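# NixOS module for the tlaternet web server.
#
# First argument set comes from the flake (`self` provides the packages,
# `system` selects the platform); the second is the usual module argument set.
{
  self,
  system,
}: {
  config,
  lib,
  ...
}: let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str;
  inherit (lib.strings) escapeShellArgs;
  inherit (self.packages.${system}) server templates;

  cfg = config.services.tlaternet-webserver;
in {
  options = {
    services.tlaternet-webserver = {
      enable = mkEnableOption "tlaternet web server";
      listen = {
        addr = mkOption {
          type = str;
          description = "IP address the server binds to.";
          default = "127.0.0.1";
        };

        port = mkOption {
          # `types.port` rejects anything outside 0-65535 at evaluation time,
          # where plain `int` would let a bogus value reach the service start.
          type = lib.types.port;
          description = "TCP port the server listens on.";
          default = 8000;
        };
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.tlaternet-webserver = {
      description = "tlaternet webserver";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];

      # Every argument is shell-escaped so option values cannot inject into
      # the unit's ExecStart shell line.
      script = escapeShellArgs [
        "${server}/bin/tlaternet-webserver"
        "--template-directory"
        templates
        "--address"
        # NOTE(review): an IPv6 literal in listen.addr would need brackets
        # here if the server parses host:port — confirm against its parser.
        "${cfg.listen.addr}:${toString cfg.listen.port}"
      ];

      serviceConfig = {
        Restart = "always";

        # Run as a transient unprivileged user; the filesystem and
        # namespace restrictions below tighten what that user can reach.
        DynamicUser = true;
        ProtectHome = true; # Override the default (read-only) with fully inaccessible
        PrivateDevices = true;
        PrivateIPC = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        # The default port (8000) is unprivileged, so no capability is needed;
        # ports below 1024 would require additional grants.
        CapabilityBoundingSet = "";
        # Only local sockets and IPv4/IPv6 are needed for a listener.
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Allow-list the @system-service group, then (the `~` prefix) deny-list
        # the groups a web server has no reason to call.
        SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
      };
    };
  };
}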