{ pkgs, ... }:
{
  groups.git = { };
  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = "/var/lib/git-server";
    createHome = true;
    shell = "${pkgs.git}/bin/git-shell";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDXt8vkpi9jOp9dCjoS8u0dC4fDdgb73w8z7VNI42FB did:web:vt3e.cat"
    ];
  };

  services.openssh.extraConfig = ''
    Match user git
      AllowTcpForwarding no
      AllowAgentForwarding no
      PasswordAuthentication no
      PermitTTY no
      X11Forwarding no
  '';
}