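# Git module.
#
# Client half: places the configuration files of the glab, gh and hut CLIs
# as managed secrets. Server half: publishes the gitolite repositories
# through cgit, served by nginx via fcgiwrap.
{ config, lib, inputs, pkgs, ... }:
with lib;
let
  cfg = config.nixfiles.modules.git;
in
{
  options.nixfiles.modules.git.server = {
    enable = mkEnableOption "Git server";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      # NOTE(review): the type admits null, but the value is used below as a
      # virtualHosts attribute name, where null cannot work. Confirm whether
      # plain `str` was intended.
      type = with types; nullOr str;
      default = "git.${config.networking.domain}";
    };

    package = mkOption {
      description = "Package.";
      type = types.package;
      default = pkgs.cgit-pink;
    };
  };

  config = mkMerge [
    (mkIf cfg.client.enable {
      # Presumably these hold forge API credentials (TODO confirm). No mode
      # is set here, so file permissions are whatever the secrets module
      # defaults to; verify that default is owner-only.
      # `my` is not bound in this file; presumably it arrives via `with lib;`.
      secrets = {
        glab-cli-config = {
          file = "${inputs.self}/secrets/glab-cli-config";
          path = "${config.dirs.config}/glab-cli/config.yml";
          owner = my.username;
          inherit (config.my) group;
        };

        gh-hosts = {
          file = "${inputs.self}/secrets/gh-hosts";
          path = "${config.dirs.config}/gh/hosts.yml";
          owner = my.username;
          inherit (config.my) group;
        };

        hut = {
          file = "${inputs.self}/secrets/hut";
          path = "${config.dirs.config}/hut/config";
          owner = my.username;
          inherit (config.my) group;
        };
      };
    })

    (mkIf cfg.server.enable {
      nixfiles.modules.nginx = {
        enable = true;
        virtualHosts.${cfg.server.domain} = {
          locations = {
            "/".extraConfig =
              let
                # cgit runtime configuration.
                #
                # NOTE(review): scan-path publishes every repository found
                # under gitolite's repositories directory, and the CGI runs
                # as the gitolite user, so gitolite's per-repository read
                # rules are not applied to web visitors. That normally
                # includes gitolite-admin and any repository meant to be
                # private. If that is not intended, restrict the listing
                # with cgit's `project-list` or `strict-export` settings,
                # placed before scan-path.
                #
                # NOTE(review): enable-git-config=1 lets a repository's own
                # git config override cgit settings for that repository;
                # keep it only if everyone who can set repository config is
                # trusted.
                #
                # scan-path stays last: cgit applies only the settings that
                # precede it to the repositories it scans.
                cgitrc = pkgs.writeText "cgitrc" ''
                  root-title=azahi’s git stuff
                  root-desc=鯛も一人はうまからず
                  about-filter=${cfg.server.package}/lib/cgit/filters/about-formatting.sh
                  source-filter=${cfg.server.package}/lib/cgit/filters/syntax-highlighting.py
                  commit-filter=${cfg.server.package}/lib/cgit/filters/commit-links.sh
                  enable-git-config=1
                  enable-gitweb-owner=1
                  remove-suffix=1
                  snapshots=tar.gz tar.bz2 zip
                  readme=:README
                  readme=:README.md
                  readme=:README.org
                  readme=:README.txt
                  readme=:readme
                  readme=:readme.md
                  readme=:readme.org
                  readme=:readme.txt
                  scan-path=${config.services.gitolite.dataDir}/repositories
                '';
              in
              # HTTP_HOST is set from nginx's $server_name instead of the
              # client-supplied Host header, so cgit never sees a
              # request-controlled host name.
              ''
                include ${config.services.nginx.package}/conf/fastcgi_params;
                fastcgi_split_path_info ^(/?)(.+)$;
                fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
                fastcgi_param SCRIPT_FILENAME ${cfg.server.package}/cgit/cgit.cgi;
                fastcgi_param CGIT_CONFIG ${cgitrc};
                fastcgi_param PATH_INFO $uri;
                fastcgi_param QUERY_STRING $args;
                fastcgi_param HTTP_HOST $server_name;
              '';

            # Static assets shipped inside the cgit package.
            #
            # The dot before the extension is escaped so that it matches
            # only a literal ".". Unescaped, it matched any character, so
            # paths merely ending in "ico", "css" or "png" were routed here
            # too.
            #
            # FIXME This breaks sources previewing for these files.
            # The pattern still captures any path with one of these
            # extensions, including files inside repositories. Pinning it to
            # the exact asset names found under ${package}/cgit would fix
            # the preview problem and narrow what this alias can serve.
            "~* ^/(.+\\.(ico|css|png))$".extraConfig = ''
              alias ${cfg.server.package}/cgit/$1;
            '';
          };
        };
      };

      services =
        let
          user = "git";
          group = "git";
        in
        {
          gitolite = {
            # TODO Make the configuration purely declarative.
            enable = true;
            inherit user group;
            adminPubkey = my.ssh.key;
          };

          # NOTE(review): fcgiwrap, and therefore cgit and its filter
          # scripts, runs under the same account as gitolite. cgit only
          # needs to read repositories; under this account a fault in the
          # web-facing CGI has write access to every repository and to
          # gitolite's own state. Consider a dedicated account with
          # read-only group access to the repositories directory.
          fcgiwrap = {
            enable = true;
            inherit user group;
          };
        };
    })
  ];
}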