# Nix package expression (not OCaml): builds crowdsec-firewall-bouncer with
# buildGoModule and installs a systemd unit rendered from the template that
# ships in the source tree.
{
  lib,
  # Attrset expected to provide `crowdsec-firewall-bouncer.{pname,version,src}`.
  # NOTE(review): the source hash is not visible in this file; confirm that
  # `src` is fetched with a fixed hash where `sources` is defined.
  sources,
  buildGoModule,
  envsubst,
  coreutils,
}:
let
  # Absolute store path of the envsubst executable, so the build script does
  # not depend on whatever `envsubst` happens to be on PATH.
  envsubstBin = lib.getExe envsubst;
in
buildGoModule {
  inherit (sources.crowdsec-firewall-bouncer) pname version src;

  # Fixed-output hash of the vendored Go module dependencies. The build fails
  # if the fetched modules differ from it, so it must be recomputed whenever
  # `src` changes its dependency set. Treat an unexpected mismatch on an
  # unchanged `src` as something to investigate, not a value to overwrite.
  vendorHash = "sha256-7Jxvg8UEjUxnIz1llvXyI2AefJ31OVdNzhWD/C8wU/Y=";

  # Renders ./config/crowdsec-firewall-bouncer.service into
  # $out/lib/systemd/system with CFG and BIN set, then rewrites the FHS path
  # /bin/sleep to the coreutils store path.
  #
  # * envsubst is called without a variable allow-list, so any other
  #   $VAR / ${VAR} reference in the template is expanded too, from the build
  #   environment. NOTE(review): unset variables presumably expand to the
  #   empty string; inspect the rendered unit after a version bump.
  # * CFG points at /var/lib/crowdsec/config, mutable state outside the Nix
  #   store. NOTE(review): presumably the bouncer reads its API credentials
  #   from there and runs with firewall-management privileges; confirm the
  #   directory is root-owned and not writable or readable by other users.
  # * --replace-fail aborts the build if /bin/sleep is no longer present in
  #   the unit, so an upstream change to the template is not silently missed.
  # * Nothing here adds systemd sandboxing; apart from these substitutions
  #   the unit is installed as the template provides it.
  postInstall = ''
    mkdir -p $out/lib/systemd/system

    CFG=/var/lib/crowdsec/config BIN=$out/bin/cs-firewall-bouncer ${envsubstBin} \
      -i ./config/crowdsec-firewall-bouncer.service \
      -o $out/lib/systemd/system/crowdsec-firewall-bouncer.service

    substituteInPlace $out/lib/systemd/system/crowdsec-firewall-bouncer.service \
      --replace-fail /bin/sleep ${coreutils}/bin/sleep
  '';
}