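# NixOS module for a small public git host: SSH push access for the `git`
# user (restricted to git-shell), cgit as the web UI, and anonymous
# clone/fetch over HTTPS through git-http-backend behind nginx.
{ pkgs, inputs, ... }:
{
  nixpkgs.overlays = [ (import ../overlays/git-fix) ];

  # Replace the cgit module of the current nixpkgs with the one shipped in
  # the `nixpkgs-stable-release` input.
  disabledModules = [ "services/networking/cgit.nix" ];
  imports = [
    "${inputs.nixpkgs-stable-release}/nixos/modules/services/networking/cgit.nix"
    ./acme.nix
  ];

  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = "/var/lib/git";
    createHome = false; # tmpfiles creates it
    # git-shell limits SSH sessions to git's own server-side commands.
    shell = "${pkgs.git}/bin/git-shell";
    # Every key listed here can push to every repository under /var/lib/git.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS77sno1zVa6uO+2wCbBK489snNIp3uvymca2cHX/33 kjtsanaktsidis@labsrv01"
    ];
  };

  users.groups.git = { };

  # 0755: the repository root is readable by every local user.
  systemd.tmpfiles.rules = [
    "d /var/lib/git 0755 git git -"
  ];

  # Key-only login for `git`, with no forwarding and no TTY.
  # NOTE(review): an sshd Match block stays in effect until the next Match
  # line or the end of the file, so any sshd_config text rendered after this
  # snippet would apply to user git only. Confirm where extraConfig lands.
  services.openssh.extraConfig = ''
    Match User git
      PasswordAuthentication no
      PubkeyAuthentication yes
      X11Forwarding no
      AllowTcpForwarding no
      PermitTTY no
  '';

  # 443 serves the site. 80 is presumably kept open for the forceSSL redirect
  # and ACME HTTP-01 challenges (./acme.nix is not visible here).
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # FastCGI wrapper that runs git-http-backend for the /git/ locations below.
  # NOTE(review): the backend runs as `git`, the account that owns
  # /var/lib/git and receives SSH pushes, so the anonymous HTTP path has
  # OS-level write access to the repositories. A separate user with read-only
  # access would narrow that.
  services.fcgiwrap.instances."git-http" = {
    socket.user = "nginx";
    socket.group = "nginx";
    process.user = "git";
    process.group = "git";
    socket.type = "unix";
    socket.address = "/run/fcgiwrap-git-http.sock";
  };

  services.cgit.git = {
    enable = true;
    scanPath = "/var/lib/git";
    settings = {
      root-title = "KJ's Git server";
      root-desc = "Repositories hosted on KJ's labsrv01";
      enable-index-links = "1";
      enable-log-linecount = "1";
      # Was spelled `enable-log-fielcount`, which is not a cgitrc option.
      enable-log-filecount = "1";
      # NOTE(review): `ssh://user@host:path` is not a usual git URL form; git
      # documents `ssh://user@host/path` and scp-style `user@host:path`.
      # Confirm the advertised SSH URL actually clones.
      clone-url = "https://git.kjtsanaktsidis.id.au/git/$CGIT_REPO_URL ssh://git@git.kjtsanaktsidis.id.au:$CGIT_REPO_URL";
    };
    nginx = {
      virtualHost = "git.kjtsanaktsidis.id.au";
      location = "/";
    };
    gitHttpBackend = {
      enable = true;
      # No per-repository git-daemon-export-ok opt-in: every repository found
      # under scanPath is served.
      checkExportOkFiles = false;
    };
    user = "git";
    group = "git";
  };

  services.nginx = {
    enable = true;
    virtualHosts."git.kjtsanaktsidis.id.au" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        # Block HTTP pushes explicitly (receive-pack)
        "~ ^/git/.+\\.git/git-receive-pack$" = {
          # nginx uses the first regex location that matches, in config order.
          # NixOS orders locations by `priority` (default 1000) and, as far as
          # the module shows, by attribute name among equals. This key sorts
          # after the catch-all below ("(" < "/"), so without a lower priority
          # the 403 would be shadowed.
          priority = 900;
          return = "403";
        };

        # Smart HTTP for clone/fetch
        "~ ^/git(/.+\\.git)(/.*)?$" = {
          # - The `if` rejects the push ref advertisement
          #   (info/refs?service=git-receive-pack), which the location above
          #   cannot match because location regexes ignore the query string.
          # - GIT_HTTP_EXPORT_ALL is defined (even as ""), which presumably
          #   makes every repository under GIT_PROJECT_ROOT anonymously
          #   cloneable; keep private repositories out of /var/lib/git.
          # - No auth is configured in this vhost, so $remote_user is empty
          #   and git-http-backend's default keeps receive-pack disabled.
          # - NOTE(review): client_max_body_size 0 removes the request-body
          #   limit on an unauthenticated endpoint; with pushes blocked, a
          #   finite cap is likely sufficient.
          extraConfig = ''
            if ($arg_service = "git-receive-pack") {
              return 403;
            }
            client_max_body_size 0;
            include ${pkgs.nginx}/conf/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME ${pkgs.git}/libexec/git-core/git-http-backend;
            fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            fastcgi_param PATH_INFO $1$2;
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_pass unix:/run/fcgiwrap-git-http.sock;
          '';
        };
      };
    };
  };
}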