{ pkgs, config, ... }:
{
  systemd.sockets."tmux@" = {
    listenStreams = [ "/home/%i/tmux.sock" ];
    socketConfig.SocketUser = "%i";
    socketConfig.SocketMode = "600";
    socketConfig.Service = "tmux@%i.service";
  };
  /*
    systemd.services."proxy-to-irssi@" = {
    requires = ["irssi@%i.service"];
    after = ["irssi@%i.service" "proxy-to-irssi-%i.socket"];
    #unitConfig.JoinsNamespaceOf = ["netns-${netns}.service"];
    unitConfig.JoinsNamespaceOf = ["irssi@%i.service"];
    serviceConfig = {
      ExecStart = "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd /var/lib/irssi/%i/tmux.sock";
      #PrivateNetwork = true;
      PrivateTmp = true;
    };
    };
  */
  #systemd.sockets."irssi@" = {
  #  enable = values.peersAnnouncing.enable;
  #  listenStreams = [(toString values.peersAnnouncing.listenPort)];
  #  socketConfig.Accept = true;
  #  socketConfig.ReusePort = true;
  #  wantedBy = [ "sockets.target" ];
  #};
  systemd.services."tmux@" = {
    description = "tmux for user %i";
    #after = [ "network.target" ];
    environment.HOME = "/var/lib/tmux/%i";
    # A custom LD_LIBRARY_PATH is needed to access in `getent passwd`
    # the systemd's entry about the DynamicUser=
    environment.LD_LIBRARY_PATH = config.system.nssModules.path;
    unitConfig = {
      RefuseManualStart = true;
    };
    serviceConfig = {
      Type = "notify";
      #GuessMainPID = true;
      ExecStart = "${pkgs.tmux}/bin/tmux -v -D -f /var/lib/tmux/%i/.config/tmux/tmux.conf -f ${pkgs.writeText "tmux.conf" ''
        set-option -g default-shell ${pkgs.runtimeShell}
        #set-option -g exit-empty off
        new-session -d
        run-shell -b "systemd-notify --ready"
      ''}";
      NotifyAccess = "all";
      #RuntimeDirectory = ["tmux/%i"];
      #RuntimeDirectoryMode = "755";
      StateDirectory = [ "tmux/%i" ];
      #TimeoutSec = 5;
      ExecStop = [
        # Send CTRL+u to clear the input line before /quit
        #"-${pkgs.tmux} -L %p send-keys -t irssi:0 C-u"
        #"-${pkgs.tmux} -L %p send-keys -t irssi:0 /quit Enter"
        # Sending /quit to irssi is asynchronous, so wait for irssi to exit
        # before killing the session in tmux
        #(pkgs.writeShellScript "stop-irssi" ''
        #  timeout 3 tail --pid=$(cat %t/irssi.pid || echo 0) -f /dev/null
        #'')
        #"-${pkgs.tmux} -L %p kill-session -t irssi-%i"
      ];
      WorkingDirectory = "/var/lib/tmux/%i";
      DynamicUser = true;
      #User = "%i";
      BindReadOnlyPaths = [
        "-/home/%i/.config/tmux/tmux.conf:/var/lib/tmux/%i/.config/tmux/tmux.conf"
      ];

      #IPAddressDeny = "any";
      #AmbientCapabilities = [""];
      #CapabilityBoundingSet = [""];
      #RestrictNamespaces = true;
      #PrivateUsers = true;
      ##NoNewPrivileges = true;
      ##ProtectSystem = true;
      ##PrivateTmp = true;
      #PrivateDevices = true;
      #ProtectClock = true;
      #ProtectControlGroups = true;
      #ProtectHome = true;
      #ProtectKernelLogs = true;
      #ProtectKernelModules = true;
      #ProtectKernelTunables = true;
      #ProtectProc = "invisible";
      #SystemCallArchitectures = "native";
      #SystemCallFilter = [
      #  "@system-service"
      #  "~@keyring" "~@clock" "~@debug" "~@module"
      #  "~@obsolete" "~@privileged" "~@process" "~@resources"
      #];
      #RestrictRealtime = true;
      #LockPersonality = true;
      #MemoryDenyWriteExecute = true;
      #UMask = 0077;
      #ProtectHostname = true;
      #ProcSubset = "pid";
      #StandardInput = "socket";
      #StandardOutput = "socket";
      #RestrictAddressFamilies = "";
    };
  };
}