{ self, ... }:
{

  flake.machines.tharos =
    let
      path = "/git/infra";
    in
    {
      nixos =
        {
          config,
          pkgs,
          lib,
          ...
        }:
        let
          cgit = config.services.cgit.infra.nginx.virtualHost;
          nginx = lib.head config.services.nginx.virtualHosts.${cgit}.listen;
        in
        {
          users.groups.git = { };
          users.users = lib.mapAttrs (_: _': { extraGroups = [ "git" ]; }) self.keys;
          environment.systemPackages = with pkgs; [ git ];

          systemd.services.init-git-repos = {
            wantedBy = [ "multi-user.target" ];
            before = [ "cgit.service" ];

            serviceConfig = {
              Type = "oneshot";
              RemainAfterExit = true;
            };

            script = ''
              if [ ! -f ${path} ]; then
                ${lib.getExe pkgs.git} init --shared=group --bare ${path}
              fi
            '';
          };

          systemd.tmpfiles.rules = [
            "d ${path} 2775 root git -"
          ];

          services.cgit.infra = rec {
            enable = true;
            nginx.virtualHost = "git.${self.domain}";
            repos.infra = {
              desc = "Quellcode für die technische Infrastruktur des Stadtteilbeirats Heimfeld";
              inherit path;
              clone-url = "https://${nginx.virtualHost}/$CGIT_REPO_URL ssh://${self.domain}${path}";
            };
            settings = {
              about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
              readme = ":README.md";
              enable-commit-graph = true;
            };
          };
          services.nginx.virtualHosts.${cgit}.listen = [
            {
              addr = "127.0.0.1";
              port = 8083;
            }
          ];
          services.caddy.virtualHosts.${cgit}.extraConfig = ''
            reverse_proxy localhost:${toString nginx.port}
          '';
        };
      vm =
        {
          config,
          lib,
          ...
        }:
        let
          httpPort = 700;
          cgit = config.services.cgit.infra.nginx.virtualHost;
        in
        {
          services.cgit.infra = {
            nginx.virtualHost = lib.mkForce "git.localhost";

            repos.infra.clone-url = lib.mkForce "http://${cgit}:${
              with config.virtualisation; toString (portOffset + exposedPorts.http.port)
            }/$CGIT_REPO_URL ssh://localhost:${
              toString (config.virtualisation.portOffset + lib.head config.services.openssh.ports)
            }${path}";
          };

          services.caddy.virtualHosts = {
            "http://${cgit}:${toString config.virtualisation.exposedPorts.http.port}".extraConfig =
              config.services.caddy.virtualHosts.${cgit}.extraConfig;
          };
          services.getty.helpLine = lib.mkBefore ''
            cgit: http://${cgit}:${with config.virtualisation; toString (portOffset + exposedPorts.http.port)}
          '';
        };
    };
}