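{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  outputs = { self, nixpkgs, ... }:
    let
      forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;

      # NixOS module that runs pubcached as a sandboxed systemd service under a
      # dynamically allocated user.
      nixosModule = { pkgs, config, lib, ... }:
        let
          cfg = config.papatutuwawa.pubcached;
        in {
          options.papatutuwawa.pubcached = {
            # mkEnableOption already prefixes "Whether to enable", so only the
            # service name goes here (the previous text rendered as
            # "Whether to enable Enable pubcached").
            enable = lib.mkEnableOption "pubcached";

            # Which pubcached build to run. Defaults to `pkgs.pubcached`, i.e. it
            # assumes an overlay (or nixpkgs) provides that attribute; consumers
            # of this flake can point it at `self.packages.<system>.pubcached`.
            package = lib.mkOption {
              type = lib.types.package;
              description = "The pubcached package to run";
              default = pkgs.pubcached;
            };

            serverUrl = lib.mkOption {
              type = lib.types.str;
              description = "The URL to which archives should be redirected";
            };

            host = lib.mkOption {
              type = lib.types.str;
              description = "The host to bind to";
              default = "127.0.0.1";
            };

            port = lib.mkOption {
              type = lib.types.port;
              description = "The port to bind to";
              default = 8000;
            };
          };

          config = lib.mkIf cfg.enable {
            systemd.services.pubcached =
              let
                settingsFormat = pkgs.formats.toml {};
                # Database and package cache live under the StateDirectory
                # declared below (/var/lib/pubcached). The generated config.toml
                # itself is a Nix store path and therefore read-only.
                configRaw = {
                  "db_path" = "/var/lib/pubcached/db.sqlite";
                  "package_path" = "/var/lib/pubcached/packages/";
                  "server_url" = cfg.serverUrl;
                  "host" = cfg.host;
                  "port" = cfg.port;
                };
              in {
                description = "pubcached Service";
                wantedBy = [ "multi-user.target" ];
                after = [ "network-online.target" ];
                wants = [ "network-online.target" ];

                serviceConfig = {
                  DynamicUser = true;
                  WorkingDirectory = "%S/pubcached";
                  StateDirectory = "pubcached";
                  StateDirectoryMode = "0700";
                  UMask = "0007";
                  ConfigurationDirectory = "pubcached";
                  ExecStart = "${cfg.package}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";
                  Restart = "on-failure";
                  RestartSec = 15;

                  # Security
                  # Empty bounding set: the service holds no capabilities at all.
                  # Binding a port below 1024 would need CAP_NET_BIND_SERVICE, so
                  # keep `port` >= 1024 unless the capability settings are
                  # extended accordingly.
                  CapabilityBoundingSet = "";
                  NoNewPrivileges = true;

                  # Sandboxing
                  # ProtectSystem=strict makes the whole filesystem read-only
                  # except the StateDirectory granted above.
                  ProtectSystem = "strict";
                  ProtectHome = true;
                  PrivateTmp = true;
                  PrivateDevices = true;
                  PrivateUsers = true;
                  ProtectHostname = true;
                  ProtectClock = true;
                  ProtectKernelTunables = true;
                  ProtectKernelModules = true;
                  ProtectKernelLogs = true;
                  ProtectControlGroups = true;
                  # One list element per family (the previous single
                  # space-separated string relied on systemd splitting it).
                  RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
                  LockPersonality = true;
                  MemoryDenyWriteExecute = true;
                  RestrictRealtime = true;
                  RestrictSUIDSGID = true;
                  PrivateMounts = true;

                  # System Call Filtering
                  SystemCallArchitectures = "native";
                  # Deny list ("~" prefix): everything not listed stays allowed.
                  SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
                };
              };
          };
        };
    in {
      inherit nixosModule;
      # Name from the current flake output schema; `nixosModule` is kept for
      # existing consumers.
      nixosModules.default = nixosModule;

      packages = forAllSystems (system:
        let
          pkgs = import nixpkgs { inherit system; };
        in {
          pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};
        });
    };
}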