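# NixOS module: a small self-hosted git server.
#
# - SSH push/pull as the configured git user, whose login shell is a
#   git-shell wrapper that creates a bare repository on first push.
# - cgit web UI (with HTTP clone) served by nginx on `git.cgit.port`.
# - A gatus endpoint that probes the cgit site.
{ pkgs, config, lib, ... }:
{
  options.git = {
    enable = lib.mkEnableOption "enable git server";
    # Unix user that owns the repository store and accepts SSH sessions.
    user = lib.mkOption { type = lib.types.str; default = "git"; };
    group = lib.mkOption { type = lib.types.str; default = "git"; };
    cgit = {
      # cgit instance name; also used as the nginx virtualHost name.
      name = lib.mkOption { type = lib.types.str; default = "home"; };
      # TCP port nginx listens on for cgit (opened in the firewall below).
      port = lib.mkOption { type = lib.types.int; default = 8091; };
    };
  };

  config = lib.mkIf config.git.enable {
    # Uptime probe of the cgit site via the local nginx listener.
    services.gatus.settings.endpoints = [
      {
        name = "cgit site";
        group = "local";
        url = "http://localhost:" + builtins.toString config.git.cgit.port;
        interval = "5m";
        conditions = [ "[connected] == true" "[RESPONSE_TIME] < 300" ];
      }
    ];

    users.users.${config.git.user} =
      let
        # Directory that holds the bare repositories (the git user's home).
        repoRoot = config.users.users.${config.git.user}.home;

        # Login shell for the git user. sshd runs it as
        # `git-shell-wrap -c "<git command> '<repo>'"`; after optionally
        # creating the repository it execs the real git-shell with the
        # original arguments.
        git-shell-wrap = pkgs.writeShellScriptBin "git-shell-wrap" ''
          set -euo pipefail
          # $1 is "-c" and $2 the forced command string. Both are absent on an
          # interactive login attempt, so default them instead of tripping
          # `set -u`; git-shell then rejects the session itself.
          repo=''${2:-}

          # Create repositories only when the client is pushing
          # (git-receive-pack); fetches of a missing repo just fail.
          if [[ "$repo" == *git-receive-pack* ]]; then
            # Extract the single-quoted repo path and normalise to a .git suffix.
            repo=$(printf '%s\n' "$repo" | cut -d"'" -f 2 | sed 's/\.git$//').git

            # The path is client-controlled: confine it to the repo store.
            # Reject absolute paths, "." / ".." / empty path components and
            # any character outside a conservative allow-list, so that
            # `git init` below can never touch a directory outside $repos.
            case "$repo" in
              /*) exit 1 ;;
            esac
            case "/$repo/" in
              */../*|*/./*|*//*) exit 1 ;;
            esac
            if ! [[ "$repo" =~ ^[A-Za-z0-9._/-]+$ ]]; then
              exit 1
            fi

            # Make sure the repo exists on the server.
            repos=${repoRoot}
            path=$repos/$repo
            if [ ! -d "$path" ]; then
              # Use the pinned git; the script's PATH is not guaranteed to
              # contain one.
              ${pkgs.git}/bin/git init --bare "$path" >/dev/null 2>&1
            fi
          fi

          # Hand the original arguments to git-shell, which runs the actual
          # git command.
          exec ${pkgs.git}/bin/git-shell "$@"
        '';
      in
      {
        isSystemUser = true;
        inherit (config.git) group;
        home = "/var/lib/git-server";
        createHome = true;
        openssh.authorizedKeys.keys = config.ssh.keys;
        packages = [ git-shell-wrap ];
        shell = "${git-shell-wrap}/bin/git-shell-wrap";
      };

    users.groups.${config.git.group} = { };

    # cgit is bound to 0.0.0.0 below, so this exposes it to the network.
    networking.firewall.allowedTCPPorts = [ config.git.cgit.port ];

    services = {
      cgit.${config.git.cgit.name} = {
        enable = true;
        inherit (config.git) user group;
        # Serve every repository found in the repo store.
        scanPath = config.users.users.${config.git.user}.home;
        # Allow HTTP clone of all scanned repos without a
        # git-daemon-export-ok marker file.
        gitHttpBackend.checkExportOkFiles = false;
        settings = {
          root-desc = "local git repo store path: ${config.users.users.${config.git.user}.home}";
          snapshots = "all";
          enable-commit-graph = true;
          enable-follow-links = true;
          enable-http-clone = true;
          enable-remote-branches = true;
        };
      };

      nginx.virtualHosts.${config.git.cgit.name}.listen = [
        { addr = "0.0.0.0"; port = config.git.cgit.port; }
      ];

      openssh = {
        enable = true;
        # Lock down the git user's SSH sessions to plain git transport.
        # The Match block names the configured user rather than a literal
        # "git" so it still applies when `git.user` is changed.
        extraConfig = ''
          Match User ${config.git.user}
            AllowTcpForwarding no
            AllowAgentForwarding no
            PasswordAuthentication no
            PermitTTY no
            X11Forwarding no
        '';
      };
    };
  };
}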