-client-secret = "/etc/nixos/secrets/sourcehut/man.oauth";
        origin = "http://man.${sourcehut-fqdn}";
      };

      "meta.sr.ht" = {
        origin = "http://meta.${sourcehut-fqdn}";
        onboarding-redirect = "http://meta.${sourcehut-fqdn}";
      };

      mail = {
        pgp-key-id = "/etc/nixos/secrets/sourcehut/mail.key.id";
        pgp-privkey = "/etc/nixos/secrets/sourcehut/mail.key";
        pgp-pubkey = "/etc/nixos/secrets/sourcehut/mail.key.pub";
        smtp-from = "mail@${sourcehut-fqdn}";
      };

      webhooks.private-key = "/etc/nixos/secrets/sourcehut/webhook.key";
    };
  };

  # Let's Encrypt is disabled; the instance runs on a private CA instead.
  # security.acme = {
  #   certs."${sourcehut-fqdn}".extraDomainNames = [
  #     "meta.${sourcehut-fqdn}"
  #     "man.${sourcehut-fqdn}"
  #     "git.${sourcehut-fqdn}"
  #   ];
  #   acceptTerms = true;
  #   defaults.email = "khais.colin+letsencrypt@gmail.com";
  # };

  # Trust the private CA system-wide. This is a Nix path literal, so the
  # file is copied into the store — acceptable for a public CA certificate,
  # never for a private key.
  security.pki.certificateFiles = [ /etc/nixos/secrets/certs/myCA.pem ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    # Same certificate/key pair for every sourcehut host.
    virtualHosts = builtins.listToAttrs (map (host: {
      name = host;
      value = {
        sslCertificate = tlsCert;
        sslCertificateKey = tlsKey;
      };
    }) tlsHosts);
  };

  services.postgresql.enable = true;
}