diff --git a/host/roam/git.nix b/host/roam/git.nix
index af897c0..5dda083 100644
--- a/host/roam/git.nix
+++ b/host/roam/git.nix
@@ -1,6 +1,48 @@
-{ pkgs, var, ... }:
+{
+ pkgs,
+ var,
+ lib,
+ ...
+}:
 let
 gitpath = "/git";
+ git-config = pkgs.writeText "git-git-config" ''
+ [init]
+ defaultBranch = main
+ '';
+ git-shell-commands = {
+ "create" = ''
+ #!/bin/sh
+ REPO_NAME="$1"
+ if [ -z "$REPO_NAME" ]; then
+ echo "Usage: $0 "
+ exit 1
+ fi
+ REPO_PATH="${gitpath}/$REPO_NAME.git"
+ if [ -d "$REPO_PATH" ]; then
+ echo "Repository '$REPO_NAME' already exists."
+ exit 1
+ fi
+ git init --bare "$REPO_PATH"
+ echo "Created bare repository: $REPO_PATH"
+ '';
+ };
+ git-shell-commands-dir = pkgs.stdenv.mkDerivation {
+ name = "git-shell-commands-dir";
+ version = "0.0.1";
+ src = null;
+ dontUnpack = true;
+ buildPhase = "";
+ installPhase = lib.concatStringsSep "\n" (
+ lib.mapAttrsToList (name: script: ''
+ mkdir -p $out
+ cat <<'EOF' > $out/${name}
+ ${script}
+ EOF
+ chmod +x $out/${name}
+ '') git-shell-commands
+ );
+ };
 in
 {
 programs.git.enable = true;
@@ -14,8 +56,14 @@ in
 shell = "${pkgs.git}/bin/git-shell";
 openssh.authorizedKeys.keys = var.ssh-keys.hd;
 hashedPassword = "!";
+ packages = [ pkgs.git ];
 };
+ systemd.tmpfiles.rules = [
+ "L+ ${gitpath}/git-shell-commands - - - - ${git-shell-commands-dir}"
+ "L+ ${gitpath}/.gitconfig - - - - ${git-config}"
+ ];
+
 services =
 let
 cgit-host = "git.lan";
@@ -26,9 +74,10 @@ in
 };
 cgit."git" = {
 group = "git";
- enable = false; # FIXME: find out what breaks here
+ enable = true;
 scanPath = gitpath;
 nginx.virtualHost = cgit-host;
+ gitHttpBackend.checkExportOkFiles = false;
 };
 };
 }
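Review bot: In the `create` script of the first hunk, `$1` flows into `REPO_PATH="${gitpath}/$REPO_NAME.git"` with only an emptiness check, so a name containing `/` or `..` makes `git init --bare` write outside `${gitpath}`, wherever the git account has write access. git-shell is the only confinement on that account, so the command it exposes should reject such names before building the path, for example `case "$REPO_NAME" in .*|*[!A-Za-z0-9._-]*) echo "invalid repository name" >&2; exit 1 ;; esac` placed right after the usage check. The same check also keeps repository names predictable for the cgit scan of `${gitpath}` configured later in the file.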
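Review bot: The two `L+` entries added to `systemd.tmpfiles.rules` in the second hunk have no comment on their destructive behaviour: `L+` removes whatever already exists at the path before creating the symlink, so a hand-made `${gitpath}/git-shell-commands` directory or `${gitpath}/.gitconfig` is deleted when the rules are applied. A comment above the list such as `# L+ replaces any existing file/dir at these paths; both targets are read-only store paths, change them in this file` would record that. Whether `${gitpath}` is the git user's home is set outside this hunk, so confirm that this is where git-shell looks for `git-shell-commands`.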
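Review bot: `gitHttpBackend.checkExportOkFiles = false` on `cgit."git"` in the third hunk turns off the per-repository `git-daemon-export-ok` opt-in, so every repository under `scanPath`, including any created later through the `create` command, becomes clonable over HTTP by whoever can reach the `git.lan` virtual host, and the SSH key list no longer restricts read access. If that is intended, say so next to the option, e.g. `# all repos under ${gitpath} are served over HTTP without auth; keep git.lan LAN-only`; otherwise leave the check on and mark public repositories explicitly. The removed `# FIXME: find out what breaks here` also leaves no record of what was wrong, so a short note on the cause would help the next reader. How the nginx virtual host is exposed is not visible in this hunk.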