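# NixOS module: runs wayneko (a Wayland desktop pet) as a sandboxed systemd
# *user* service that follows the lifetime of the graphical session.
{ lib, pkgs, ... }:
let
  inherit (lib.meta) getExe;

  # Pin wayneko to one upstream commit instead of whatever nixpkgs ships.
  # Only `src` is overridden; the build recipe itself still comes from nixpkgs.
  # The fixed-output `hash` is what actually guarantees the fetched content;
  # `rev` alone is not an integrity check.
  #
  # A stray top-level `hash = ""` that used to sit next to `src` was removed:
  # mkDerivation does not interpret that attribute, so it was only being
  # exported to the builder as an empty environment variable.
  custom-wayneko = pkgs.wayneko.overrideAttrs {
    src = pkgs.fetchFromGitea {
      domain = "copeberg.org";
      owner = "virt";
      repo = "wayneko";
      rev = "3ed4e4e1f847213e712fe22e0278ec62c4fa2cf2";
      hash = "sha256-NxNrcQkx82SQ5GRqcJbbgM/Qg3GY8Whu5m5wI3zQi18=";
    };
  };
in
{
  systemd.user.services.wayneko = {
    description = "Wayneko, as a systemd service";

    # makes the graphical session start this service when it starts
    wantedBy = [ "graphical-session.target" ];
    # when graphical session restarts or gets stopped, this also gets restarted/stopped.
    partOf = [ "graphical-session.target" ];
    # gets started only after graphical session
    after = [ "graphical-session.target" ];

    serviceConfig = {
      # The trailing backslashes are systemd line continuations in the
      # generated unit file; Nix strips the common indentation of the
      # '' string so the continuation lines start at column 0.
      ExecStart = ''
        ${getExe custom-wayneko}\
        --layer top\
        --type striped\
        --background-colour 0xb4befe\
        --outline-colour 0x1e1e2e
      '';
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;

      # --- sandboxing -------------------------------------------------------
      # NOTE(review): these sandboxing directives apply to a *user* service,
      # where systemd can only implement most of them through unprivileged
      # user namespaces (hence PrivateUsers below). On a kernel that forbids
      # unprivileged user namespaces the unit may fail to start rather than
      # run unsandboxed; verify on the target machine.
      #
      # Two misspelled duplicates were dropped from this list:
      # `ProtectControlGroup` (the real key is ProtectControlGroups, kept) and
      # `RestrictRealTime` (the real key is RestrictRealtime, kept). NixOS does
      # not validate key names here, so systemd was logging "Unknown key name"
      # and ignoring them; the intended protections were already set.

      # `[ "" ]` renders as `CapabilityBoundingSet=`, i.e. no capabilities at all.
      CapabilityBoundingSet = [ "" ];
      DevicePolicy = "closed";
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      # NOTE(review): PrivateDevices hides /dev/dri as well; fine if the client
      # draws with shared-memory buffers, but confirm wayneko does not need GPU
      # device nodes.
      PrivateDevices = true;
      # A Wayland client only talks to the compositor over a Unix socket under
      # $XDG_RUNTIME_DIR, so it needs no network namespace of its own.
      # NOTE(review): consider also `RestrictAddressFamilies = [ "AF_UNIX" ];`
      # to deny creating other socket types altogether — confirm nothing else
      # in the client needs a different family.
      PrivateNetwork = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = "read-only";
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = [ "native" ];
      # Leading `~` makes this a deny-list: every listed syscall group is
      # blocked, everything else stays allowed.
      SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
    };
  };
}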