# NixOS module: gitolite-managed repositories, published read-only through cgit
# on an nginx virtual host with ACME-issued TLS.
{
  config,
  pkgs,
  ...
}: let
  gitoliteCfg = config.services.gitolite;
  domain = "git.${config.customOps.domain.fqdn}";

  # cgit with an upstream dark-mode patch applied. The patch is pinned twice:
  # by commit id in the URL and by content hash, so the build fails rather than
  # silently applying different bytes if the remote ever serves something else.
  cgitPatched = pkgs.cgit.overrideAttrs (prev: {
    patches =
      (prev.patches or [])
      ++ [
        (pkgs.fetchpatch2 {
          url = "https://git.zx2c4.com/cgit/patch/?id=601ba0f25d6d9df488a5a37c7877818ac47966b0";
          sha256 = "sha256-yW54g40Bj2QxUwj4KZUjHMT1JGvVKW7o16NM83XDqsQ=";
        })
      ];
  });
in {
  # SSH private key decrypted by sops-nix into the gitolite user's ~/.ssh.
  # It is owned by the gitolite account and readable by that account only.
  # NOTE(review): cgit below runs as the same "git" user, so the web-facing
  # process can read this key as well — see the note on services.cgit.
  sops.secrets."gitolite-sshkey" = {
    owner = gitoliteCfg.user;
    inherit (gitoliteCfg) group;
    path = "${gitoliteCfg.dataDir}/.ssh/id_ed25519";
    mode = "0600";
  };

  services.gitolite = {
    enable = true;
    user = "git";
    group = "git";
    # The only key allowed to push to gitolite-admin at bootstrap.
    adminPubkey = config.customOps.owner.pubkey;

    # Two settings in this rc widen what a gitolite-admin push can do:
    #   * GIT_CONFIG_KEYS => '.*' lets the admin repo set ANY git config key in
    #     hosted repositories, not just the gitweb/cgit metadata keys.
    #   * LOCAL_CODE under GL_ADMIN_BASE, with 'repo-specific-hooks' enabled,
    #     makes hook code pushed to the admin repo run on this host.
    # Taken together, write access to gitolite-admin should be treated as
    # equivalent to a shell as the "git" user. That is acceptable while the
    # owner's key is the only admin; narrow GIT_CONFIG_KEYS to the keys really
    # used before delegating admin rights to anyone else.
    # UMASK 0027 keeps repositories unreadable by "other"; the 'daemon' and
    # 'gitweb' features presumably drive the export-ok markers and
    # projects.list that cgit consumes below — confirm against gitolite.conf.
    extraGitoliteRc = ''
      %RC = (
        UMASK => 0027,
        GIT_CONFIG_KEYS => '.*',
        LOG_EXTRA => 1,
        LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
        ROLES => {
          READERS => 1,
          WRITERS => 1,
        },
        ENABLE => [
          'help',
          'desc',
          'info',
          'perms',
          'writable',
          'ssh-authkeys',
          'git-config',
          'daemon',
          'gitweb',
          'repo-specific-hooks',
        ],
      );
    '';
  };

  # Pre-create the LOCAL_CODE directory tree so repo-specific hooks have a
  # place to live. No `mode` is given, so systemd-tmpfiles applies its default
  # for `d` entries; set one explicitly if these directories should be as
  # tight as the repositories (UMASK 0027), since they hold executable hooks.
  systemd.tmpfiles.settings."gitolite-local-code" = let
    inherit (gitoliteCfg) user group;
    adminBase = "${gitoliteCfg.dataDir}/.gitolite";
    mkDirRule = suffix: {
      name = "${adminBase}${suffix}";
      value.d = {inherit user group;};
    };
  in
    builtins.listToAttrs (map mkDirRule [
      "/local"
      "/local/hooks"
      "/local/hooks/repo-specific"
    ]);

  # Public web front end.
  # NOTE(review): cgit and its filters run as "git", the account that owns
  # every repository and the SSH key above. A flaw in cgit or in a filter
  # script would therefore reach private repos and the key, not only exported
  # ones. Since UMASK 0027 already leaves repos group-readable, a dedicated
  # cgit user that is merely a member of group "git" looks feasible — verify
  # projects.list and repository permissions before switching.
  services.cgit.${domain} = let
    filterDir = "${cgitPatched}/lib/cgit/filters";
    dataDir = gitoliteCfg.dataDir;
  in {
    enable = true;
    package = cgitPatched;
    user = "git";
    group = "git";

    # Smart-HTTP clones only for repos carrying git-daemon-export-ok.
    gitHttpBackend = {
      enable = true;
      checkExportOkFiles = true;
    };

    scanPath = "${dataDir}/repositories";

    settings = {
      # --- exposure control -------------------------------------------------
      # Same marker file as gitHttpBackend.checkExportOkFiles, so browsing and
      # cloning agree on which repositories are public.
      strict-export = "git-daemon-export-ok";
      project-list = "${dataDir}/projects.list";
      # Reads gitweb.*/cgit.* keys from each repo's config; the values come
      # from gitolite's 'git-config' feature (see GIT_CONFIG_KEYS above).
      enable-git-config = true;

      # --- presentation -----------------------------------------------------
      root-title = domain;
      root-desc = "toufy's project repositories";
      virtual-root = "/";
      clone-url = "https://${domain}/$CGIT_REPO_URL";
      readme = ":README.md";
      remove-suffix = true;
      branch-sort = "age";
      snapshots = "tar.gz zip";
      enable-index-owner = true;
      enable-index-links = true;

      # Filters execute for every matching request on repository content,
      # i.e. on data chosen by whoever can push.
      about-filter = "${filterDir}/about-formatting.sh";
      source-filter = "${filterDir}/syntax-highlighting.py";

      # These views are comparatively expensive to render and are reachable
      # without authentication; consider cgit's response cache (cache-size)
      # or nginx rate limiting if crawlers start to hurt.
      enable-blame = true;
      enable-commit-graph = true;
      enable-log-filecount = true;
      enable-log-linecount = true;

      # --- /plain/ content types --------------------------------------------
      # text/html and image/svg+xml can carry script. enable-html-serving is
      # not set here, and per cgitrc(5) its default keeps the /plain handler
      # from serving browser-active types; leave it off unless every pusher is
      # trusted with script execution on this origin.
      "mimetype.gif" = "image/gif";
      "mimetype.html" = "text/html";
      "mimetype.jpg" = "image/jpeg";
      "mimetype.jpeg" = "image/jpeg";
      "mimetype.pdf" = "application/pdf";
      "mimetype.png" = "image/png";
      "mimetype.svg" = "image/svg+xml";
    };
  };

  # TLS termination: plain HTTP is redirected to HTTPS, the certificate comes
  # from ACME.
  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
  };
}