{pkgs, config, ...}:

let
  cgitconf = ''
    source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
    about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
    cache-size=1000
    logo=/git/cgit.png
    favicon=/git/favicon.ico
    virtual-root=/git

    # take css from an assumed repo `config`
    css=/git/config/plain/cgit.css

    # remove .git extensions from repo names
    remove-suffix=1

    # readme formats which may be parsed
    readme=:README.md
    readme=:README
    readme=:README.txt
    readme=:README.org

    enable-follow-links=1
    enable-html-serving=1
    enable-index-owner=0

    mimetype.css=text/css
    mimetype.jpg=image/jpeg
    mimetype.jpeg=image/jpeg
    mimetype.pdf=application/pdf
    mimetype.png=image/png
    mimetype.svg=image/svg+xml

    # some nice formatting
    root-title=An Assortment of Stuff
    root-desc=hand-squished into git repos
    enable-commit-graph=1
    enable-log-linecount=1
    enable-log-filecount=1
    branch-sort=age
    # suppress email addresses in html logs
    noplainemail=1

    # maximum file size for plain blobs in kilobyte
    max-blob-size=100

    cache-scanrc-ttl=1

    defbranch=main
    scan-path=/var/git/public

    section=Forks
    clone-url=https://stuebinm.eu/git/forks/$CGIT_REPO_URL
    scan-path=/var/git/forks
  '';

  cgit = pkgs.cgit.overrideAttrs (old: {
    patches = [ ./0001-main-instead-of-master-branch.patch ];
  });
in
{
  services.fcgiwrap = {
    user = "git";
    group = "users";
    enable = true;
  };

  services.nginx.virtualHosts."stuebinm.eu" = {
    enableACME = true;
    forceSSL = true;

    locations."~ /git(/.*)".extraConfig = ''
      fastcgi_pass  unix:${config.services.fcgiwrap.socketAddress};
      include       ${pkgs.nginx}/conf/fastcgi_params;
      fastcgi_param SCRIPT_FILENAME     ${cgit}/cgit/cgit.cgi;
      fastcgi_param CGIT_CONFIG     ${pkgs.writeText "cgit.conf" cgitconf};
      fastcgi_param PATH_INFO           $1;
    '';

    locations."~ /git(/[^/]*/(info/refs|git-(upload|receive)-pack|objects/info/packs))" = {
      extraConfig = ''
        fastcgi_pass  unix:${config.services.fcgiwrap.socketAddress};
        include       ${pkgs.nginx}/conf/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME     ${pkgs.git}/bin/git-http-backend;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT    /var/git/public;
        fastcgi_param PATH_INFO           $1;
      '';
    };

    locations."~ /git/forks(/.*/(info/refs|git-(upload|receive)-pack|objects/info/packs))" = {
      extraConfig = ''
        fastcgi_pass  unix:${config.services.fcgiwrap.socketAddress};
        include       ${pkgs.nginx}/conf/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME     ${pkgs.git}/bin/git-http-backend;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT    /var/git/forks;
        fastcgi_param PATH_INFO           $1;
      '';
    };
  };

  # user for git repo administration
  users.users.git = {
    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
    home = "/var/git";
    isNormalUser = true;
    packages = [ pkgs.git ];
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

}