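# NixOS module: Gitolite hosting for git repositories, stored on a dedicated
# ZFS dataset that sanoid snapshots.
{ pkgs, lib, config, inputs, hostName, ... }:
let
  inherit (config.users) users;
  # Gitolite user named in the 'Shell' feature below, i.e. the one account
  # that gets a real login shell as the service user instead of being
  # confined to gitolite commands.
  gitolite-admin = "julm";
in
{
# Make the gitolite command-line tools available system-wide.
environment.systemPackages = [ pkgs.gitolite ];
services.gitolite = {
  enable = true;
  user   = "git";
  group  = users."git".name;
  # Read at evaluation time from the secrets input. These must stay public
  # keys only: the value presumably ends up in the world-readable Nix store
  # via the gitolite module.
  # NOTE(review): two key files are concatenated into one value, while
  # gitolite normally expects exactly one key per .pub file. Confirm after
  # setup that both keys are really authorised as the admin.
  adminPubkey =
    builtins.readFile (inputs.secrets + "/members/ssh/julm.pub") +
    builtins.readFile (inputs.secrets + "/members/ssh/julm-losurdo.pub");
  # Perl fragment appended to gitolite.rc. Security-relevant settings:
  # - UMASK 0027: new files are unreadable by "other"; the group keeps
  #   read-only access.
  # - LOG_DEST/LOG_FACILITY: activity is logged both to the per-repository
  #   log and to syslog (local0), which leaves an audit trail outside the
  #   directory the service account can write to.
  # - GIT_CONFIG_KEYS '.*': every git config key may be set from
  #   gitolite.conf. Gitolite ships with this empty because some keys make
  #   git run commands, so anyone able to push to gitolite-admin is
  #   effectively trusted with code execution as the service user. The
  #   commented-out 'hooks.* gitweb.*' value is the narrower alternative if
  #   only those keys are needed.
  # - LOCAL_CODE under $HOME rather than inside the gitolite-admin
  #   repository (the commented-out variant): local code and hooks can then
  #   only be changed with filesystem access to the service account, not by
  #   a push. 'repo-specific-hooks' is enabled only when that directory
  #   exists.
  # - 'Shell <admin>': that user's SSH keys give full shell access as the
  #   service user, and therefore to every repository; protect them
  #   accordingly.
  extraGitoliteRc = ''
    $RC{UMASK}           = 0027; # NOTE: no quote around in Perl, so it's octal
    $RC{LOG_DEST}        = 'repo-log,syslog';
    $RC{LOG_FACILITY}    = 'local0';
    #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
    $RC{GIT_CONFIG_KEYS} = '.*';
    #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
    #  if -d "$rc{GL_ADMIN_BASE}/local";
    $RC{LOCAL_CODE} = "$ENV{HOME}/local";
    push(@{$RC{ENABLE}}, ( 'Alias'
                         , 'cgit'
                           # NOTE: without this "cgit" option,
                           # the repositories' "description" files are not modified
                         , 'D'
                         , 'Shell ${gitolite-admin}'
                         , 'create'
                         , 'expand-deny-messages'
                         , 'fork'
                         , 'keysubdirs-as-groups'
                         , 'readme'
                         , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
                         , 'ssh-authkeys-split'
                         ));
  '';
};
# Mount the ZFS dataset <hostName>/var/git at /var/lib/gitolite
# (presumably the gitolite data directory; confirm against
# services.gitolite.dataDir).
fileSystems."/var/lib/gitolite" = {
  device = "${hostName}/var/git";
  fsType = "zfs";
};
# Snapshot that dataset with sanoid, keeping 7 daily snapshots. The "snap"
# template is defined outside this file, so the remaining retention settings
# cannot be checked here.
services.sanoid.datasets."${hostName}/var/git" = {
  use_template = [ "snap" ];
  daily = 7;
};
}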