{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/release-22.05";
    flake-utils.url = "github:numtide/flake-utils/master";

    rust-overlay = {
      url = "github:oxalica/rust-overlay/master";

      inputs = {
        flake-utils.follows = "flake-utils";
        nixpkgs.follows = "nixpkgs";
      };
    };

    naersk = {
      url = "github:nmattia/naersk/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  description = "thulani discord bot";

  outputs = {
    self,
    nixpkgs,
    flake-utils,
    ...
  } @ inputs: let
    buildToolchain = pkgs: pkgs.rust-bin.nightly."2022-11-20".minimal;
    deps = pkgs: with pkgs; [
      openssl
      pkgconfig
      libopus
      postgresql
    ];

    mkPkg = pkgs: let
      buildToolchain = buildToolchain pkgs;

      naersk = pkgs.callPackage inputs.naersk {
        cargo = buildToolchain;
        rustc = buildToolchain;
      };

      inherit (pkgs) lib;

    in naersk.buildPackage {
      pname = "thulani";
      version = self.rev or "dirty";

      src = lib.cleanSource ./.;

      nativeBuildInputs = deps pkgs;
      remapPathPrefix = true;
    };

  in (flake-utils.lib.eachDefaultSystem (system:
    let
      pkgs = import nixpkgs {
        inherit system;

        overlays = [
          (import inputs.rust-overlay)
        ];
      };

      devToolchain = (buildToolchain pkgs).override {
        extensions = [
          "rust-src"
          "rust-analyzer"
          "clippy"
          "rust-docs"
          "rustfmt"
        ];
      };

      pkg = mkPkg pkgs;

    in {
      devShells.default = pkgs.mkShell {
        buildInputs = (with pkgs; [
          devToolchain
        ]) ++ (deps pkgs);

        RUST_SRC_PATH = "${devToolchain}/lib/rustlib/src/rust";
      };

      packages.default = pkg;
      apps.default = {
        type = "app";
        program = "${pkg}/bin/thulani";
      };

    }) // {
      overlays.default = final: prev: let
        withRust = (import inputs.rust-overlay) final prev;
      in {
        thulani = mkPkg withRust;
      };

      nixosModules.default = { pkgs, lib, config, ... }: let
        cfg = config.services.thulani;
      in {
        options.services.thulani = with lib; with lib.types; {
          enable = mkEnableOption "thulani";

          package = mkOption {
            description = "thulani derivation to use";
            type = package;
            default = pkgs.thulani;
          };

          environment = mkOption {
            description = "literal environment to include";
            type = attrsOf str;
            default = {};
          };

          envFiles = mkOption {
            description = "environment files to include";
            type = listOf path;
            default = [];
          };

          user = mkOption {
            description = "user to run service as";
            type = str;
            default = "thulani";
          };

          group = mkOption {
            description = "group to run service as";
            type = str;
            default = "thulani";
          };

          postgres = mkOption {
            description = "local postgres server with automatic setup";

            type = sumodule {
              enable = mkEnableOption "postgres";

              db = mkOption {
                description = "db name";
                type = str;
                default = "memes";
              };
            };
          };
        };

        config = lib.mkIf cfg.enable {
          systemd.services.thulani = {
            description = "thulani bot";

            wantedBy = [
              "multi-user.target"
            ];

            bindsTo = [
              "network-online.target"
            ];

            after = [
              "network-online.target"
            ];

            preStart = lib.mkIf (cfg.postgres.enable) (let
              invokePsql = "${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${config.services.postgresql.package}/bin/psql";

            in ''
              ${invokePsql} <<EOF
              DO $$
              BEGIN
              CREATE ROLE ${cfg.user};
              EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
              END
              $$;

              SELECT 'CREATE DATABASE ${cfg.postgres.db}'
              WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${cfg.postgres.db}')\gexec
              EOF

              echo 'CREATE EXTENSION IF NOT EXISTS pgcrypto' | ${invokePsql} ${cfg.postgres.db}
            '');

            inherit (cfg) environment;

            unitConfig = {
              StartLimitBurst = 3;
              StartLimitIntervalSec = "1m";
            };

            serviceConfig = {
              Type = "exec";
              ExecStart = "${cfg.package}/bin/thulani";

              EnvironmentFile = cfg.environmentFiles;

              DynamicUser = true;
              User = cfg.user;
              Group = cfg.group;

              Restart = "always";
              RestartSec = "10s";

              TimeoutStopSec = "10s";

              MemoryHigh = "200M";
              MemoryMax = "300M";

              ProtectSystem = "strict";
              ProtectProc = "noaccess";
              ProtectHome = true;
              ProtectHostname = true;
              ProtectClock = true;
              ProtectKernelTunables = true;
              ProtectKernelModules = true;
              ProtectKernelLogs = true;
              ProtectControlGroups = true;

              PrivateDevices = true;
              PrivateUsers = true;
              PrivateMounts = true;

              RestrictNamespaces = true;
              RestrictRealtime = true;
              RestrictSUIDSGID = true;

              MemoryDenyWriteExecute = true;
              LockPersonality = true;
              NoNewPrivileges = true;
              KeyringMode = "private";

              SystemCallFilter = "@system-service";
              SystemCallErrorNumber = "EPERM";
            };
          };

          services.postgresql = lib.mkIf cfg.postgres.enable {
            enable = true;

            authentication = ''
              local ${cfg.postgres.db} ${cfg.user} ident
            '';
          };
        };
      };
    }
  );
}