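{ config, lib, pkgs, ... }:
# NixOS module for demostf-cleanup: renders a TOML config into the store,
# hands the API key to the service via systemd credentials, and runs the
# binary from a hardened systemd unit on a calendar timer.
with lib;
let
  cfg = config.services.demostf-cleanup;
  format = pkgs.formats.toml { };

  # The generated file lives in the world-readable Nix store, so it must never
  # contain the key itself. Only the runtime credential path is written here;
  # systemd populates $CREDENTIALS_DIRECTORY/api_key from LoadCredential below.
  # The binary is expected to expand $CREDENTIALS_DIRECTORY itself — TODO confirm upstream.
  configFile = format.generate "demostf-cleanup.toml" {
    api = {
      url = cfg.source;
      key_file = "$CREDENTIALS_DIRECTORY/api_key";
    };
    storage = {
      root = cfg.storageRoot;
    };
    cleanup = {
      from_backend = cfg.backend;
      age = cfg.age;
    };
  };
in
{
  options.services.demostf-cleanup = {
    enable = mkEnableOption "demostf-cleanup";

    source = mkOption {
      type = types.str;
      default = "https://api.demos.tf";
      description = "Api endpoint to cleanup demos for";
    };

    # Also granted as the unit's only ReadWritePaths entry under ProtectSystem=strict.
    storageRoot = mkOption {
      type = types.str;
      description = "path local demo files are stored at";
    };

    backend = mkOption {
      type = types.str;
      description = "name of the local demos backend";
    };

    age = mkOption {
      type = types.int;
      # Roughly 5 years; presumably seconds, as consumed by the binary — verify upstream.
      default = 157784629;
      description = "age of demos to cleanup";
    };

    # Deliberately types.str, not types.path: a path-typed option would copy a
    # literal path into the world-readable store. The file is only read by
    # systemd at start-up through LoadCredential.
    keyFile = mkOption {
      type = types.str;
      description = "path containing the edit secret";
    };

    user = mkOption {
      type = types.str;
      description = "user that owns the local demos";
    };

    log = mkOption {
      type = types.str;
      default = "info";
      description = "log level";
    };

    # systemd OnCalendar expression; the default fires every 10 minutes.
    interval = mkOption {
      type = types.str;
      default = "*:0/10";
      description = "how often to run";
    };

    # NOTE(review): no `default` is set, so this option is mandatory even
    # though defaultText advertises pkgs.demostf-cleanup; defaultText only
    # affects rendered documentation.
    package = mkOption {
      type = types.package;
      defaultText = literalExpression "pkgs.demostf-cleanup";
      description = "package to use";
    };
  };

  config = mkIf cfg.enable {
    systemd.services."demostf-cleanup" = {
      environment = {
        RUST_LOG = cfg.log;
      };
      serviceConfig = {
        ExecStart = "${getExe cfg.package} ${configFile}";
        ReadWritePaths = [ cfg.storageRoot ];
        # Secret reaches the process as a credential file, never via the store
        # or the environment.
        LoadCredential = [ "api_key:${cfg.keyFile}" ];
        Restart = "on-failure";
        User = cfg.user;

        # Sandboxing: the process only needs the storage root and outbound
        # IPv4/IPv6 to the API endpoint.
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectClock = true;
        # An empty assignment clears the bounding set, i.e. drops every
        # capability. The previous value `true` is not a capability name and
        # is not a valid setting for this directive.
        CapabilityBoundingSet = "";
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        SystemCallArchitectures = "native";
        ProtectKernelModules = true;
        RestrictNamespaces = true;
        MemoryDenyWriteExecute = true;
        ProtectHostname = true;
        LockPersonality = true;
        ProtectKernelTunables = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictRealtime = true;
        ProtectProc = "noaccess";
        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
        # Note: this also blocks a `source` that points at a loopback address.
        IPAddressDeny = [ "localhost" "link-local" "multicast" ];
        ProcSubset = "pid";
      };
    };

    systemd.timers."demostf-cleanup" = {
      enable = true;
      description = "Cleanup demos for demos.tf";
      wantedBy = [ "multi-user.target" ];
      timerConfig = {
        OnCalendar = cfg.interval;
      };
    };
  };
}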