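# NixOS module: two cgit instances (git.audron.dev and git.vapor.systems)
# behind nginx, plus a restricted `git` SSH account whose login shell is
# git-shell.
{
  self,
  config,
  lib,
  pkgs,
  ...
}:
{
  environment.systemPackages = [ pkgs.gitea ];

  services.cgit =
    let
      # Settings shared by both cgit instances.
      settings = {
        css = "https://cdn.vapor.systems/cgit/cgit.css";
        root-title = "vapor.systems git repositories";
        enable-follow-links = true;
        enable-commit-graph = true;
        # NOTE(review): this lets values stored in a repository's git config
        # set per-repo cgit options. Confirm that everyone able to write
        # those config files is trusted to do so.
        enable-git-config = true;
        enable-http-clone = true;
        enable-index-links = true;
        enable-index-owner = true;
        enable-log-linecount = true;
        enable-subject-links = true;
        # Only repositories containing this marker file are listed and served.
        strict-export = "git-daemon-export-ok";
        max-repodesc-length = 120;
        clone-url = "https://$HTTP_HOST/$CGIT_REPO_URL";
        readme = "README.adoc";
        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
        # The about filter renders README.adoc taken from the repository,
        # i.e. content controlled by whoever can push. The asciidoctor CLI
        # defaults to the "unsafe" safe mode, in which include:: directives
        # can pull in any file readable by the cgit user. `-S secure` turns
        # includes into plain links and disables the other file-system
        # touching features.
        # NOTE(review): secure mode does not sanitise the generated HTML;
        # README authors can still emit raw markup into the about page.
        about-filter = "${pkgs.writeShellScript "cgit-about-filter" ''
          ${pkgs.asciidoctor}/bin/asciidoctor -S secure -b html5 -e -o - -
        ''}";
      };

      # Smart-HTTP clone backend; honours the same export marker as cgit.
      gitHttpBackend = {
        enable = true;
        checkExportOkFiles = true;
      };

      # cgit built from a pinned upstream snapshot. Both tarballs are
      # verified against fixed sha256 hashes.
      # NOTE(review): gitSrc must match the git version this cgit revision
      # expects; re-check it, and the security status of that git release,
      # on every bump.
      package = pkgs.cgit.overrideAttrs (
        final: prev:
        let
          rev = "09d24d7cd0b7e85633f2f43808b12871bb209d69";
        in
        {
          version = "1.2.3-2025-11-15";
          src = pkgs.fetchurl {
            url = "https://git.zx2c4.com/cgit/snapshot/${prev.pname}-${rev}.tar.xz";
            hash = "sha256-gfgjAXnWRqVCP+4cmYOVdB/3OFOLJl2WBOc3bFVDsjw=";
          };
          gitSrc = pkgs.fetchurl {
            url = "mirror://kernel/software/scm/git/git-2.46.0.tar.xz";
            hash = "sha256-fxI0YqKLfKPr4mB0hfcWhVTCsQ38FVx+xGMAZmrCf5U=";
          };
        }
      );
    in
    {
      # Personal instance: a single, explicitly listed repository.
      audron = {
        inherit settings gitHttpBackend package;
        enable = true;
        repos = {
          "dotfiles.git" = {
            desc = "Fully Managed NixOS System Dotfiles";
            path = "/home/audron/dotfiles.git";
          };
        };
        nginx.virtualHost = "git.audron.dev";
      };

      # Shared instance: scans /var/lib/git and enables the response cache.
      "vapor-systems" = {
        inherit gitHttpBackend package;
        enable = true;
        scanPath = "/var/lib/git";
        settings = settings // {
          cache-root = "/var/cache/cgit";
          cache-size = 50;
        };
        nginx.virtualHost = "git.vapor.systems";
      };
    };

  # Point ~git/git-shell-commands at the store copy of ./git-shell-commands.
  # `ln -sfn` replaces an existing link in one step and also succeeds on the
  # first activation, where the previous unconditional `rm` failed because
  # the link did not exist yet.
  system.activationScripts.setup-git-shell-commands.text = ''
    ln -sfn "${./git-shell-commands}" "/var/lib/git/git-shell-commands"
  '';

  services.nginx.virtualHosts = {
    "git.audron.dev" = {
      forceSSL = true;
      useACMEHost = "audron.dev";
    };
    "git.vapor.systems" = {
      forceSSL = true;
      useACMEHost = "vapor.systems";
    };
  };

  users.users = {
    # The cgit user joins "users"; together with the about filter this
    # widens what the web-facing process can read, so keep the filter
    # in secure mode.
    cgit.extraGroups = [ "users" ];

    git = {
      isSystemUser = true;
      group = "git";
      home = "/var/lib/git";
      homeMode = "755";
      createHome = true;
      # git-shell limits the account to git transport commands and the
      # scripts under ~/git-shell-commands.
      shell = "${pkgs.git}/bin/git-shell";
      # Every normal user's authorized SSH keys are accepted for `git`.
      openssh.authorizedKeys.keys = lib.flatten (
        lib.map (user: user.openssh.authorizedKeys.keys or [ ]) (
          lib.filter (user: user.isNormalUser) (lib.attrValues config.users.users)
        )
      );
    };
  };

  users.groups.git = { };

  services.openssh = {
    enable = true;
    # Restrict the shared git account to key-based, non-interactive use.
    # AllowStreamLocalForwarding is disabled alongside AllowTcpForwarding:
    # Unix-socket forwarding is a separate sshd option that stays enabled
    # by default.
    extraConfig = ''
      Match user git
        AllowTcpForwarding no
        AllowStreamLocalForwarding no
        AllowAgentForwarding no
        PasswordAuthentication no
        PermitTTY no
        X11Forwarding no
    '';
  };

  security.acme.certs = {
    "vapor.systems" = {
      extraDomainNames = [ "*.vapor.systems" ];
    };
    "audron.dev" = {
      extraDomainNames = [ "*.audron.dev" ];
    };
  };
}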