# NixOS module: gitolite server for this host.
# Enables services.gitolite, mounts a ZFS dataset at /var/lib/gitolite,
# has sanoid snapshot that dataset, and enables git system-wide.
{ pkgs, lib, config, hostName, ... }:
let
  inherit (config.users) users;
  # Name of the user whose SSH keys seed the gitolite admin and who is
  # granted the gitolite "Shell" feature below. This one identity therefore
  # holds both gitolite-admin rights and shell access to the hosting account.
  gitolite-admin = "julm";
in
{
  # Puts the gitolite command-line tools on the system PATH.
  environment.systemPackages = [ pkgs.gitolite ];
  services.gitolite = {
    enable = true;
    # Account and group that own the repositories and receive SSH logins.
    user = "git";
    group = users."git".name;
    # All of the admin's authorized keys, joined one per line.
    # NOTE(review): gitolite's initial setup presumably expects exactly one
    # public key in this value; confirm what happens when the admin has
    # more than one authorized key.
    adminPubkey = lib.concatStringsSep "\n" users.${gitolite-admin}.openssh.authorizedKeys.keys;
    # Perl fragment appended to gitolite's rc. Within this string only
    # ${gitolite-admin} is interpolated by Nix; $RC{...}, $rc{...} and
    # $ENV{...} reach Perl unchanged.
    #
    # Security-relevant settings, in the order they appear:
    # - UMASK 0027: no permissions for "other"; group loses write only.
    # - LOG_DEST / LOG_FACILITY: logs go to the per-repo log and to syslog
    #   under facility local0, so activity can be collected centrally.
    # - GIT_CONFIG_KEYS '.*': every git config key may be set from
    #   gitolite.conf. Some git config keys make git execute commands, so
    #   anyone able to push to gitolite-admin can run code as the hosting
    #   user. The narrower 'hooks.* gitweb.*' is kept commented out above
    #   it; prefer the narrowest regex that covers the keys in actual use.
    # - LOCAL_CODE "$ENV{HOME}/local": local code is read from the hosting
    #   user's home directory rather than from GL_ADMIN_BASE (the
    #   commented-out alternative), so it cannot be changed by pushing to
    #   the admin repository.
    # - 'Shell ${gitolite-admin}': grants that gitolite user a login shell
    #   on the hosting account; a stolen key for that user yields a shell,
    #   not only repository access.
    # - 'repo-specific-hooks' is enabled only if $ENV{HOME}/local exists
    #   when the rc is evaluated.
    # - 'D', 'create' and 'fork' let users delete, create and fork
    #   repositories where gitolite.conf permits; review those rules with
    #   that in mind.
    extraGitoliteRc = ''
      $RC{UMASK} = 0027; # NOTE: no quote around in Perl, so it's octal
      $RC{LOG_DEST} = 'repo-log,syslog';
      $RC{LOG_FACILITY} = 'local0';
      #$RC{GIT_CONFIG_KEYS} = 'hooks.* gitweb.*';
      $RC{GIT_CONFIG_KEYS} = '.*';
      #$RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"
      #  if -d "$rc{GL_ADMIN_BASE}/local";
      $RC{LOCAL_CODE} = "$ENV{HOME}/local";
      push(@{$RC{ENABLE}}, ( 'Alias'
                           , 'cgit'
                             # NOTE: without this "cgit" option,
                             # the repositories' "description" files are not modified
                           , 'D'
                           , 'Shell ${gitolite-admin}'
                           , 'create'
                           , 'expand-deny-messages'
                           , 'fork'
                           , 'keysubdirs-as-groups'
                           , 'readme'
                           , (-d "$ENV{HOME}/local" ? 'repo-specific-hooks' : ())
                           , 'ssh-authkeys-split'
                           ));
    '';
  };
  # Dedicated ZFS dataset mounted at /var/lib/gitolite.
  # NOTE(review): presumably this is the gitolite data directory (dataDir is
  # not set in this file, so the module default applies); confirm.
  fileSystems."/var/lib/gitolite" = {
    device = "${hostName}/var/git";
    fsType = "zfs";
  };
  # Snapshot policy for the same dataset: the "snap" template (defined
  # outside this file) with the daily count set to 7 here.
  services.sanoid.datasets."${hostName}/var/git" = {
    use_template = [ "snap" ];
    daily = 7;
  };
  # System-wide git from the minimal package; new repositories start on
  # branch "main".
  programs.git = {
    enable = true;
    package = pkgs.gitMinimal;
    config = {
      init.defaultBranch = "main";
    };
  };
}