{ pkgs, lib, config, ... }:
with lib;
{
  options.services.xsecurelock = {
    settings = mkOption {
      description = "xsecurelock settings";
      type = lib.types.submodule {
        freeformType = with types; attrsOf str;
      };
      default = {};
    };
  };
  config = {
    services.xsecurelock.settings = {
      #XSECURELOCK_DATETIME_FORMAT = mkDefault "";
      #XSECURELOCK_KEY_%s_COMMAND = mkDefault "";
      #XSECURELOCK_SWITCH_USER_COMMAND = mkDefault "${pkgs.lightdm}/bin/dm-tool switch-to-greeter";
      XSECURELOCK_BLANK_DPMS_STATE = mkDefault "off";
      XSECURELOCK_BLANK_TIMEOUT = mkDefault "1";
      XSECURELOCK_BURNIN_MITIGATION = mkDefault "100";
      XSECURELOCK_BURNIN_MITIGATION_DYNAMIC = mkDefault "1";
      XSECURELOCK_DIM_TIME_MS = mkDefault "2000";
      XSECURELOCK_DISCARD_FIRST_KEYPRESS = mkDefault "0";
      XSECURELOCK_FONT = mkDefault "monospace:size=12";
      XSECURELOCK_PASSWORD_PROMPT = mkDefault "cursor";
      XSECURELOCK_SAVER = mkDefault "saver_blank";
      XSECURELOCK_SHOW_DATETIME = mkDefault "1";
      XSECURELOCK_SHOW_HOSTNAME = mkDefault "1";
      XSECURELOCK_SHOW_USERNAME = mkDefault "1";
      XSECURELOCK_WAIT_TIME_MS = mkDefault "2000";
    };
    home.packages = [
      pkgs.xsecurelock
      pkgs.xss-lock
    ];
    services.screen-locker = {
      enable = true;
      lockCmd = toString (pkgs.writeShellScript "xsecurelock" ''
        export PATH=${with pkgs; makeBinPath [coreutils gnugrep xsecurelock xorg.xset]}
        ${concatMapStringsSep "\n"
            ({name, value}: "export "+escapeShellArg name+"="+escapeShellArg value)
            (attrsToList config.services.xsecurelock.settings)}
        ${pkgs.xsecurelock}/bin/xsecurelock
      '');
      inactiveInterval = mkDefault 3; # minutes
      xautolock.detectSleep = true;
      xss-lock.extraOptions = [
        "--transfer-sleep-lock"
        #"-n" "${pkgs.xss-lock}/share/doc/xss-lock/dim-screen.sh"
      ];
    };
  };
}