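# NixOS module: public, read-only git hosting.
#   - cgit web UI behind nginx (ACME certificate, HTTPS forced)
#   - clone over HTTPS via git-http-backend (nginx -> fcgiwrap)
#   - clone over git:// via `git daemon` on TCP 9418
# Everything under gitRoot is published (see the export-all settings below),
# so only repositories meant to be public belong in that directory.
{ config, pkgs, ... }:
let
  domain = "git.tonybtw.com";
  gitRoot = "/srv/git";
in
{
  services.cgit.main = {
    enable = true;
    nginx.virtualHost = domain;
    scanPath = gitRoot;
    # The module's built-in HTTP backend is switched off; the clone endpoints
    # are wired up by hand in the nginx location further down.
    gitHttpBackend.enable = false;
    settings = {
      root-title = "Tony's Git";
      root-desc = "Personal git repositories";
      # Both URLs are shown to visitors. git:// has no authentication and no
      # encryption, so a clone over it gets no transport integrity; the HTTPS
      # URL is listed first for that reason.
      clone-url = "https://${domain}/$CGIT_REPO_URL git://${domain}/$CGIT_REPO_URL";
      # Lets a repository's own git config supply per-repo cgit settings.
      # NOTE(review): that makes repo config an input to the web UI; keep it
      # on only while every repository under gitRoot is maintained by a
      # trusted owner.
      enable-git-config = 1;
      enable-index-owner = 0;
      enable-commit-graph = 1;
      enable-log-filecount = 1;
      enable-log-linecount = 1;
      # Filters are external programs cgit runs over repository content.
      # These are the ones shipped inside the cgit package.
      source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
      about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
      readme = ":README.md";
    };
  };

  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    # Only fetch-side paths are routed to git-http-backend. git-receive-pack
    # is not matched, so pushes over HTTP never reach the backend.
    locations."~ ^/([^/]+)/(HEAD|info/refs|objects|git-upload-pack)$" = {
      fastcgiParams = {
        # fcgiwrap executes the program named by SCRIPT_FILENAME; without this
        # the request is not handed to git-http-backend.
        SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
        # Being set (even to an empty string) exports every repository under
        # GIT_PROJECT_ROOT, not only those marked with git-daemon-export-ok.
        GIT_HTTP_EXPORT_ALL = "";
        GIT_PROJECT_ROOT = gitRoot;
        PATH_INFO = "$uri";
      };
      # Use the socket address of the fcgiwrap instance declared below rather
      # than a hard-coded path, so nginx and fcgiwrap cannot drift apart.
      extraConfig = ''
        fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.address};
      '';
    };
  };

  services.fcgiwrap.instances.git = {
    # NOTE(review): the CGI process runs as "git", the account that owns
    # gitRoot (see tmpfiles below). A dedicated account with read-only access
    # would limit what a compromised backend could modify.
    process.user = "git";
    process.group = "git";
    # Socket is owned by the nginx user/group so only nginx can connect.
    socket = { inherit (config.services.nginx) user group; };
  };

  systemd.services.git-daemon = {
    description = "Git daemon";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      # --export-all publishes every repository below the base path. No
      # --enable=receive-pack is given, so the daemon serves fetches only.
      # No --listen is given either, so it is not bound to a single address.
      ExecStart = "${pkgs.git}/bin/git daemon --reuseaddr --base-path=${gitRoot} --export-all --verbose ${gitRoot}";
      # NOTE(review): this network-facing service also runs as the owner of
      # the repositories and has no systemd sandboxing. Consider a read-only
      # service account and options such as NoNewPrivileges/ProtectSystem
      # after confirming the daemon still works with them.
      User = "git";
      Group = "git";
    };
  };

  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = gitRoot;
    # git-shell restricts logins for this account to git commands.
    shell = "${pkgs.git}/bin/git-shell";
  };
  users.groups.git = { };

  # 0755: repository tree is readable by every local user, writable by git only.
  systemd.tmpfiles.rules = [
    "d ${gitRoot} 0755 git git -"
  ];

  # Opens the unauthenticated git:// port on the host firewall.
  networking.firewall.allowedTCPPorts = [ 9418 ];
}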