{
  lib,
  fetchFromGitHub,
  buildGoModule,
  envsubst,
  coreutils,

  writers,
  nix-update,
}:
let
  envsubstBin = lib.getExe envsubst;
in
buildGoModule (drv: {
  pname = "crowdsec-firewall-bouncer";
  version = drv.src.rev;

  src = fetchFromGitHub {
    owner = "crowdsecurity";
    repo = "cs-firewall-bouncer";
    rev = "0.0.34";
    sha256 = "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g=";
  };

  vendorHash = "sha256-SbpclloBgd9vffC0lBduGRqPOqmzQ0J91/KeDHCh0jo=";

  postInstall = ''
    mkdir -p $out/lib/systemd/system

    CFG=/var/lib/crowdsec/config BIN=$out/bin/cs-firewall-bouncer ${envsubstBin} \
      -i ./config/crowdsec-firewall-bouncer.service \
      -o $out/lib/systemd/system/crowdsec-firewall-bouncer.service

    substituteInPlace $out/lib/systemd/system/crowdsec-firewall-bouncer.service \
      --replace-fail /bin/sleep ${coreutils}/bin/sleep
  '';

  passthru.updateScript =
    writers.writeNuBin "update-crowdsec-firewall-bouncer"
      {
        makeWrapperArgs = [
          "--prefix"
          "PATH"
          ":"
          (lib.makeBinPath [ nix-update ])
        ];
      }
      ''
        nix-update --flake --format crowdsec-firewall-bouncer
      '';
})