{

  pkgsAttrs ? (import ./nix/pkgs.nix),
  bootstrap ? null,

}: let

  pkgs = pkgsAttrs.pkgs;

in rec {

  rootedBootstrap = pkgs.stdenv.mkDerivation {
    name = "cryptic-net-rooted-bootstrap";

    src = bootstrap;

    builder = builtins.toFile "builder.sh" ''
      source $stdenv/setup
      mkdir -p "$out"/share
      cp "$src" "$out"/share/bootstrap.tgz
    '';
  };

  version = pkgs.stdenv.mkDerivation {
    name = "cryptic-net-version";

    buildInputs = [ pkgs.git pkgs.go ];

    src = ./.;
    inherit bootstrap;
    nixPkgsVersion = pkgsAttrs.version;
    nixPkgsRev = pkgsAttrs.rev;
    builtByUser = builtins.getEnv "USER";

    builder = builtins.toFile "builder.sh" ''
      source $stdenv/setup

      versionFile=version

      cp -r "$src" srcCp

      if [ "$bootstrap" != "" ]; then
        hostName=$(tar -xzf "$bootstrap" --to-stdout ./hostname)
        echo "Built for host:  $hostName" >> "$versionFile"
      fi

      echo "Build date:      $(date) ($(date +%s))" >> "$versionFile"
      echo "Built by:        $builtByUser" >> "$versionFile"
      echo "Git rev:         $(cd srcCp && git describe --always --long --dirty=' (dirty)')" >> "$versionFile"
      echo "Go version:      $(go version)" >> "$versionFile"
      echo "Nixpkgs version: $nixPkgsVersion ($nixPkgsRev)" >> "$versionFile"

      mkdir -p "$out"/share
      cp "$versionFile" "$out"/share
    '';
  };

  entrypoint = pkgs.callPackage ./entrypoint {};

  dnsmasq = (pkgs.callPackage ./dnsmasq {
    glibcStatic = pkgs.glibc.static;
  }).env;

  garage = (pkgs.callPackage ./nix/garage.nix {}).env;

  waitFor = pkgs.callPackage ./nix/wait-for.nix {};

  appDir = pkgs.buildEnv {
    name = "cryptic-net-AppDir";
    paths = [

      pkgs.pkgsStatic.bash
      pkgs.pkgsStatic.coreutils
      pkgs.pkgsStatic.gnutar
      pkgs.pkgsStatic.gzip

      # custom packages from ./pkgs.nix
      pkgs.yq-go
      pkgs.nebula

      ./AppDir
      version
      dnsmasq
      garage
      entrypoint

    ] ++ (if bootstrap != null then [ rootedBootstrap ] else []);
  };

  appimagetool = pkgs.callPackage ./nix/appimagetool.nix {};

  appImage = pkgs.stdenv.mkDerivation {
    name = "cryptic-net-AppImage";
    src = appDir;

    buildInputs = [ appimagetool ];

    ARCH = "x86_64";

    builder = builtins.toFile "build.sh" ''
      source $stdenv/setup
      cp -rL "$src" cryptic-net
      chmod +w cryptic-net -R
      mkdir $out
      appimagetool cryptic-net "$out/cryptic-net"
    '';
  };

  service = pkgs.writeText "cryptic-service" ''
    [Unit]
    Description=cryptic nebula
    Requires=network.target
    After=network.target

    [Service]
    Restart=always
    RestartSec=1s
    User=root
    ExecStart=${appImage}/cryptic-net

    [Install]
    WantedBy=multi-user.target
  '';
}