# NixOS module for a single-purpose git host: a `git` account reachable over
# SSH, gitweb published through nginx with an ACME certificate, and sops-nix
# wired to the machine's SSH host key.
{ config, modulesPath, lib, pkgs, ... }@args:
{
  imports = [ ./bootstrap.nix ];

  users = {
    # Accounts are defined only by this configuration.
    mutableUsers = false;

    users.git = {
      description = "Git repository hosting user";
      isNormalUser = true;
      home = "/var/git";
      createHome = true;
      packages = [ pkgs.git ];
      # NOTE(review): no `shell` is set here, so this key holder gets whatever
      # login shell the system default provides. If the key is only meant for
      # push/pull, restricting the account to git-shell would narrow what a
      # stolen key can do. Confirm against how repositories are administered.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPtvI9cG6YLKUWY3R4vg/ky2wAV0izTAkMgWiOS8Tzr him@jakezerrer.com"
      ];
    };
  };

  # sops-nix: the age identity is taken from the SSH host key, so read access
  # to that key file is equivalent to read access to every secret encrypted
  # for this host. No secrets are declared in this file yet.
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.defaultSopsFormat = "yaml";
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.secrets = { };

  # mkForce overrides the port lists other modules contribute at normal
  # priority, so exactly SSH, HTTP and HTTPS are opened. A service enabled
  # later will NOT get its port opened implicitly and must be added here.
  # NOTE(review): sshd settings are not visible in this file; presumably they
  # come from ./bootstrap.nix. Verify password authentication is disabled
  # there, since port 22 is reachable.
  networking.firewall.allowedTCPPorts = lib.mkForce [ 22 80 443 ];

  services = {
    gitweb = {
      # Same directory as the git account's home: every repository gitweb
      # finds below it is listed. Nothing in this file puts authentication in
      # front of the virtual host. Confirm all repositories are meant to be
      # public.
      projectroot = "/var/git";
      # Perl appended to gitweb's configuration: site title, syntax
      # highlighting enabled by default, description column width.
      extraConfig = '' $site_name = "jake's git host"; $feature{'highlight'}{'default'} = [1]; $projects_list_description_width = 50; '';
    };

    nginx = {
      enable = true;

      gitweb = {
        enable = true;
        # Empty location: gitweb is served from the root of the virtual host.
        location = "";
        virtualHost = "git.jakezerrer.com";
        # NOTE(review): the CGI runs as the same account that owns and writes
        # the repositories. A dedicated account with read-only access to
        # /var/git would limit the impact of a flaw in gitweb. Confirm whether
        # write access is actually required.
        user = "git";
        group = "nginx";
      };

      virtualHosts."git.jakezerrer.com" = {
        # Certificate is requested through ACME and plain HTTP is redirected
        # to HTTPS; port 80 stays open in the firewall for both.
        enableACME = true;
        forceSSL = true;
      };
    };
  };

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "him@jakezerrer.com";

  # UMask 0007: what the gitweb service creates is accessible to its user and
  # group and closed to everyone else. Presumably this is what lets nginx
  # (group "nginx") reach the service's socket. TODO confirm.
  systemd.services.gitweb.serviceConfig.UMask = "0007";
}