{ pkgs, ps-cgit, ... }: {
  boot.isContainer = true;

  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  system.stateVersion = "26.05";
  environment.systemPackages = with pkgs; [ gdb rr file ];

  networking.useDHCP = false;
  networking.firewall.allowedTCPPorts = [ 22 80 1234 ];

  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [ "${builtins.readFile "/home/ps/.ssh/id_ed25519.pub"}" ];

  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = "/srv/git";
    createHome = true;
    # homeMode = "750";
    shell = "${pkgs.git}/bin/git-shell";
    openssh.authorizedKeys.keys = [ "${builtins.readFile "/home/ps/.ssh/id_ed25519.pub"}" ];
    packages = [ pkgs.git ];
  };
  users.groups.git = {};

  services.fcgiwrap.instances.cgit = {
    process.user = "git";
    process.group = "root";
    socket.user = "caddy";
    socket.group = "caddy";
  };

  services.caddy.enable = true;
  services.caddy.extraConfig = ''
  http://ps-cgit {
    rewrite /git /git/
    handle_path /git/* {
      handle_path /static/* {
        file_server {
          root ${ps-cgit}/cgit
        }
      }
      handle {
        reverse_proxy unix//run/fcgiwrap-cgit.sock {
          transport fastcgi {
            read_timeout 1h
            env CGIT_CONFIG ${pkgs.writeText "cgitrc" ''
              snapshots=tar tar.gz zip
              enable-git-config=1
              enable-index-owner=0
              enable-log-filecount=1
              enable-log-linecount=1
              section-from-path=1
              virtual-root=/git
              css=/git/static/cgit.css
              logo=/git/static/cgit.png
              favicon=/git/static/favicon.ico
              module-link=/git/%s/commit/?id=%s
              clone-url=https://$HTTP_HOST/git/$CGIT_REPO_URL git://$HTTP_HOST/$CGIT_REPO_URL git@$HTTP_HOST:$CGIT_REPO_URL
              noplainemail=1
              repository-sort=age
              about-filter=${pkgs.writeShellScript "markdown-filter" ''
                echo '<div class="markdown-body">'
                ${pkgs.md4c}/bin/md2html --github --ftables
                echo '</div>'
              ''}
              # source-filter=${ps-cgit}/lib/cgit/filters/syntax-highlighting.py
              head-include=${ps-cgit}/cgit/cgithub/head-include.html
              footer=${ps-cgit}/cgit/cgithub/footer.html
              readme=:readme.md
              readme=:readme
              root-readme=${pkgs.writeText "readme.md" ''
                # my git repos
              ''}
              scan-path=/srv/git
            ''}
            env SCRIPT_FILENAME ${ps-cgit}/cgit/cgit.cgi
          }
        }
      }
    }
  }
  '';
}