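# NixOS module: GitLab behind an nginx reverse proxy, with its passwords and
# database secret supplied as age-encrypted files (age.secrets.*).
#
# `config` has to be named in the argument set: every secret path below is read
# from config.age.secrets.<name>.path, and with a bare `{ ... }:` that name is
# an undefined variable at evaluation time.
{ config, ... }:
let
  hostname = "gitlab.skynet.ie";
  user = "git";
in
{
  imports = [
    ./acme.nix
    ./nginx.nix
  ];

  # Decrypted secrets are owned by the GitLab service user/group so the
  # service can read them.
  age.secrets.gitlab_pw = {
    file = ../secrets/gitlab/pw.age;
    owner = user;
    group = user;
  };
  age.secrets.gitlab_db = {
    file = ../secrets/gitlab/db.age;
    owner = user;
    group = user;
  };
  age.secrets.gitlab_db_pw = {
    file = ../secrets/gitlab/db_pw.age;
    owner = user;
    group = user;
  };

  # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
  services.nginx = {
    virtualHosts."${hostname}" = {
      # Redirect plain HTTP to HTTPS; TLS terminates at nginx.
      forceSSL = true;
      # Certificate comes from the ACME host entry named "skynet"
      # (presumably declared in ./acme.nix; confirm).
      useACMEHost = "skynet";
      # Traffic reaches GitLab only through the local workhorse unix socket.
      locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
    };
  };

  services.gitlab = {
    enable = true;
    databasePasswordFile = config.age.secrets.gitlab_db_pw.path;
    # Only the *initial* root password. NOTE(review): rotate it after the first
    # login so the value stored in the repository secret is no longer live.
    initialRootPasswordFile = config.age.secrets.gitlab_pw.path;
    # Public URL scheme/port GitLab advertises; nginx above serves it.
    https = true;
    host = hostname;
    port = 443;
    inherit user;
    group = user;

    #smtp = {
    #  enable = true;
    #  address = "localhost";
    #  port = 25;
    #};

    secrets = {
      dbFile = config.age.secrets.gitlab_db.path;

      # these must be backed up for future
      # NOTE(review): unlike dbFile, these three are plain paths and are not
      # declared through age.secrets in this file. Confirm they are created
      # out of band, readable only by the GitLab user, and included in backups;
      # consider managing them as age secrets as well.
      secretFile = "/var/keys/gitlab/secret";
      otpFile = "/var/keys/gitlab/otp";
      jwsFile = "/var/keys/gitlab/jws";
    };

    extraConfig = {
      gitlab = {
        #email_from = "gitlab-no-reply@example.com";
        #email_display_name = "Example GitLab";
        #email_reply_to = "gitlab-no-reply@example.com";

        # New projects start with the builds (CI) feature switched off.
        default_projects_features = {
          builds = false;
        };
      };
    };
  };
}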