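# NixOS module that runs Troutbot as a sandboxed systemd service.
#
# The outer `self` argument is the flake exposing this module; it is used only
# to look up the default Troutbot package for the host platform.
self: {
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkOption mkEnableOption literalExpression;
  inherit (lib.types) nullOr str port package;

  defaultPackage = self.packages.${pkgs.stdenv.hostPlatform.system}.troutbot;
  cfg = config.services.troutbot;
in {
  options.services.troutbot = {
    enable = mkEnableOption "troutbot";

    package = mkOption {
      type = nullOr package;
      default = defaultPackage;
      # Escaped so the rendered documentation shows the expression itself
      # rather than the system string of whichever machine built the docs.
      defaultText = literalExpression "inputs.troutbot.packages.\${pkgs.stdenv.hostPlatform.system}.troutbot";
      description = ''
        The Troutbot package to use. By default, this option will use the
        `packages.default` as exposed by this flake.
      '';
    };

    user = mkOption {
      type = str;
      default = "troutbot";
      description = ''
        System user the service runs as. The module declares this user as a
        system user in {option}`services.troutbot.group`.
      '';
    };

    group = mkOption {
      type = str;
      default = "troutbot";
      description = ''
        Group the service runs as. The module declares this group.
      '';
    };

    port = mkOption {
      type = port;
      default = 3000;
      description = ''
        Port number exported to the service as the `PORT` environment variable.
      '';
    };

    environmentFile = mkOption {
      type = nullOr str;
      default = null;
      description = ''
        Path handed to systemd as `EnvironmentFile=`; when `null`, the
        directive is omitted. If the file carries credentials, give the path
        as a plain string pointing outside the Nix store: store paths are
        world-readable, and interpolating a Nix path literal would copy the
        file into the store.
      '';
    };

    configPath = mkOption {
      type = nullOr str;
      default = null;
      description = ''
        Path exported to the service as the `CONFIG_PATH` environment
        variable; when `null`, the variable is not set. The file must be
        readable by {option}`services.troutbot.user` and must not live under
        `/home`, `/root` or `/run/user`, which the unit's `ProtectHome=true`
        hides from the service.
      '';
    };
  };

  config = mkIf cfg.enable {
    # `package` is typed nullOr, but ExecStart cannot be built from null;
    # fail with a readable message instead of an evaluation error in getExe.
    assertions = [
      {
        assertion = cfg.package != null;
        message = "services.troutbot.package must not be null when services.troutbot.enable is set.";
      }
    ];

    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
    };

    users.groups.${cfg.group} = {};

    systemd.services.troutbot = {
      description = "Troutbot";
      after = ["network.target"];
      wantedBy = ["multi-user.target"];

      # Process environment. These used to sit inside `serviceConfig`, where
      # they were emitted as [Service] directives; systemd does not know keys
      # named NODE_ENV, CONFIG_PATH or PORT, so the process never saw them.
      environment = {
        NODE_ENV = "production";
        PORT = toString cfg.port;
        # Left undefined (rather than set to null) when no path is configured.
        CONFIG_PATH = mkIf (cfg.configPath != null) cfg.configPath;
      };

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${lib.getExe cfg.package}";
        Restart = "on-failure";
        # Only emit the directive when a file is configured; a null value is
        # not a meaningful EnvironmentFile= setting.
        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;

        # Sandboxing: read-only file system outside API mounts, no access to
        # home directories, a private /tmp, and no privilege gain via
        # setuid/setgid binaries or file capabilities.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        NoNewPrivileges = true;
      };
    };
  };
}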