# NixOS module for a small git + static-site host: a `git` account that owns
# the repositories under /var/git, cgit served by nginx on git.jakezerrer.com,
# and a static site on www.jakezerrer.com. TLS certificates come from ACME.
{ config, modulesPath, lib, pkgs, ... }@args:
{
  imports = [ ./bootstrap.nix ];

  users = {
    # Accounts and groups are taken only from this configuration.
    # No password is declared for `git` in this file, so the authorized key
    # below is the only credential visible here.
    mutableUsers = false;

    users.git = {
      description = "Git repository hosting user";
      # NOTE(review): isNormalUser accounts get the system default login shell
      # unless `shell` is set. If this account is only meant to serve git over
      # SSH, a restricted shell such as "${pkgs.git}/bin/git-shell" would narrow
      # what the key below can do. Confirm how the account is used first.
      isNormalUser = true;
      group = "git";
      home = "/var/git";
      createHome = true;
      # Owner rwx, group r-x, no access for others: repositories are not
      # world-readable on disk, only through members of the `git` group.
      homeMode = "750";
      packages = [ pkgs.git ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPtvI9cG6YLKUWY3R4vg/ky2wAV0izTAkMgWiOS8Tzr him@jakezerrer.com"
      ];
    };

    # Presumably `cgit` is the account the cgit service runs as; group
    # membership is what lets it read the 0750 tree under /var/git.
    # The access granted is read/traverse only (group bits r-x).
    groups.git.members = [ "cgit" ];
  };

  systemd.tmpfiles.rules = [
    # Same mode and ownership as homeMode above.
    "d /var/git 0750 git git -"
    # Recursively resets ownership of everything under /var/git to git:git
    # (mode left untouched), so files created there by another user are
    # handed back to `git`.
    "Z /var/git - git git -"
    # Web root: writable by `git` only, readable by the nginx group and others.
    "d /var/www/html 0755 git nginx -"
  ];

  sops = {
    defaultSopsFile = ./secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    # The age identity is derived from the SSH host key, so that key is also
    # the decryption key for secrets.yaml. Replacing the host key requires
    # re-encrypting the secrets for the new key.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # Nothing is decrypted yet; entries added here land under /run/secrets.
    secrets = { };
  };

  # mkForce makes this exact list win over ports that other modules add to
  # allowedTCPPorts at normal priority, so enabling a service elsewhere does
  # not open its port through this option. 80 stays open for the HTTP->HTTPS
  # redirect and, presumably, ACME HTTP-01 validation.
  # NOTE(review): sshd hardening (e.g. password authentication) is not set in
  # this file. Presumably ./bootstrap.nix covers it; confirm, since 22 is
  # reachable from any address.
  networking.firewall.allowedTCPPorts = lib.mkForce [ 22 80 443 ];

  services = {
    cgit.main = {
      enable = true;
      scanPath = "/var/git";
      nginx = {
        virtualHost = "git.jakezerrer.com";
        location = "/";
      };
      settings = {
        root-title = "jake's git host";
        # cgit reads per-repository settings from each repository's git
        # config, so whoever can write a repository's config also controls
        # how that repository is presented.
        enable-git-config = true;
        # Every file viewed in the browser is piped through this script;
        # it processes repository content, so keep pkgs.cgit (and the
        # highlighter it uses) current.
        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
        enable-index-owner = false;
      };
    };

    nginx = {
      enable = true;
      virtualHosts = {
        # cgit attaches its locations to this vhost (see services.cgit.main).
        "git.jakezerrer.com" = {
          forceSSL = true;
          enableACME = true;
        };

        # Bare domain: redirect everything to the www host.
        "jakezerrer.com" = {
          forceSSL = true;
          enableACME = true;
          globalRedirect = "www.jakezerrer.com";
        };

        # Static site served from the tmpfiles-managed web root.
        "www.jakezerrer.com" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/html";
          locations."/".index = "index.html";
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "him@jakezerrer.com";
  };
}