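# NixOS module: a read-only cgit frontend in a private-network container,
# published by the host's nginx under https://stuebinm.eu/git/.
#
# The file is laid out one statement per line so that each `#` comment ends at
# its own line, both in the Nix code and inside the cgitrc text below.
{pkgs, config, ...}:

{
  containers.cgit = {
    autoStart = true;

    # The container gets its own network namespace and is reachable only via
    # this host<->container address pair.
    privateNetwork = true;
    hostAddress6 = "fd00::42:12";
    localAddress6 = "fd00::42:13";

    # Repositories are mounted read-only, so the web-facing container cannot
    # modify them.
    bindMounts."/git" = {
      hostPath = "/var/git/public";
      isReadOnly = true;
    };
    bindMounts."/forks" = {
      hostPath = "/var/git/forks";
      isReadOnly = true;
    };

    config = {pkgs, config, ...}: {
      services.lighttpd.enable = true;
      services.lighttpd.extraConfig = ''server.use-ipv6 = "enable"'';

      services.lighttpd.cgit = {
        enable = true;
        # presumably chosen to match the nginx location "/git/" below
        subdir = "git";

        # NOTE(review): `enable-html-serving=1` lets cgit's /plain handler
        # send repository files with mimetypes the browser renders as active
        # content (HTML, and the SVG type mapped below). Because nginx
        # publishes this under stuebinm.eu/git/, such files run in the
        # stuebinm.eu origin. If anything under /git or /forks can contain
        # content you did not write, consider a dedicated hostname for cgit or
        # switching the flag off. The theme CSS is itself loaded through
        # /plain (css=/git/config/plain/cgit.css), so check that it still
        # loads before changing this.
        configText = ''
          source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
          about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
          cache-size=1000
          logo=/git/cgit.png
          favicon=/git/favicon.ico
          # take css from an assumed repo `config`
          css=/git/config/plain/cgit.css
          # remove .git extensions from repo names
          remove-suffix=1
          # readme formats which may be parsed
          readme=:README.md
          readme=:README
          readme=:README.txt
          readme=:README.org
          # allow cloning repos
          enable-http-clone=1
          enable-follow-links=1
          enable-html-serving=1
          enable-index-owner=0
          mimetype.css=text/css
          mimetype.jpg=image/jpeg
          mimetype.jpeg=image/jpeg
          mimetype.pdf=application/pdf
          mimetype.png=image/png
          mimetype.svg=image/svg+xml
          # some nice formatting
          root-title=An Assortment of Stuff
          root-desc=hand-squished into git repos
          enable-commit-graph=1
          enable-log-linecount=1
          enable-log-filecount=1
          branch-sort=age
          # suppress email addresses in html logs
          noplainemail=1
          # maximum file size for plain blobs in kilobyte
          max-blob-size=100
          cache-scanrc-ttl=1
          scan-path=/git
          section=Forks
          scan-path=/forks
        '';
      };

      # Container-side firewall: only lighttpd's HTTP port is opened.
      networking.firewall.allowedTCPPorts = [ 80 ];
    };
  };

  services.nginx.recommendedProxySettings = true;
  services.nginx.virtualHosts."stuebinm.eu" = {
    # TLS ends at nginx; the hop to the container is plain HTTP over the
    # private address pair configured above.
    locations."/git/".proxyPass = "http://[${config.containers.cgit.localAddress6}]";
    enableACME = true;
    forceSSL = true;
  };

  # user for git repo administration
  # NOTE(review): this account accepts exactly the SSH keys that root accepts,
  # so a key that is compromised or revoked for one affects both; confirm
  # that sharing the key list is intended.
  users.users.git = {
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
    home = "/var/git";
    isNormalUser = true;
    packages = [ pkgs.git ];
  };

  # Host-side firewall: HTTP and HTTPS for nginx.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}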