{
  config,
  lib,
  pkgs,
  ...
}:
with pkgs; let
  cfg = config.services.veilid-server;
in {
  options = with lib; {
    services.veilid-server = {
      enable = mkEnableOption "Enable velid-server";
      user = mkOption {
        type = with types; oneOf [str int];
        default = "veilid";
        description = "The user veilid-server will run as.";
      };

      group = mkOption {
        type = with types; oneOf [str int];
        default = "veilid";
        description = "The group veilid-server will run with.";
      };

      dataDir = mkOption {
        type = types.path;
        default = "/var/lib/veilid";
        description = "Path for veilid-server state directory.";
      };

      package = mkOption {
        type = types.package;
        default = pkgs.veilid;
      };

      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = "enable veilid-server in the firewall";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    users.groups.${cfg.group} = {};
    users.users.${cfg.user} = {
      inherit (cfg) group;
      description = "veilid-server user";
      isSystemUser = true;
      home = cfg.dataDir;
      createHome = true;
    };

    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [5150];
      allowedUDPPorts = [5150];
    };

    systemd.services.veilid-server = {
      enable = true;
      description = "veilid-server";
      wantedBy = ["network-online.target"];
      after = ["network-online.target"];

      environment = {
        HOME = cfg.dataDir;
      };

      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;

        RuntimeDirectory = "veilid";
        StateDirectory = "veilid";
        StateDirectoryMode = "0700";
        CacheDirectory = "veilid";

        ExecStart = "${cfg.package}/bin/veilid-server";
      };
    };
  };
}