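# NixOS module: gitolite-based git hosting under the `git` account, with the
# rc tweaks needed for a cgit front end and a default branch of `main`.
# The restic backup of /var/lib/gitolite at the bottom is still disabled.
{ pkgs, ... }:
{
  services.gitolite = {
    enable = true;
    # Public key of the gitolite administrator. With LOCAL_CODE pointing into
    # the admin repo (see below), whoever holds the matching private key can
    # also install code that runs as the `git` user.
    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
    user = "git";
    group = "git";
    extraGitoliteRc = ''
      # Make dirs/files group readable, needed for webserver/cgit. (Default
      # setting is 0077.)
      # With 0027 every member of the `git` group can read every repository
      # on disk, gitolite-admin included; gitolite's own access rules do not
      # apply to direct filesystem reads, so keep that group minimal.
      $RC{UMASK} = 0027;

      # Space-separated list of regexes naming the git config keys that
      # gitolite.conf is allowed to set. Keep it limited to the cgit keys.
      $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';

      # Site-local gitolite code is taken from the `local` directory of the
      # admin repo, so push access to gitolite-admin is equivalent to running
      # code as the `git` user. Grant write access to that repo accordingly.
      $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";

      # Enable gitolite's symbolic-ref command.
      push( @{$RC{ENABLE}}, 'symbolic-ref' );
    '';
  };

  # let's make sure the default branch is `main'.
  # tmpfiles.d columns are: Type Path Mode User Group Age Argument.
  # The mode therefore goes in the third column and the age column is left
  # unset; the previous rule had the two swapped, which left the mode at its
  # default and made tmpfiles read "0644" as an age.
  systemd.tmpfiles.rules = [
    "C /var/lib/gitolite/.gitconfig 0644 git git - ${pkgs.writeText "gitolite-gitconfig" ''
      [init]
        defaultBranch = main
    ''}"
  ];

  # # TODO also rsync the backups to the nas
  # # TODO need the ssh key for the nas for rsync ?
  # age.secrets.restic = {
  #   file = ../../../secrets/restic-backups.age;
  #   owner = "root";
  #   group = "root";
  #   path = "/etc/restic/secret";
  #   mode = "600";
  # };
  # # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
  # services.restic.backups.git = {
  #   passwordFile = "/etc/restic/secret";
  #   repository = "/srv/backups/git";
  #   initialize = true;
  #   paths = [ "/var/lib/gitolite" ];
  #   exclude = [
  #     "/var/lib/gitolite/.bash_history"
  #     "/var/lib/gitolite/.ssh"
  #     "/var/lib/gitolite/.viminfo"
  #   ];
  #   extraBackupArgs = [
  #     "--exclude-caches"
  #     "--compression=max"
  #   ];
  #   timerConfig = {
  #     OnCalendar = "daily";
  #   };
  #   pruneOpts = [
  #     "--keep-daily 7"
  #     "--keep-weekly 4"
  #     "--keep-monthly 3"
  #   ];
  # };
}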