{
  nixos-lib,
  pkgsUnstable,
  nixpkgs-unstable,
  pkgs,
  extraModules,
  ...
}: let
  sshKeys =
    import ./ssh_keys.nix {inherit pkgs;};

  gitServerDomain = "server";

  gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
    repo CREATOR/[a-zA-Z0-9].*
      C     = @all
      RW+   = CREATOR
      RW    = WRITERS
      R     = READERS
      option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
  '';

  expectedGitoliteConf = pkgs.writeText "expected-gitolite-conf" ''
    repo gitolite-admin
     RW+ = gitolite-admin

    repo testing
     RW+ = @all
    repo CREATOR/[a-zA-Z0-9].*
     C = @all
     RW+ = CREATOR
     RW = WRITERS
     R = READERS
     option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
  '';

  expectedHtmlReadme = pkgs.writeText "expectedHtmlReadme" ''
    <h1>Alice's Repo</h1>
  '';
  expectedMdReadme = pkgs.writeText "expectedMdReadme" ''
    # Alice's Repo
  '';
in
  nixos-lib.runTest {
    hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs

    name = "git-server";

    node = {
      specialArgs = {inherit pkgsUnstable nixpkgs-unstable;};

      # Use the nixpkgs as constructed by the `nixpkgs.*` options
      pkgs = null;
    };

    nodes = {
      server = {config, ...}: {
        imports =
          extraModules
          ++ [
            ../../../../modules/nixos
          ];

        system.activationScripts = {
          gitolite = {
            text = ''
              if ! [ -d /srv/gitolite ]; then
                mkdir --parents /srv/gitolite
                chown -R git:git /srv/gitolite
              fi
            '';
          };
        };

        vhack = {
          openssh.enable = true;
          nginx = {
            enable = true;
            selfsign = true;
          };
          git-server = {
            enable = true;
            domain = gitServerDomain;
            gitolite.adminPubkey = sshKeys.admin.pub;
          };
        };
      };

      client = {...}: {
        environment.systemPackages = [pkgs.git];
        programs.ssh.extraConfig = ''
          Host *
            UserKnownHostsFile /dev/null
            StrictHostKeyChecking no
            # there's nobody around that can input password
            PreferredAuthentications publickey
        '';
        users.users.alice = {isNormalUser = true;};
        users.users.bob = {isNormalUser = true;};
      };
    };

    testScript = {nodes, ...}:
    /*
    python
    */
    ''
      start_all()

      with subtest("can setup ssh keys on client"):
        client.succeed(
            "mkdir -p ~root/.ssh",
            "cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519",
            "chmod 600 ~root/.ssh/id_ed25519",
        )
        client.succeed(
            "sudo -u alice mkdir -p ~alice/.ssh",
            "sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519",
            "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
        )
        client.succeed(
            "sudo -u bob mkdir -p ~bob/.ssh",
            "sudo -u bob cp ${sshKeys.bob.priv} ~bob/.ssh/id_ed25519",
            "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519",
        )

      with subtest("gitolite server starts"):
        server.wait_for_unit("gitolite-init.service")
        server.wait_for_unit("sshd.service")
        client.succeed("ssh -n git@server info")


      with subtest("admin can clone and configure gitolite-admin.git"):
        client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" ''
        set -xe

        git clone git@server:gitolite-admin.git
        git config --global user.name 'System Administrator'
        git config --global user.email root\@domain.example

        cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub
        cp ${sshKeys.bob.pub} gitolite-admin/keydir/bob.pub

        (cd gitolite-admin && git switch -c master && git branch -D main)

        (cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push -u origin master)
        cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf
        (cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push)
        (cd gitolite-admin && git push -d origin main)
      ''}")

        server.succeed("${pkgs.writeShellScript "verify gitolite-admin.conf" ''
        set -xe

        testFile=~git/.gitolite/conf/gitolite.conf.test

        cp ~git/.gitolite/conf/gitolite.conf "$testFile"

        # Normalize the white space
        sed -i 's/\t/ /g' "$testFile"
        sed -i 's/\s\+/ /g' "$testFile"

        diff "$testFile" ${expectedGitoliteConf}
      ''}")


      with subtest("non-admins cannot clone gitolite-admin.git"):
        client.fail("sudo -i -u alice git clone git@server:gitolite-admin.git")
        client.fail("sudo -i -u bob git clone git@server:gitolite-admin.git")

      with subtest("non-admins can clone testing.git"):
        client.succeed("sudo -i -u alice git clone git@server:testing.git")
        client.succeed("sudo -i -u bob git clone git@server:testing.git")


      with subtest("alice can create a repo"):
        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" ''
        set -xe

        mkdir alice-repo && cd alice-repo;

        git init --initial-branch main
        echo "# Alice's Repo" > README.md
        git add README.md
        git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme'

        git remote add origin git@server:alice/alice-project.git
        git push --set-upstream origin main
      ''}")

      with subtest("alice can clone alice-project.git"):
        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-clone-repo" ''
        set -xe

        git clone git@server:alice/alice-project.git
        diff --side-by-side ${expectedMdReadme}  ./alice-project/README.md
      ''}")

      with subtest("bob cannot clone alice-project.git"):
        client.fail("sudo -i -u bob git clone git@server:alice/alice-project.git")

      with subtest("Alice can make her repo public"):
        client.succeed(
            "sudo -u alice ssh git@server perms alice/alice-project + READERS @all",
            "sudo -u alice ssh git@server desc alice/alice-project 'My nice project.'"
        )

      with subtest("Bob can see alice config on cgit"):
        client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-clone-repo" ''
        set -xe

        cd ~bob
        # Disable ssl verification, as the certs are self-signed
        git -c http.sslVerify=false clone https://server/alice/alice-project.git
      ''}")

      with subtest("Alice can change settings in her repo"):
        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-change-settings" ''
        set -xe

        echo 'Hi! You want to work with alice' | ssh git@server motd alice/alice-project set
        ssh git@server config alice/alice-project --add 'cgit.owner' 'alice'
        ssh git@server config alice/alice-project --add 'cgit.section' 'alice'
        ssh git@server config alice/alice-project --add 'cgit.homepage' 'alice'

        owner="$(ssh git@server config alice/alice-project --get-all 'cgit.owner')"
        [ "$owner" = "alice" ] || {
          echo "owner should be alice but is '$owner'!"
          exit 1
        }
      ''}")


      # He can't see the readme (FIXME:  find out why this does not work. <2024-08-13> )
      # with subtest("Bob can see alice's README"):
      #   client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-alice-readme" ''
      #   set -xe
      #
      #   curl --insecure --silent --fail --show-error 'https://server/alice/alice-project/about' > readme.html
      #   cat readme.html
      #   diff --side-by-side ${expectedHtmlReadme}  readme.html
      # ''}")
    '';
  }