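# NixOS module for the "washng-machine" oneshot service and the timer that
# fires it once a minute.  `lib`, `pkgs` and `config` are the standard module
# arguments; nothing else from the module argument set is used.
{ lib, pkgs, config, ... }:
let
  cfg = config.services.washng-machine;

  # Every non-null entry of `cfg.settings` becomes one "KEY=VALUE" item for
  # the unit's Environment= directive.  Integers are stringified; everything
  # else is passed through as-is.
  environmentEntries =
    lib.mapAttrsToList
      (k: v: "${k}=${if builtins.isInt v then toString v else v}")
      (lib.filterAttrs (_: v: v != null) cfg.settings);
in
{
  options.services.washng-machine = {
    enable = lib.mkEnableOption "washien machien";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.callPackage ./default.nix { };
      description = "The package to use for th washng machine";
    };

    # Plain options rather than a submodule, so `cfg.settings` below is read
    # as a key -> value attribute set.  Values land in Environment=, i.e. in
    # the generated unit file; keep anything secret in `environmentFiles`.
    settings = {
      IDENTIFIER = lib.mkOption {
        type = lib.types.str;
        description = "ur bee sky identifier";
      };
      BACKGROUND = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        description = "background colour";
      };
      AVATAR = lib.mkOption {
        type = lib.types.str;
        description = "avatar image path";
      };
    };

    # Passed verbatim to EnvironmentFile=; each entry is a path to a file of
    # KEY=VALUE lines read by systemd at service start.
    environmentFiles = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "The environment file to use for WASHING MACHIEn";
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.washng-machine = {
      description = "washng-machine";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = false;
        EnvironmentFile = cfg.environmentFiles;
        Environment = environmentEntries;
        # AVATAR is operator-supplied configuration interpolated into the
        # command line.  Quote it so whitespace or quote characters in the
        # path cannot be split into additional arguments by systemd's
        # ExecStart= word splitting (single-quoted tokens are accepted there).
        ExecStart = "${lib.getExe cfg.package} ${lib.escapeShellArg cfg.settings.AVATAR}";

        # Hardening
        # NOTE(review): neither User= nor DynamicUser= is set, so the unit
        # runs as root; the sandboxing below narrows that but does not
        # replace an unprivileged user.  ProtectSystem= is also unset and is
        # worth adding once the program's write locations are known.
        RemoveIPC = true;
        # CAP_NET_BIND_SERVICE only matters for binding ports below 1024;
        # whether this client-style job needs it is unclear — TODO confirm,
        # and drop to [ "" ] if not.
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        PrivateMounts = true;
        SystemCallArchitectures = [ "native" ];
        MemoryDenyWriteExecute = false; # required by V8 JIT
        RestrictNamespaces = true;
        RestrictSUIDSGID = true;
        ProtectHostname = true;
        LockPersonality = true;
        ProtectKernelTunables = true;
        # Network client: local sockets plus IPv4/IPv6 only.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictRealtime = true;
        DeviceAllow = [ "" ]; # empty entry resets the device allow-list
        ProtectProc = "invisible";
        ProcSubset = "pid";
        # ProtectHome= means an AVATAR path under /home is not readable here.
        ProtectHome = true;
        PrivateUsers = true;
        PrivateTmp = true;
        UMask = "0077";
      };
    };

    systemd.timers.washng-machine = {
      description = "Run washng-machine every minute";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "1min"; # first run 1 minute after boot
        OnUnitActiveSec = "1min"; # run every minute
        AccuracySec = "5s";
        Unit = "washng-machine.service"; # the service to run
      };
    };
  };
}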