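# NixOS module: runs VictoriaLogs as a hardened systemd service and points
# systemd-journal-upload at it, so the local journal is shipped into the log
# database over a loopback HTTP endpoint.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.services.victorialogs;
  # The victoria-logs binary ships inside the victoriametrics package.
  pkg = pkgs.victoriametrics;
  # Shared basename for RuntimeDirectory (/run/<dirname>), StateDirectory
  # (/var/lib/<dirname>) and the -storageDataPath flag.
  dirname = "victorialogs";
in
{
  options.services.victorialogs =
    let
      inherit (lib.types) str;
    in
    {
      listenAddress = lib.mkOption {
        type = str;
        default = ":9428";
        example = "127.0.0.1:9428";
        description = ''
          `host:port` passed to `-httpListenAddr`. The default `:9428` has no
          host part and therefore binds on all interfaces. VictoriaLogs does not
          authenticate requests by itself, so restrict this to a loopback
          address, or shield the port with a firewall or an authenticating
          reverse proxy, on hosts reachable from untrusted networks.
        '';
      };

      bindAddress = lib.mkOption {
        readOnly = true;
        type = str;
        description = ''
          Final address on which victorialogs listens. Derived from
          `services.victorialogs.listenAddress`: a bare `:port` is rewritten to
          `127.0.0.1:port` so that local clients (journal upload, the readiness
          probe) have a concrete host to connect to.
        '';
      };
    };

  config = {
    # Only a host-less (leading-colon) listen address is rewritten to loopback.
    # An address with an explicit host, e.g. "0.0.0.0:9428", is used verbatim
    # and then also becomes the URL host for the local clients below.
    services.victorialogs.bindAddress =
      (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;

    # Ship the systemd journal into VictoriaLogs. The transport is plain HTTP,
    # which is acceptable only because bindAddress normally resolves to
    # loopback; a non-local listenAddress would send journal data in clear.
    services.journald.upload = {
      enable = true;
      settings.Upload = {
        URL = "http://${cfg.bindAddress}/insert/journald";
        NetworkTimeoutSec = "20s";
      };
    };

    # Ordering only: `after` does not wait for readiness, which is what the
    # postStart probe on the victorialogs unit provides.
    systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];

    systemd.services.victorialogs = {
      description = "VictoriaLogs log database";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      startLimitBurst = 5;

      serviceConfig = {
        # NOTE(review): systemd's ExecStart quoting is close to, but not
        # identical with, POSIX shell quoting. lib.escapeShellArgs produces the
        # same result for these plain arguments; utils.escapeSystemdExecArgs is
        # the dedicated helper should the argument list ever gain special
        # characters.
        ExecStart = lib.escapeShellArgs [
          "${pkg}/bin/victoria-logs"
          "-storageDataPath=/var/lib/${dirname}"
          "-httpListenAddr=${cfg.listenAddress}"
        ];

        # Unprivileged transient user; the runtime and state directories are
        # created for it by systemd with owner-only (0700) permissions.
        DynamicUser = true;
        RestartSec = 1;
        Restart = "on-failure";
        RuntimeDirectory = dirname;
        RuntimeDirectoryMode = "0700";
        StateDirectory = dirname;
        StateDirectoryMode = "0700";

        LimitNOFILE = 1048576;

        # Hardening
        DeviceAllow = [ "/dev/null rw" ];
        DevicePolicy = "strict";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # "full" leaves /var writable outside the state directory. "strict"
        # would narrow that further and is expected to work together with
        # StateDirectory/RuntimeDirectory — TODO confirm on a real deployment
        # before tightening.
        ProtectSystem = "full";
        RemoveIPC = true;
        # Sockets are limited to IPv4/IPv6 plus local Unix sockets.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
      };

      # Block the unit's start (and thus every unit ordered after it) until the
      # HTTP API answers /ping. The loop has no timeout of its own; it is
      # bounded by the unit's start timeout, after which systemd fails the unit.
      postStart = lib.mkBefore ''
        until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
          sleep 1;
        done
      '';
    };
  };
}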