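{
  description = "A flake to install sTodo";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs, ... }:
    let
      # Pinned prebuilt release; the sha256 fixes the archive contents, so a
      # changed upstream tarball fails the fetch instead of being silently used.
      tarball = fetchTarball {
        url = "https://git.stuce.ch/stuce/sTodo/releases/download/r3/r3.tar.gz";
        sha256 = "1imgbbgbgx2r8qr90mpxlwfy9hcfpdz0sa4nir05jhqx8q1rl0y1";
      };
      # The release is only published for one platform.
      system = "x86_64-linux";
    in {
      packages.${system}.sTodo =
        with nixpkgs.legacyPackages.${system};
        stdenv.mkDerivation {
          pname = "sTodo";
          version = "1.0.0";
          src = tarball;
          buildInputs = [ libz gmp libffi ];
          nativeBuildInputs = [ openssl ];
          # Nothing is compiled: the release ships a binary plus a `static`
          # directory, both of which are installed as-is. The static assets are
          # placed in the package so the NixOS module can serve whatever assets
          # belong to the package that is actually configured.
          # NOTE(review): a prebuilt dynamically linked binary copied into the
          # store is not rewritten to find libz/gmp/libffi; if it fails to start
          # with missing shared libraries, autoPatchelfHook is the usual fix —
          # confirm against the release binary.
          installPhase = ''
            runHook preInstall
            mkdir -p $out/bin $out/share/sTodo
            cp $src/sTodo $out/bin/sTodo
            chmod ugo+x $out/bin/sTodo
            cp -r $src/static $out/share/sTodo/static
            runHook postInstall
          '';
          # `meta.mainProgram` is where `nix run` and lib.getExe look for it.
          meta.mainProgram = "sTodo";
        };

      nixosModules.sTodo = { config, lib, pkgs, ... }:
        let
          cfg = config.services.sTodo;
          # Wired to the option so that setting services.sTodo.clientSessionKey
          # takes effect (it previously had no influence on the unit).
          sessionKey = cfg.clientSessionKey;
          # Assets come from the configured package (see installPhase above).
          staticDir = "${cfg.package}/share/sTodo/static";
        in {
          options.services.sTodo = {
            enable = lib.mkEnableOption "sTodo";

            package = lib.mkOption {
              type = lib.types.package;
              default = self.packages.${system}.sTodo;
              description = "sTodo package to run; must provide bin/sTodo and share/sTodo/static.";
            };

            appRoot = lib.mkOption {
              type = lib.types.str;
              default = "http://localhost:6901";
              description = "Link used to access the webapp";
            };

            clientSessionKey = lib.mkOption {
              type = lib.types.str;
              default = "/var/lib/sTodo/client_session_key.aes";
              description = ''
                Location of the client session key. It is generated on first
                start (mode 0600, owned by the service user) when missing.
                The default lives in the unit's StateDirectory because the unit
                runs as an unprivileged user under ProtectSystem=strict and
                cannot create files under /etc; any other path must already be
                writable by, or pre-provisioned for, the sTodo user.
              '';
            };

            port = lib.mkOption {
              type = lib.types.port;
              default = 6901;
              description = "Port the app listens on";
            };
          };

          config = lib.mkIf cfg.enable {
            # Static assets are exposed at a fixed path for YESOD_STATIC_DIR.
            environment.etc."sTodo/static".source = staticDir;

            # Dedicated unprivileged identity for the service.
            users.groups.sTodo = { };
            users.users.sTodo = {
              isSystemUser = true;
              group = "sTodo";
            };

            systemd.services.sTodo = {
              description = "Launch a sTodo app to have a online todolist";
              after = [ "network.target" ];
              wantedBy = [ "multi-user.target" ];

              # ExecStartPre runs as the service user (not root), after systemd
              # has created the StateDirectory. umask 077 keeps the generated
              # key private; the openssl store path is referenced directly, so
              # nothing needs to be installed system-wide.
              preStart = ''
                umask 077
                if [ ! -f "${sessionKey}" ]; then
                  mkdir -p "$(dirname "${sessionKey}")"
                  "${pkgs.openssl}/bin/openssl" rand -out "${sessionKey}" 256
                fi
              '';

              environment = {
                YESOD_PORT = toString cfg.port;
                YESOD_APPROOT = cfg.appRoot;
                YESOD_SQLITE_DATABASE = "/var/lib/sTodo/sTodo.sqlite3";
                YESOD_STATIC_DIR = "/etc/sTodo/static";
                YESOD_SESSION_KEY = sessionKey;
              };

              serviceConfig = {
                ExecStart = "${cfg.package}/bin/sTodo";
                Restart = "always";
                User = "sTodo";
                Group = "sTodo";
                # /var/lib/sTodo: database and (by default) the session key.
                StateDirectory = "sTodo";
                StateDirectoryMode = "0700";
                # Files the app itself creates (sqlite db, journals) stay private.
                UMask = "0077";

                # Sandboxing: no capabilities, no devices, read-only system,
                # only the state directory is writable.
                AmbientCapabilities = "";
                CapabilityBoundingSet = "";
                DeviceAllow = "";
                LockPersonality = true;
                MemoryDenyWriteExecute = true;
                NoNewPrivileges = true;
                PrivateDevices = true;
                PrivateUsers = true;
                ProtectClock = true;
                ProtectControlGroups = true;
                ProtectHome = "read-only";
                ProtectHostname = true;
                ProtectKernelLogs = true;
                ProtectKernelModules = true;
                ProtectKernelTunables = true;
                ProtectProc = "noaccess";
                ProtectSystem = "strict";
                RestrictNamespaces = true;
                RestrictRealtime = true;
                RestrictSUIDSGID = true;
                SystemCallArchitectures = "native";
              };
            };
          };
        };
    };
}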