# NixOS module: runs bookwyrm as a dedicated, unprivileged system user under
# a sandboxed systemd unit. Both `with` scopes are kept exactly as written so
# that `coreutils-full` and `bookwyrm` resolve the same way they did before.
{ pkgs, ... }:

with pkgs;
with pkgs.kernelmaft;

{
  # The unit is supplied verbatim through systemd.units (not systemd.services),
  # so none of the NixOS service defaults are merged into it.
  # NOTE(review): no [Install] section and no `wantedBy` is set here, so the
  # unit only runs if another unit or module pulls it in — confirm.
  # Sandboxing summary: ProtectSystem=strict leaves the filesystem read-only
  # apart from the StateDirectory/RuntimeDirectory paths systemd creates;
  # /tmp, /dev and IPC are private; new namespaces, realtime scheduling and
  # SUID/SGID are blocked. NOTE(review): there is no explicit NoNewPrivileges=,
  # CapabilityBoundingSet=, SystemCallFilter= or RestrictAddressFamilies= in
  # this unit — confirm whether that omission is intentional.
  systemd.units."bookwyrm.service".text = ''
    [Unit]
    After=network.target
    [Service]
    ExecStartPre=${coreutils-full}/bin/ln -sf ${bookwyrm}/var/lib/bookwyrm/VERSION /var/lib/bookwyrm/
    ExecStart=${bookwyrm}/bin/bookwyrm
    WorkingDirectory=/var/lib/bookwyrm
    # Creates /var/lib/bookwyrm directory
    StateDirectory=bookwyrm
    # Creates /run/bookwyrm directory
    RuntimeDirectory=bookwyrm
    User=bookwyrm
    Group=bookwyrm
    ProtectSystem=strict
    ProtectHome=tmpfs
    PrivateTmp=true
    PrivateDevices=true
    PrivateIPC=true
    ProtectHostname=true
    ProtectClock=true
    ProtectKernelTunables=true
    ProtectKernelModules=true
    ProtectControlGroups=true
    RestrictNamespaces=true
    LockPersonality=true
    RestrictRealtime=true
    RestrictSUIDSGID=true
  '';

  # Dedicated group for the service account.
  users.groups.bookwyrm = { };

  # Service account; `home` matches the StateDirectory above (systemd creates
  # it at start — `createHome` is not set here, so nothing creates it earlier).
  users.users.bookwyrm = {
    isSystemUser = true;
    group = "bookwyrm";
    home = "/var/lib/bookwyrm";
  };
}