{

  pkgs ? (import ./nix/pkgs.nix).stable,
  bootstrap ? null,

}: rec {

  rootedBootstrap = pkgs.stdenv.mkDerivation {
    name = "cryptic-net-rooted-bootstrap";

    src = bootstrap;

    builder = builtins.toFile "builder.sh" ''
      source $stdenv/setup
      mkdir -p "$out"/share
      cp "$src" "$out"/share/bootstrap.tgz
    '';
  };

  version = pkgs.stdenv.mkDerivation {
    name = "cryptic-net-version";

    buildInputs = [ pkgs.git pkgs.go ];
    src = ./.;
    inherit bootstrap;

    builder = builtins.toFile "builder.sh" ''
      source $stdenv/setup

      versionFile=version

      if [ "$bootstrap" != "" ]; then
        hostName=$(tar -xzf "$bootstrap" --to-stdout ./hostname)
        echo "Built for host:  $hostName" >> "$versionFile"
      fi

      echo "Build date:      $(date)" >> "$versionFile"
      echo "Git status:      $(cd "$src" && git describe --always --long --dirty=' (dirty)')" >> "$versionFile"
      echo "Go version:      $(go version)" >> "$versionFile"
      echo "Build host info: $(uname -srvm)" >> "$versionFile"

      mkdir -p "$out"/share
      cp "$versionFile" "$out"/share
    '';
  };

  goWorkspace = pkgs.callPackage ./go-workspace {};

  dnsmasq = (pkgs.callPackage ./dnsmasq {
    glibcStatic = pkgs.glibc.static;
  }).env;

  garage = (pkgs.callPackage ./nix/garage.nix {}).env;

  waitFor = pkgs.callPackage ./nix/wait-for.nix {};

  appDir = pkgs.buildEnv {
    name = "cryptic-net-AppDir";
    paths = [

      pkgs.pkgsStatic.bash
      pkgs.pkgsStatic.coreutils
      pkgs.pkgsStatic.unixtools.ping
      pkgs.pkgsStatic.netcat # required by waitFor
      pkgs.pkgsStatic.gnutar
      pkgs.pkgsStatic.gzip

      # custom packages from ./pkgs.nix
      pkgs.yq-go
      pkgs.nebula

      ./AppDir
      version
      dnsmasq
      garage
      waitFor
      goWorkspace.crypticNetMain

    ] ++ (if bootstrap != null then [ rootedBootstrap ] else []);
  };

  appimagetool = pkgs.callPackage ./nix/appimagetool.nix {};

  appImage = pkgs.stdenv.mkDerivation {
    name = "cryptic-net-AppImage";
    src = appDir;

    buildInputs = [ appimagetool ];

    ARCH = "x86_64";

    builder = builtins.toFile "build.sh" ''
      source $stdenv/setup
      cp -rL "$src" cryptic-net
      chmod +w cryptic-net -R
      mkdir $out
      appimagetool cryptic-net "$out/cryptic-net"
    '';
  };

  service = pkgs.writeText "cryptic-service" ''
    [Unit]
    Description=cryptic nebula
    Requires=network.target
    After=network.target

    [Service]
    Restart=always
    RestartSec=1s
    User=root
    ExecStart=${appImage}/cryptic-net

    [Install]
    WantedBy=multi-user.target
  '';
}