# NixOS module: installs the garage-ephemeral-key CLI and runs its `clean`
# sub-command on a systemd timer inside a hardened, dynamic-user service.
#
# Outer argument `wrap` is supplied by the importing flake/module and is used
# to wrap the CLI before it is put on the system PATH; the inner arguments are
# the usual NixOS module arguments.
{ wrap }:
{ lib, pkgs, config, ... }:
let
  # Python entry point built from the sibling script, with `requests` on its path.
  cli = pkgs.writers.writePython3Bin "garage-ephemeral-key"
    { libraries = [ pkgs.python3.pkgs.requests ]; }
    (builtins.readFile ./garage_ephemeral_key.py);

  # Service-level sandboxing: runs as a transient dynamic user with an empty
  # capability set, private /tmp, devices and user namespace, read-only or
  # hidden views of /home, /proc and the kernel interfaces, a seccomp allowlist
  # of @system-service minus @privileged, and socket creation limited to
  # AF_INET/AF_INET6 (no AF_UNIX — NOTE(review): confirm the script does not
  # rely on local-socket NSS/resolver lookups under this restriction).
  hardening = {
    DynamicUser = true;
    CapabilityBoundingSet = "";
    NoNewPrivileges = true;

    PrivateTmp = true;
    PrivateUsers = true;
    PrivateDevices = true;
    ProtectHome = true;
    ProtectClock = true;
    ProtectProc = "noaccess";
    ProcSubset = "pid";
    UMask = "0077";

    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectControlGroups = true;
    ProtectHostname = true;

    RestrictSUIDSGID = true;
    RestrictRealtime = true;
    RestrictNamespaces = true;
    LockPersonality = true;
    RemoveIPC = true;

    SystemCallFilter = [ "@system-service" "~@privileged" ];
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    MemoryDenyWriteExecute = true;
    SystemCallArchitectures = "native";
  };
in
{
  _file = ./garage-ephemeral-key.nix;

  # Expose the (wrapped) CLI to interactive users.
  environment.systemPackages = [ (wrap cli "garage-ephemeral-key") ];

  # Timer firing at minute 0 and then every second minute of every hour
  # (":00/2" → :00, :02, …, :58).
  systemd.timers.garage-ephemeral-key-clean.wantedBy = [ "multi-user.target" ];
  systemd.timers.garage-ephemeral-key-clean.timerConfig.OnCalendar = "*-*-* *:00/2";

  # The unit the timer activates: runs `garage-ephemeral-key clean` once
  # garage.service is up. Credentials come from the age-managed secrets file
  # (presumably agenix; EnvironmentFile is read by systemd before the dynamic
  # user is switched to, so the file itself need not be readable by that user —
  # confirm against the secret's mode/owner settings).
  systemd.services.garage-ephemeral-key-clean = {
    after = [ "garage.service" ];
    wants = [ "garage.service" ];
    serviceConfig = hardening // {
      ExecStart = "${lib.getExe cli} clean";
      EnvironmentFile = config.age.secrets.garage.path;
    };
  };
}