{pkgs, ...}: let
  deploy_hook = pkgs.writeShellScript "post-receive-deploy" ''
    REPO=$(basename $(pwd) .git)
    SITE=/www/sites/$REPO

    if [ -d "$SITE" ]; then
        GIT_WORK_TREE=$SITE git checkout -f
        echo "deployed $REPO → $SITE"
    else
        echo "no deploy target for $REPO (no $SITE directory)"
    fi
  '';
in {
  systemd.tmpfiles.rules = [
    "d /www/sites 0755 root root -"
    "L+ /srv/git/.deploy-hook - - - - ${deploy_hook}"
  ];

  environment.systemPackages = [
    (pkgs.writeShellScriptBin "git-enable-deploy" ''
      if [ -z "$1" ]; then
        echo "usage: git-enable-deploy <repo.git>"
        exit 1
      fi
      REPO="/srv/git/$1"
      if [ ! -d "$REPO" ]; then
        echo "repo not found: $REPO"
        exit 1
      fi
      ln -sf /srv/git/.deploy-hook "$REPO/hooks/post-receive"
      chmod +x "$REPO/hooks/post-receive"
      echo "enabled deploy hook for $1"
    '')
  ];
}