{ appConfig, lib, pkgs, ... }:
{
  users.users.git.home = "/var/lib/git";
  users.users.git.createHome = true;
  users.users.git.shell = "${pkgs.git}/bin/git-shell";
  users.users.git.openssh.authorizedKeys.keyFiles =
    lib.optionals (appConfig.users != null) (lib.concatLists (lib.mapAttrsToList
      (name: attrs: attrs.publicKeyFiles)
      appConfig.users));

  bindMounts."/var/lib/git".isReadOnly = false;

  systemd.services."ensure-git-repositories".wantedBy = [ "multi-user.target" ];
  systemd.services."ensure-git-repositories".script = "${pkgs.writers.writeDashBin "ensure-git-repositories" ''
    set -efu
    ${lib.concatLines (lib.mapAttrsToList (name: _: ''
      test -e /var/lib/git/${lib.escapeShellArg name} || \
        ${pkgs.git}/bin/git init --bare /var/lib/git/${lib.escapeShellArg name}
    '') appConfig.repositories)}
  ''}/bin/ensure-git-repositories";
  systemd.services."ensure-git-repositories".serviceConfig.User = "git";
  systemd.services."ensure-git-repositories".serviceConfig.Group = "nogroup";
}