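# NixOS module for the soju IRC bouncer: a configurable listener, a
# PostgreSQL backend on the host's local instance, and a hardened systemd
# unit. Options live under `nixfiles.modules.soju`.
{ config, lib, pkgs, this, ... }:

with lib;

let
  cfg = config.nixfiles.modules.soju;
in
{
  options.nixfiles.modules.soju = {
    enable = mkEnableOption "soju";

    protocol = mkOption {
      # "irc+insecure" serves clients in plaintext; "ircs" is TLS, but soju
      # then needs a certificate/key configured in soju.conf, which this
      # module does not expose — so the default is only reasonable together
      # with the WireGuard-bound `address` default below.
      description = "Listener protocol (ircs = TLS, irc+insecure = plaintext).";
      type = with types; enum ["ircs" "irc+insecure"];
      default = "irc+insecure";
    };

    address = mkOption {
      # Defaults to this host's WireGuard address so the listener is not
      # reachable from public interfaces unless deliberately overridden.
      description = "Address the IRC listener binds to.";
      type = with types; str;
      default = this.wireguard.ipv4.address;
    };

    port = mkOption {
      description = "Port the IRC listener binds to.";
      type = with types; port;
      default = 6667;
    };

    domain = mkOption {
      # Used for both the advertised hostname and the bouncer title.
      description = "Domain soju announces to clients.";
      type = with types; str;
      default = config.networking.fqdn;
    };

    prometheus = {
      enable = mkEnableOption "Prometheus exporter." // { default = true; };
      port = mkOption {
        # The metrics listener is plain HTTP and bound to localhost only
        # (see the generated soju.conf below).
        description = "Port of the Prometheus metrics listener (localhost only).";
        type = with types; port;
        default = 9259;
      };
    };
  };

  config = let
    # Shared name for the database, the database role and (via DynamicUser,
    # which names the runtime user after the unit) the service user.
    db = "soju";
  in mkIf cfg.enable {
    nixfiles.modules.postgresql = {
      enable = true;
      # `ensurePermissions` below only grants on the database object; the
      # role also needs privileges on the public schema to create its tables.
      extraPostStart = [
        ''
          $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
        ''
      ];
    };

    services.postgresql = {
      ensureDatabases = [db];
      ensureUsers = [
        {
          name = db;
          ensurePermissions."DATABASE \"${db}\"" = "ALL";
        }
      ];
    };

    systemd.services.soju = {
      description = "soju IRC bouncer";
      wantedBy = ["multi-user.target"];
      # `after` alone only orders the unit; without `wants` the
      # network-online target is never pulled in, so the listener could
      # start before the bind address exists.
      wants = ["network-online.target"];
      after = ["network-online.target" "postgresql.service"];

      serviceConfig = {
        ExecStart = let
          # Config reference: https://soju.im/doc/soju.1.html
          dbParams = concatStringsSep " " [
            # Local Unix socket: the connection never leaves the host, which
            # is why sslmode=disable is acceptable here. Authentication is
            # presumably peer auth against the `soju` runtime user — confirm
            # against the postgresql module's pg_hba configuration.
            "host=/run/postgresql"
            "user=${db}"
            "dbname=${db}"
            "sslmode=disable"
          ];
          metricsListener = with cfg.prometheus;
            optionalString enable "listen http+prometheus://localhost:${toString port}";
          configFile = pkgs.writeText "soju.conf" ''
            listen ${cfg.protocol}://${cfg.address}:${toString cfg.port}
            ${metricsListener}
            db postgres ${dbParams}
            hostname ${cfg.domain}
            title ${cfg.domain}
          '';
        in concatStringsSep " " [
          "${pkgs.soju}/bin/soju"
          "-config ${configFile}"
        ];

        # --- Sandboxing: soju only needs its sockets and the config file ---
        DynamicUser = true;
        # An empty-string element renders as an empty assignment, which
        # clears the capability set entirely.
        AmbientCapabilities = [""];
        CapabilityBoundingSet = [""];
        UMask = "0077";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        ProtectProc = "invisible";
        ProcSubset = "pid";
        RemoveIPC = true;
        # AF_UNIX for the PostgreSQL socket, AF_INET/AF_INET6 for the listeners.
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = ["@system-service" "~@privileged"];
      };
    };
  };
}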