{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.vhack.git-server;
in {
  options.vhack.git-server = {
    enable = lib.mkEnableOption ''
      a lightweight git-server, realised with cgit and gitolite.
    '';
  };

  config = lib.mkIf cfg.enable {
    services = {
      gitolite = {
        enable = true;
        adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
        dataDir = "/srv/gitolite";
        user = "git";
        group = "git";
        extraGitoliteRc = ''
          $RC{UMASK} = 0027; # Enable group access, important for cgit.
        '';
      };

      cgit."git.vhack.eu" = {
        enable = true;
        package = pkgs.cgit-pink;
        scanPath = "${config.services.gitolite.dataDir}/repositories";
        settings = {
          enable-http-clone = true;
          section-from-path = true;
          project-list = "${config.services.gitolite.dataDir}/projects.list";
          source-filter = "${config.services.cgit."git.vhack.eu".package}/lib/cgit/filters/syntax-highlighting.py";
        };
      };

      nginx.virtualHosts."git.vhack.eu" = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };
}