# NixOS host configuration for git.infra.forkos.org: a Forgejo instance and a
# separate OpenSSH daemon, each bound to its own public IPv6 address.
let
  # One public IPv6 address per SSH-speaking service on this machine.
  wanAddrs = {
    forgejo = "2001:bc8:38ee:100:1000::40";
    openssh = "2001:bc8:38ee:100:1000::41";
  };
in
{
  networking = {
    hostName = "git";
    domain = "infra.forkos.org";
  };

  # hostName + domain above spell the same FQDN.
  # NOTE(review): with two SSH servers on this host, whichever address this
  # name resolves to decides which server a deploy connection reaches; confirm
  # it lands on the OpenSSH daemon and not on Forgejo's built-in SSH server.
  deployment.targetHost = "git.infra.forkos.org";

  system.stateVersion = "24.05";
  i18n.defaultLocale = "en_US.UTF-8";

  bagel.sysadmin.enable = true;

  # Forgejo sits behind a proxy, so enable the proxy-awareness module.
  bagel.raito.v6-proxy-awareness.enable = true;

  bagel.hardware.raito-vm = {
    enable = true;
    networking.nat-lan-mac = "BC:24:11:83:71:56";
    networking.wan = {
      # The primary WAN address is the one Forgejo is served from.
      address = "${wanAddrs.forgejo}/64";
      mac = "BC:24:11:0B:8A:81";
    };
  };

  # A second IPv6 address on the WAN link lets OpenSSH and Forgejo's built-in
  # SSH server both listen on port :22 without colliding.
  systemd.network.networks."10-wan".networkConfig.Address = [ "${wanAddrs.openssh}/64" ];

  # sshd is pinned to the additional address only. No port is given in this
  # entry, so the port comes from the rest of the OpenSSH configuration.
  services.openssh.listenAddresses = [
    { addr = "[${wanAddrs.openssh}]"; }
  ];

  # sshd is ordered after network.target by default. networkd can still be busy
  # assigning the additional IPv6 address at that point; sshd then fails to bind
  # to the requested IP, crashes 5 times and hits the default restart counter
  # limit (5), leaving the host without its admin SSH endpoint. Waiting for
  # network-online.target avoids that race.
  # `wants` is a weak dependency: sshd is still started if the target fails.
  systemd.services.sshd = {
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };

  # Forgejo's built-in SSH server binds to the primary address, keeping it
  # apart from the OpenSSH listener above.
  bagel.services.forgejo.enable = true;
  bagel.services.forgejo.sshBindAddr = wanAddrs.forgejo;
}