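# NixOS module: a small git hosting stack for git.vhack.eu.
#
# gitolite owns the repositories, cgit renders them on the web, and an extra
# nginx location hands git's HTTP protocol requests to git-http-backend
# through the fcgiwrap socket.
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.vhack.git-server;

  # Directory holding gitolite's bare repositories. It is derived from the
  # gitolite module because vhack.git-server declares no `dataDir` option of
  # its own (only `enable`), so `cfg.dataDir` cannot be evaluated.
  repositories = "${config.services.gitolite.dataDir}/repositories";
in {
  options.vhack.git-server.enable = lib.mkEnableOption "a lightweight git-server, realised with cgit and gitolite.";

  config = lib.mkIf cfg.enable {
    services = {
      gitolite = {
        enable = true;
        # Public half of the initial admin key; this is not a secret.
        adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
        dataDir = "/srv/gitolite";
        user = "git";
        group = "git";
        # UMASK 0027 keeps repositories readable by group `git` and closed to
        # every other local user. The account that runs cgit and
        # git-http-backend therefore has to be a member of `git`; that
        # membership is not configured in this module. TODO confirm.
        extraGitoliteRc = ''
          $RC{UMASK} = 0027; # Enable group access, important for cgit.
        '';
      };

      cgit."git.vhack.eu" = {
        enable = true;
        package = pkgs.cgit-pink;
        scanPath = repositories;
        settings = {
          enable-http-clone = true;
          section-from-path = true;
          # cgit only lists repositories named in this file, so the web view
          # is limited to whatever gitolite writes into projects.list.
          project-list = "${config.services.gitolite.dataDir}/projects.list";
          source-filter = "${config.services.cgit."git.vhack.eu".package}/lib/cgit/filters/syntax-highlighting.py";
        };
      };

      nginx.virtualHosts."git.vhack.eu" = {
        enableACME = true;
        forceSSL = true;

        # Requests that belong to git's HTTP transport go to git-http-backend.
        #
        # NOTE(review): GIT_HTTP_EXPORT_ALL is set (an empty value still
        # counts as set), so git-http-backend serves every repository under
        # GIT_PROJECT_ROOT that its user can read and does not look for
        # git-daemon-export-ok. That is wider than the projects.list filter
        # cgit applies above: a repository hidden from the web view is still
        # cloneable over HTTPS by name. If private repositories are hosted
        # here, drop this parameter and grant gitolite's `daemon` user read
        # access on the public ones instead.
        #
        # NOTE(review): the pattern also routes git-receive-pack, and this
        # location carries no authentication directive. git-http-backend
        # refuses anonymous pushes unless a repository sets http.receivepack,
        # but an HTTP push would not pass through gitolite's SSH access
        # checks. If pushes are meant to go over SSH only, remove
        # `git-receive-pack` from the pattern.
        locations."~ \"^/[0-9A-Za-z._-]+/(HEAD|info/refs|objects/info/(alternates|http-alternates|packs)|[0-9a-f]{2}/([0-9a-f]{38}|[0-9a-f]{62})|pack/pack-([0-9a-f]{40}|[0-9a-f]{64})\\.(pack|idx)|git-upload-pack|git-receive-pack)$\"".extraConfig = ''
          include             ${pkgs.nginx}/conf/fastcgi_params;
          fastcgi_param       GIT_HTTP_EXPORT_ALL "";
          fastcgi_param       GIT_PROJECT_ROOT    ${repositories};
          fastcgi_param       PATH_INFO           $fastcgi_script_name;
          fastcgi_param       SCRIPT_FILENAME     ${pkgs.git}/bin/git-http-backend;
          fastcgi_pass        unix:${config.services.fcgiwrap.socketAddress};
        '';
      };
    };
  };
}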