{
  stdenv,
  makeBinaryWrapper,
  removeReferencesTo,
  srcOnly,
  python3,
  pnpm,
  fetchFromGitHub,
  nodejs,
  vips,
  pkg-config,
  writeShellApplication,
  bash,
  xxd,
  openssl,
  nixosTests,
  lib,
}:

let
  generateSecrets = writeShellApplication {
    name = "generate-pds-secrets";

    runtimeInputs = [
      xxd
      openssl
    ];

    # Commands from https://github.com/bluesky-social/pds/blob/8b9fc24cec5f30066b0d0b86d2b0ba3d66c2b532/installer.sh
    text = ''
      echo "PDS_JWT_SECRET=$(openssl rand --hex 16)"
      echo "PDS_ADMIN_PASSWORD=$(openssl rand --hex 16)"
      echo "PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=$(openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32)"
    '';
  };

  nodeSources = srcOnly nodejs;
  customPython3 = python3.withPackages (p: [ p.setuptools ]);
in

stdenv.mkDerivation (finalAttrs: {
  pname = "pds";
  version = "0.4.74";

  src = fetchFromGitHub {
    owner = "bluesky-social";
    repo = "pds";
    rev = "v${finalAttrs.version}";
    hash = "sha256-kNHsQ6funmo8bnkFBNWHQ0Fmd5nf/uh+x9buaRJMZnM=";
  };

  sourceRoot = "${finalAttrs.src.name}/service";

  npmDepsHash = "sha256-uQKhODaVHLj+JEq6LYiJ/zXuu7kDCLmpxOs/VCc0GqQ=";

  nativeBuildInputs = [
    makeBinaryWrapper
    nodejs
    customPython3
    pkg-config
    pnpm.configHook
  ];

  # Required for `sharp` NPM dependency
  buildInputs = [ vips ];

  pnpmDeps = pnpm.fetchDeps {
    inherit (finalAttrs)
      pname
      version
      src
      sourceRoot
      ;
    hash = "sha256-oU4dwlBdsMmgAUv1ICaOqaqucmg/TjKOZxjnxpm0qL8=";
  };

  buildPhase = ''
    runHook preBuild

    for f in $(find -path '*/node_modules/better-sqlite3' -type d); do
      (cd "$f" && (
        npm run build-release --offline --nodedir=${nodeSources}
        find build -type f -exec \
        ${lib.getExe removeReferencesTo} \
        -t "${nodeSources}" {} \;
      ))
    done

    makeWrapper "${lib.getExe nodejs}" "$out/bin/pds" \
      --add-flags --enable-source-maps                \
      --add-flags "$out/lib/pds/index.js"             \
      --set-default NODE_ENV production

    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall

    mkdir -p $out/{bin,lib/pds}
    mv node_modules $out/lib/pds
    mv index.js $out/lib/pds

    runHook postInstall
  '';

  passthru = {
    inherit generateSecrets;
    tests = {
      inherit (nixosTests) pds;
    };
  };

  meta = {
    description = "Bluesky Personal Data Server (PDS)";
    homepage = "https://bsky.social";
    license = with lib.licenses; [
      mit
      asl20
    ];
    maintainers = with lib.maintainers; [ t4ccer ];
    platforms = lib.platforms.unix;
    mainProgram = "pds";
  };
})