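# NixOS module `vhack.git-server`: a gitolite-managed repository store that is
# published read-only over HTTPS by cgit (behind nginx/fcgiwrap) and
# read-write over SSH by gitolite.
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.vhack.git-server;

  /*
  Until upstream support for this is merged into nixpkgs (the reference is
  missing from this comment), we have to do the list to string conversion
  ourselves:
  */
  toCgitRc = list: lib.strings.concatStringsSep " " list;
in {
  options.vhack.git-server = {
    enable = lib.mkEnableOption ''
      a lightweight git-server, realised with cgit and gitolite.
    '';

    domain = lib.mkOption {
      type = lib.types.str;
      default = "git.vhack.eu";
      description = ''
        The domain this git instance will run under.
      '';
    };

    gitolite = {
      # NOTE(review): the default below is a fixed public key (presumably the
      # module author's). A deployment that enables this module without
      # overriding the option gives the holder of that key the initial
      # `gitolite-admin` access, i.e. control over every repository ACL.
      # Set this explicitly per deployment.
      adminPubkey = lib.mkOption {
        description = ''
          The initial key to use for gitolite. This will only be used for the initial
          clone of the `gitolite-admin` repository.
        '';
        type = lib.types.str;
        default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    programs.git = {
      enable = true;
      config = {
        init = {
          defaultBranch = "main";
        };
      };
    };

    # Needed for the nginx proxy and the virtual host
    vhack.nginx.enable = true;

    services = {
      fcgiwrap = {
        # NOTE: This is needed as `cgit` otherwise fails to run `git` commands in the git
        # repositories (for example, when cloning a repository over http). <2024-08-02>
        # FIXME: Is there a way to not run _all_ wrapped cgi things as `git`? <2024-08-02>
        #
        # NOTE(review): `git` is also the gitolite service user below, so every
        # CGI program served through this fcgiwrap runs with the identity that
        # gitolite uses for the repositories and its own configuration, not
        # with read-only access. The failure described above is presumably
        # git's repository ownership check (`safe.directory`) - TODO confirm;
        # if so, a dedicated user in the `git` group would be the
        # least-privilege alternative.
        user = "git";
        group = "nginx";
      };

      gitolite = {
        inherit (cfg.gitolite) adminPubkey;
        enable = true;
        dataDir = "/srv/gitolite";
        user = "git";
        group = "git";
        # 0027: owner read/write, group read-only, nothing for other users.
        extraGitoliteRc = ''
          $RC{UMASK} = 0027; # Enable group access, important for cgit.
        '';
      };

      cgit."${cfg.domain}" = {
        enable = true;
        package = pkgs.cgit-pink;
        scanPath = "${config.services.gitolite.dataDir}/repositories";
        settings = {
          # Allow users to download a repo checkout with these compression formats
          snapshots = toCgitRc ["tar.gz" "zip"];

          # The template used to generate the clone url for https clone.
          clone-url = toCgitRc ["https://${cfg.domain}/$CGIT_REPO_URL" "ssh://git@${cfg.domain}/$CGIT_REPO_URL"];
          enable-http-clone = true;

          section-from-path = true;

          # The scan path holds every gitolite repository; `project-list` is
          # what limits cgit (and therefore anonymous HTTP clone) to the
          # repositories named in gitolite's projects.list.
          # NOTE(review): cgit honours `project-list` only when it appears
          # before `scan-path` in the generated cgitrc - verify the rendered
          # file, and that private repositories are absent from the web index.
          project-list = "${config.services.gitolite.dataDir}/projects.list";

          # Look the package up under the configured domain. The previous
          # hard-coded "git.vhack.eu" key referred to a cgit instance that is
          # not defined by this module once `domain` is overridden.
          source-filter = "${config.services.cgit."${cfg.domain}".package}/lib/cgit/filters/syntax-highlighting.py";
        };
      };

      nginx.virtualHosts."${cfg.domain}" = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };
}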