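{ ... }:
{
  # ssh config for forgejo
  #
  # Forgejo's own sshd lives at 10.89.88.15:2222. Inbound git-over-ssh on the
  # public address 116.202.5.66:22 is DNATed to it, while the host sshd is
  # bound to the *other* addresses listed further down, so the two never
  # compete for port 22.

  # need ip forward for nat (DNATed packets traverse FORWARD, not INPUT)
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
  };

  networking.firewall = {
    # open port explicitly (host sshd, on the addresses it listens on below)
    allowedTCPPorts = [ 22 ];
    # git.oxapentane.com: port forward 22 to forgejo
    # TODO do a proper thing with ipv6
    #
    # The firewall start script is re-run on reload (nixos-rebuild switch) but
    # only flushes the nixos-fw* chains, so rules appended to the nat table
    # here would otherwise pile up as duplicates on every switch. Check with
    # -C first so each rule exists exactly once.
    extraCommands = ''
      iptables -t nat -C PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 2>/dev/null \
        || iptables -t nat -I PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222
      # NOTE(review): this masquerades every forwarded flow not leaving via lo,
      # not only the forgejo container's; narrow it with "-s <container subnet>"
      # once that range is confirmed.
      iptables -t nat -C POSTROUTING ! -o lo -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING ! -o lo -j MASQUERADE
    '';
    # remove both nat rules on stop so a stale MASQUERADE rule does not outlive
    # the firewall; "|| true" keeps shutdown going if a rule is already gone
    extraStopCommands = ''
      iptables -t nat -D PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || true
      iptables -t nat -D POSTROUTING ! -o lo -j MASQUERADE || true
    '';
  };
  # host sshd: only listen on oxapentane.com and mgmt vpn
  # (deliberately not on 116.202.5.66, which is taken by the DNAT above)
  services.openssh.listenAddresses =
    map
      (a: {
        addr = a;
        port = 22;
      })
      [
        # enp1s0
        "188.245.196.27"
        "2a01:4f8:c17:7f8a::1"
        # wg-0xa-mgmt
        "10.89.87.1"
        "fd31:185d:722e::1"
      ];

  # forgejo web UI, reached over plain http inside the container network
  services.nginx.upstreams.forgejo = {
    servers = {
      "10.89.88.15:3000" = { };
      "[fd31:185d:722f::15]:3000" = { };
    };
  };

  services.nginx.virtualHosts."git.oxapentane.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://forgejo";
      # Sets proxy_http_version 1.1 plus the Upgrade/Connection headers through
      # the nginx module's $connection_upgrade map, so "Connection: upgrade" is
      # only sent to forgejo on real upgrade requests rather than on every
      # request (an unconditional "upgrade" defeats upstream keepalive and
      # confuses some backends).
      proxyWebsockets = true;
      extraConfig = ''
        # large git pushes / LFS uploads go through here
        client_max_body_size 50000M;

        # NOTE(review): forgejo presumably must list this proxy in its trusted
        # reverse-proxy set (REVERSE_PROXY_TRUSTED_PROXIES) for X-Real-IP /
        # X-Forwarded-For to be honoured -- confirm in app.ini, otherwise
        # logging and rate limiting see nginx's address instead of the client's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # long-running git operations over http
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;
      '';
    };
  };
}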