{ system, self, deploy-rs, nvfetcher, mach-nix, leapseconds, ... }:
let
  pkgs = self.legacyPackages.${system};

  ca = mach-nix.lib.${system}.buildPythonPackage {
    pname = "ca";
    src = ./tools/ca;
    version = "0.0.0";
    ignoreDataOutdated = true;

    requirements = ''
      cryptography >=38.0.0
      fqdn
      atomicwrites
      leapseconddata
      xkcdpass
    '';

    _.cryptography.buildInputs = with pkgs; [ openssl ];

    postInstall = ''
      wrapProgram $out/bin/ca \
        --set-default LEAPSECONDS_FILE ${leapseconds} \
        --prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [sops])}
    '';
  };
in pkgs.mkShell {
  name = "nixos";
  nativeBuildInputs = with pkgs; [
    sops
    wireguard-tools
    gup
    nftables
    deploy-rs.packages.${system}.deploy-rs
    knot-dns
    yq
    nvfetcher.defaultPackage.${system}
    ca
  ];
}