{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  format = pkgs.formats.toml {};
  cfg = config.services.lightflash;
  configFile = format.generate "lightflash.toml" {
    mqtt = {
      inherit (cfg.mqtt) hostname username;
      password_file = "$CREDENTIALS_DIRECTORY/mqtt_password";
    };
    switch = cfg.switches;
  };
in {
  options.services.lightflash = {
    enable = mkEnableOption "Enables the lightflash service";

    mqtt = mkOption {
      type = types.submodule {
        options = {
          hostname = mkOption {
            type = types.str;
            description = "mqtt server hostname";
          };
          username = mkOption {
            type = types.str;
            description = "mqtt username";
          };
          passwordFile = mkOption {
            type = types.str;
            description = "path containing the mqtt password";
          };
        };
      };
    };

    switches = mkOption {
      description = "configured triggers";
      type = types.listOf (types.submodule {
        options = {
          name = mkOption {
            type = types.str;
            description = "switch to listen on";
          };
          lights = mkOption {
            type = types.listOf types.str;
            description = "lights to flash";
          };
        };
      });
    };

    package = mkOption {
      type = types.package;
      description = "package to use";
    };

    logLevel = mkOption {
      type = types.str;
      default = "INFO";
      description = "log level";
    };
  };

  config = mkIf cfg.enable {
    systemd.services.lightflash = {
      wantedBy = ["multi-user.target"];

      environment = {
        RUST_LOG = cfg.logLevel;
      };

      serviceConfig = {
        LoadCredential = [
          "mqtt_password:${cfg.mqtt.passwordFile}"
        ];

        Restart = "on-failure";
        ExecStart = "${getExe cfg.package} --config ${configFile}";
        DynamicUser = true;
        PrivateUsers = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        NoNewPrivileges = true;
        ProtectClock = true;
        CapabilityBoundingSet = true;
        ProtectControlGroups = true;
        SystemCallArchitectures = "native";
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectKernelTunables = true;
        ProtectHostname = true;
        LockPersonality = true;
        ProtectProc = "invisible";
        PrivateDevices = true;
        RestrictAddressFamilies = ["AF_LOCAL" "AF_INET"];
        RestrictRealtime = true;
        SystemCallFilter = ["~@reboot" "~@cpu-emulation" "~@obsolete" "~@debug" "~@swap" "~@clock" "~@module"];
        IPAddressDeny = ["any"];
        IPAddressAllow = ["localhost"];
        UMask = "0007";
        RuntimeDirectory = "lightflash";
      };
    };
  };
}