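# NixOS module for a small self-hosted Git server on git.tonybtw.com:
#   * a PHP front end (php-fpm pool "git-btw") behind nginx,
#   * smart-HTTP clone/fetch/push via fcgiwrap + git-http-backend,
#   * anonymous read-only access over git:// (TCP 9418).
{ config, pkgs, ... }:
let
  domain = "git.tonybtw.com";
  # Bare repositories live directly under git_root; it is git-daemon's
  # --base-path and git-http-backend's GIT_PROJECT_ROOT.
  git_root = "/srv/git";
  app_root = "/www/sites/git-btw";
  php_user = "git-btw";
  php_group = "git-btw";
  # htpasswd file consulted for pushes; it must be readable by the nginx
  # worker user. NOTE(review): it sits inside git_root, which git-daemon
  # exports with --export-all. Neither backend serves non-repository files,
  # but keeping it outside the exported tree would be the safer layout.
  htpasswd = "${git_root}/.htpasswd";
  # CGI program fcgiwrap executes for the repository locations. fcgiwrap
  # refuses a request that carries neither SCRIPT_FILENAME nor
  # DOCUMENT_ROOT+SCRIPT_NAME, so this has to be passed explicitly.
  git_http_backend = "${pkgs.git}/libexec/git-core/git-http-backend";
  # FastCGI environment common to both repository locations.
  git_fastcgi_params = {
    SCRIPT_FILENAME = git_http_backend;
    GIT_HTTP_EXPORT_ALL = "";
    GIT_PROJECT_ROOT = git_root;
    PATH_INFO = "$uri";
    # git-http-backend enables receive-pack by default only when the web
    # server reports an authenticated user; empty for anonymous requests.
    REMOTE_USER = "$remote_user";
  };
  # A location that sets any fastcgi_param does not inherit the http-level
  # ones, so the standard parameter set (REQUEST_METHOD, QUERY_STRING,
  # CONTENT_TYPE, ...) is re-included here, mirroring the PHP location.
  git_fastcgi_pass = ''
    include ${pkgs.nginx}/conf/fastcgi_params;
    fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};
  '';
in
{
  services.phpfpm.pools.git-btw = {
    user = php_user;
    group = php_group;
    settings = {
      # The pool socket is owned by nginx so the worker can connect to it.
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "ondemand";
      "pm.max_children" = 8;
      "pm.process_idle_timeout" = "10s";
    };
  };

  # Maps ?service=git-receive-pack to an auth_basic realm and everything else
  # to "off". A push starts with a ref advertisement (GET info/refs) that is
  # otherwise anonymous; git-http-backend refuses it for receive-pack unless
  # REMOTE_USER is set, so that request must be challenged as well.
  services.nginx.appendHttpConfig = ''
    map $arg_service $git_push_realm {
      default off;
      git-receive-pack "git push";
    }
  '';

  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    root = "${app_root}/public";
    index = "index.php";

    # Front-controller routing: paths that are not files go to index.php.
    locations."/" = {
      tryFiles = "$uri $uri/ /index.php?$query_string";
    };

    locations."~ \\.php$" = {
      extraConfig = ''
        # Only hand existing files to PHP; otherwise a request whose path
        # merely ends in .php can reach php-fpm and, with cgi.fix_pathinfo
        # enabled, be resolved to a different file.
        try_files $uri =404;
        fastcgi_pass unix:${config.services.phpfpm.pools.git-btw.socket};
        fastcgi_index index.php;
        include ${pkgs.nginx}/conf/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param GIT_ROOT ${git_root};
      '';
    };

    locations."/css/" = { root = "${app_root}/public"; };
    locations."/js/" = { root = "${app_root}/public"; };

    # Read side of smart HTTP (clone/fetch) plus the ref advertisement.
    # auth_basic is "off" here except when the advertisement is for a push.
    locations."~ ^/([^/]+\\.git)/(HEAD|info/refs|objects|git-upload-pack)$" = {
      fastcgiParams = git_fastcgi_params;
      extraConfig = ''
        auth_basic $git_push_realm;
        auth_basic_user_file ${htpasswd};
      '' + git_fastcgi_pass;
    };

    # Write side of smart HTTP (push): always authenticated.
    locations."~ ^/([^/]+\\.git)/git-receive-pack$" = {
      fastcgiParams = git_fastcgi_params;
      extraConfig = ''
        auth_basic "git push";
        auth_basic_user_file ${htpasswd};
      '' + git_fastcgi_pass;
    };
  };

  # fcgiwrap instance that runs git-http-backend as the repository owner;
  # the socket is owned by the nginx user/group so only the worker reaches it.
  services.fcgiwrap.instances.git = {
    process.user = "git";
    process.group = "git";
    socket = { inherit (config.services.nginx) user group; };
  };

  # Anonymous, read-only git:// access. --export-all publishes every
  # repository under git_root, with no per-repository export marker.
  systemd.services.git-daemon = {
    description = "Git daemon";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.git}/bin/git daemon --reuseaddr --base-path=${git_root} --export-all --verbose ${git_root}";
      User = "git";
      Group = "git";
    };
  };

  # Repository owner; git-shell limits any login to git commands.
  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = git_root;
    shell = "${pkgs.git}/bin/git-shell";
  };
  users.groups.git = { };

  # php-fpm runs as its own user; membership in "git" gives the web app read
  # access to the repositories (git_root is 0755, so not group-writable).
  users.users.${php_user} = {
    isSystemUser = true;
    group = php_group;
    extraGroups = [ "git" ];
  };
  users.groups.${php_group} = { };

  systemd.tmpfiles.rules = [ "d ${git_root} 0755 git git -" ];

  # git:// protocol port used by git-daemon.
  networking.firewall.allowedTCPPorts = [ 9418 ];
}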