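# NixOS module: runs cgit (served by lighttpd) together with an sshd for
# git-over-SSH inside a declarative NixOS container on a private network.
#
# Module arguments:
#   userDetails.sshPublicKeys - keys authorised to log in as the `git` user.
{
  lib,
  pkgs,
  config,
  userDetails,
  ...
}:
let
  cfg = config.cgit;
in
{
  options = {
    cgit = {
      # mkEnableOption prefixes its argument with "Whether to enable ", so the
      # argument is a noun phrase rather than a sentence.
      enable = lib.mkEnableOption "cgit service";

      hostAddress = lib.mkOption {
        type = lib.types.str;
        description = "hostAddress for the container";
        default = "10.0.1.1";
      };

      localAddress = lib.mkOption {
        type = lib.types.str;
        description = "localAddress for the container";
        default = "10.0.1.2";
      };

      # rootTitle and rootDesc are interpolated into the cgitrc without
      # escaping; a value containing a newline would become an additional
      # cgitrc line, so keep them single-line.
      rootTitle = lib.mkOption {
        type = lib.types.str;
        description = "cgit site title";
        default = "";
      };

      rootDesc = lib.mkOption {
        type = lib.types.str;
        description = "cgit site description";
        default = "";
      };

      # Appended after scan-path in the generated cgitrc (see configText
      # below), i.e. after the point where repositories are scanned.
      extraConfig = lib.mkOption {
        type = lib.types.str;
        description = "cgitrc lines inserted verbatim at the end";
        default = "";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Configure cgit container
    containers.cgit = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = cfg.hostAddress;
      localAddress = cfg.localAddress;

      # Values handed to the container's module as extra arguments.
      specialArgs = {
        authorizedKeys = userDetails.sshPublicKeys;
        cgitrc = {
          inherit (cfg) rootTitle rootDesc extraConfig;
        };
      };

      # NOTE: this inner module does not take `pkgs`; every `pkgs.*` reference
      # below resolves to the outer (host) module's package set.
      config =
        {
          lib,
          config,
          authorizedKeys,
          cgitrc,
          ...
        }:
        {
          # Create git user for ssh access
          users.users.git = {
            isNormalUser = true;
            home = "/srv/git"; # Serve from git user's home to allow cloning git@cgit:repo
            group = "git";
            createHome = true;
            homeMode = "750"; # Allow read permissions for group members
            # A full bash login shell: every key in authorizedKeys gets an
            # interactive shell in the container, not only git transport.
            # Restricting this to git-shell would also remove shell-based
            # repository management, so it is left as the author set it.
            shell = pkgs.bash;
            openssh.authorizedKeys.keys = authorizedKeys;
          };

          # Create the git group and add lighttpd user as a member so /srv/git
          # can be served by cgit. Together with homeMode 750 this gives the
          # web server read access to everything under /srv/git.
          users.groups.git.members = [ "lighttpd" ];

          # Enable git
          programs.git.enable = true;

          # Enable ssh service. Access is meant to be key-only (authorizedKeys
          # above), so password and keyboard-interactive logins are switched
          # off to remove the guessing surface on the exposed port 22.
          services.openssh = {
            enable = true;
            settings = {
              PasswordAuthentication = false;
              KbdInteractiveAuthentication = false;
            };
          };

          # Enable cgit service
          services.lighttpd.enable = true;
          services.lighttpd.cgit = {
            enable = true;
            #subdir = ""; # FIXME this does not work for some reason

            # Review notes on the cgitrc below:
            #  - source-filter/about-filter make cgit run external filter
            #    scripts over repository content when rendering pages.
            #  - enable-git-config=1 lets cgit take repo-specific settings from
            #    each scanned repository's git config (see cgitrc(5)), so
            #    whoever can edit a repository's config under /srv/git also
            #    influences how cgit presents that repository.
            #  - scan-path=/srv/git scans the git user's whole home directory.
            configText = ''
              # Based on joseluisq/alpine-cgit
              root-title=${cgitrc.rootTitle}
              root-desc=${cgitrc.rootDesc}
              source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
              about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
              readme=:README.md
              readme=:README.html
              readme=:README.txt
              readme=:README
              readme=:INSTALL.md
              readme=:INSTALL.html
              readme=:INSTALL.txt
              readme=:INSTALL
              # Cache
              #cache-root=/var/cache/cgit
              #cache-size=2000
              enable-index-links=1
              enable-index-owner=0
              enable-remote-branches=1
              enable-log-filecount=1
              enable-log-linecount=1
              enable-git-config=1
              snapshots=tar.xz zip
              robots=noindex, nofollow
              virtual-root=/cgit
              section-from-path=0
              max-repo-count=100
              scan-path=/srv/git
              # extra config
              ${cgitrc.extraConfig}
            '';
          };

          # Networking, etc.
          # 80 = lighttpd/cgit over plain HTTP (no TLS is configured in this
          # module), 22 = sshd for git over SSH.
          networking.firewall.allowedTCPPorts = [
            80
            22
          ];
          networking.hostName = "cgit";
          system.stateVersion = "25.05";
        };
    };
  };
}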