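# NixOS module for the lasuite-docs proxy service.
#
# The module is curried on `self` (the flake providing the package) so that
# `services.lasuite-docs-proxy.package` can default to the flake's own
# `default` package for the host platform.
self: {
  config,
  lib,
  pkgs,
  utils,
  ...
}: let
  cfg = config.services.lasuite-docs-proxy;
in {
  meta.maintainers = with lib.maintainers; [quadradical];

  options.services.lasuite-docs-proxy = {
    enable = lib.mkEnableOption "the lasuite-docs proxy";

    # `stdenv.hostPlatform.system` is the canonical spelling of the host
    # platform string; `pkgs.system` is a legacy shorthand for the same value.
    package = lib.mkPackageOption self.packages.${pkgs.stdenv.hostPlatform.system} "default" {};

    group = lib.mkOption {
      type = lib.types.str;
      default = "lasuite-docs-proxy";
      description = ''
        Group the service runs as (systemd `Group=`). The runtime directory
        {file}`/run/lasuite-docs-proxy` is created with mode 0770, so members
        of this group get read/write access to whatever the proxy places there.

        This module does not declare the group. With `DynamicUser=` systemd
        allocates it dynamically unless a static group of that name already
        exists.
      '';
    };

    args = lib.mkOption {
      type = with lib.types; listOf str;
      default = [];
      description = ''
        Extra command-line arguments appended to the proxy executable.

        The values are escaped for systemd and written into the unit file,
        which lives in the world-readable Nix store, and they are visible in
        the process command line. Do not pass secrets here.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.lasuite-docs-proxy = {
      description = "lasuite-docs-proxy server";
      documentation = ["https://git.federated.nexus/Henry-Hiles/lasuite-docs-proxy"];
      wantedBy = ["multi-user.target"];
      wants = ["network-online.target"];
      after = ["network-online.target"];

      serviceConfig = {
        # escapeSystemdExecArgs quotes every element, so user-supplied args
        # cannot be reinterpreted by systemd's ExecStart= parser.
        ExecStart = utils.escapeSystemdExecArgs ([(lib.getExe cfg.package)] ++ cfg.args);

        # Identity. DynamicUser= also implies ProtectSystem=strict,
        # PrivateTmp=, RemoveIPC=, NoNewPrivileges= and RestrictSUIDSGID=.
        DynamicUser = true;
        Group = cfg.group;

        # Runtime directory shared with the service group only.
        # Modes are strings on purpose: Nix has no octal literals, so a bare
        # 0770 is the decimal integer 770 and a bare 007 is 7. Those only
        # produce the intended modes because systemd re-reads the digits as
        # octal; the string form states the mode explicitly.
        # NOTE(review): presumably this lets a reverse proxy in cfg.group
        # reach a socket under /run/lasuite-docs-proxy; confirm with the
        # proxy's listen configuration.
        UMask = "0007";
        RuntimeDirectory = "lasuite-docs-proxy";
        RuntimeDirectoryMode = "0770";

        # Filesystem and device isolation.
        ProtectHome = true;
        PrivateDevices = true;
        PrivateMounts = true;

        # Kernel and host state.
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;

        # Process restrictions.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;

        # Only local (unix) and IP sockets may be created.
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];

        # Allow the common service syscall set, then subtract the privileged
        # and resource-control groups.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];

        # NOTE(review): CapabilityBoundingSet=, ProtectProc= and PrivateUsers=
        # are not set here. Check `systemd-analyze security lasuite-docs-proxy`
        # and tighten further if the proxy tolerates it.

        Restart = "on-failure";
        RestartSec = 5;
      };
    };
  };
}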