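# NixOS module for running TigerVNC's x0vncserver as a systemd service.
# It exports an existing X display over VNC, authenticated with a password
# file that is handed to the service through systemd credentials.
{ config, lib, mylib, pkgs, ... }: let
  cfg = config.tv.x0vncserver;
in {
  options.tv.x0vncserver = {
    # X display to export; defaults to the display configured for
    # services.xserver.
    display = lib.mkOption {
      default = ":${toString config.services.xserver.display}";
      type = lib.types.str;
    };
    enable = lib.mkEnableOption "tv.x0vncserver";
    # Host path of the VNC password file. The service never opens this path
    # itself: systemd loads it as a credential (see LoadCredential below).
    pwfile = lib.mkOption {
      default = "${config.krebs.secret.directory}/vncpasswd";
      description = ''
        Use vncpasswd to edit pwfile.
        See: nix-shell -p tigervnc --run 'man vncpasswd'
      '';
      type = mylib.types.absolute-pathname;
    };
    # TCP port the RFB (VNC) server listens on. The same value is used for
    # the firewall rule at the bottom of this module.
    rfbport = lib.mkOption {
      default = 5900;
      type = lib.types.int;
    };
    # Account the service runs as (only its `name` attribute is used here).
    user = lib.mkOption {
      default = config.krebs.build.user;
      type = mylib.types.user;
    };
  };
  config = lib.mkIf cfg.enable {
    # NOTE(review): presumably restarts the unit when the password file
    # changes, so a rotated password takes effect. Confirm in the krebs module.
    krebs.systemd.services.x0vncserver.restartIfCredentialsChange = true;
    systemd.services.x0vncserver = {
      after = [ "graphical.target" ];
      requires = [ "graphical.target" ];
      serviceConfig = {
        # `\${...}` keeps the variable literal in the Nix string, so systemd
        # expands CREDENTIALS_DIRECTORY when the unit starts.
        ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
          "-display ${cfg.display}"
          "-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile"
          "-rfbport ${toString cfg.rfbport}"
        ]}";
        # systemd exposes a credential declared as ID:PATH at
        # $CREDENTIALS_DIRECTORY/ID. The ID must therefore be `pwfile` to
        # match the -passwordfile argument above. The previous ID (`ssh_key`)
        # left that path nonexistent, so the server could not read the
        # configured password.
        LoadCredential = "pwfile:${cfg.pwfile}";
        User = cfg.user.name;
      };
    };
    # Opens rfbport through the retiolum input-accept list only.
    # NOTE(review): judging by the option name this limits exposure to the
    # retiolum overlay network. Confirm in tv.iptables. Classic VNC password
    # authentication uses only the first 8 characters of the password, so
    # widening this rule to other interfaces would need a tunnel or a
    # stronger security type.
    tv.iptables.input-retiolum-accept-tcp = [
      (toString cfg.rfbport)
    ];
  };
}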