{
  self,
  lib,
  ...
}: {
  flake.nixosModules.cgit = {
    config,
    pkgs,
    ...
  }: let
    cfg = config.hostOptions.server;
  in {
    imports = [
      self.nixosModules.hostOptions
      self.nixosModules.nginx
    ];

    users.users.git = {
      isSystemUser = true;
      group = "git";
      home = "${cfg.dataPath}/git";
      createHome = true;
      shell = "${pkgs.git}/bin/git-shell";
      openssh.authorizedKeys.keys = cfg.sshKeys;
    };
    users.groups.git = {};

    services.cgit."git.${cfg.domain}" = {
      enable = true;

      user = "git";
      group = "git";

      scanPath = "${cfg.dataPath}/git";

      settings = {
        enable-index-owner = false;
        enable-commit-graph = 1;
        enable-log-filecount = 1;
        enable-log-linecount = 1;
        clone-url = "https://git.${cfg.domain}/$CGIT_REPO_URL ssh://git@git.${cfg.domain}:${cfg.dataPath}/git/$CGIT_REPO_URL";
        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
        about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
      };

      gitHttpBackend = {
        enable = true;
        checkExportOkFiles = false;
      };
    };

    services.nginx.virtualHosts."git.${cfg.domain}" = {
      enableACME = true;
      forceSSL = true;
    };
  };
}