{
  description = "NixOS flake for OpenLinkHub";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";

  outputs = { nixpkgs, ... }:
  let
    system = "x86_64-linux";

    pkgs = import nixpkgs {
      inherit system;
    };

    openlinkhubPkg = pkgs.buildGoModule rec {
      pname = "openlinkhub";
      version = "0.7.4";

      src = pkgs.fetchFromGitHub {
        owner = "jurkovic-nikola";
        repo = "OpenLinkHub";
        tag = version;
        sha256 = "sha256-isUi3GDGmZ5BwOrLkxlPRzfZZyPlTZNhwq/dCKVfsXo=";
      };

      # REQUIRED for Go deps
      vendorHash = "sha256-wLoDbaLfSP2VLbl5yzJSSA7cvsv5tXnfb5+jsy0BjGA=";

      buildInputs = [
        pkgs.udev
      ];

      subPackages = [ "." ];

      postInstall = ''
        # Udev rules (correct NixOS way)
        mkdir -p $out/lib/udev/rules.d
        cp 99-openlinkhub.rules $out/lib/udev/rules.d/
      '';

      meta = with pkgs.lib; {
        description = "Open source interface for iCUE LINK Hub & Corsair devices";
        homepage = "https://github.com/jurkovic-nikola/OpenLinkHub";
        license = licenses.gpl3;
        platforms = platforms.linux;
      };
    };

    module = { config, lib, ... }: {
      options.openlinkhub.enable =
        lib.mkEnableOption "Enable OpenLinkHub service";

      config = lib.mkIf config.openlinkhub.enable {

        environment.systemPackages = [ openlinkhubPkg ];

        users.groups.openlinkhub = {};
        users.users.openlinkhub = {
          isSystemUser = true;
          group = "openlinkhub";
          description = "OpenLinkHub service user";
          home = "/var/lib/openlinkhub";
          createHome = true;
        };

        services.udev.packages = [ openlinkhubPkg ];
        systemd.services.openlinkhub = {
          description = "OpenLinkHub service";
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" "udev.service" ];

          # On first service start, populate working dir
          preStart = ''
            # Create working directory if missing
            mkdir -p /var/lib/openlinkhub

            cd /var/lib/openlinkhub

            # Copy database if missing
            if [ ! -d database ]; then
              cp -r ${openlinkhubPkg.src}/database .
            fi

            rm -r static || true
            # Copy static assets if missing
            if [ ! -d static ]; then
              cp -r ${openlinkhubPkg.src}/static .
            fi

            rm -r static || true
            # Copy web UI if missing
            if [ ! -d web ]; then
              cp -r ${openlinkhubPkg.src}/web .
            fi

            rm -r api || true
            # Copy api docs if missing
            if [ ! -d api ]; then
              cp -r ${openlinkhubPkg.src}/api .
            fi

            # Ensure ownership
            chown -R openlinkhub:openlinkhub /var/lib/openlinkhub
            chmod u+w /var/lib/openlinkhub -R
          '';

          serviceConfig = {
            ExecStart = "${openlinkhubPkg}/bin/OpenLinkHub";

            StateDirectory = "openlinkhub";
            WorkingDirectory = "/var/lib/openlinkhub";

            User = "openlinkhub";
            Group = "openlinkhub";

            Restart = "on-failure";

            NoNewPrivileges = true;
            PrivateTmp = true;
            ProtectSystem = "strict";
            ProtectHome = true;
          };
        };
      };
    };
  in
  {
    packages.${system}.default = openlinkhubPkg;

    nixosModules.default = module;
    nixosModules.openlinkhub = module;
  };
}