{ depot, src, pkgs, ... }:

let
  inherit (pkgs) poetry2nix;
  # Patched copy of the upstream pyproject.toml, written to $out.
  # The sed expression deletes the first `extras = ["standard"],` fragment on each
  # line that contains one; everything else is passed through unchanged.
  # NOTE(review): which dependency declares that extra is not visible here — confirm
  # against ${src}/pyproject.toml. sed exits successfully even when nothing matches,
  # so an upstream formatting change turns this patch into a silent no-op.
  pyproject = pkgs.runCommand "authentik-pyproject" { src = "${src}/pyproject.toml"; } ''
    sed 's/extras = \["standard"\],//' $src > $out
  '';
  # Patched copy of the upstream poetry.lock, written to $out.
  # Two textual edits are applied (first match per line):
  #   1. remove `, markers = "extra == \"standard\""`
  #   2. remove `and extra == \"standard\"`
  # i.e. the `extra == "standard"` marker conditions are stripped from lock entries.
  # Presumably this keeps the lock consistent with the patched pyproject.toml — TODO confirm.
  # NOTE(review): poetry.lock is the file that pins dependency versions, so the build
  # resolves from a lock that differs from the one upstream published. When bumping
  # `src`, diff this output against the original lock; sed succeeds without a match,
  # so a format change upstream would go unnoticed.
  poetrylock = pkgs.runCommand "authentik-poetrylock" { src = "${src}/poetry.lock"; } ''
    sed -e 's/, markers = "extra == \\\"standard\\\""//' \
      -e 's/and extra == \\\"standard\\\"//' \
      $src > $out
  '';
  # Source tree handed to poetry2nix: a full copy of `src` in which pyproject.toml
  # and poetry.lock are replaced by the patched versions built above.
  # `chmod -R u+w` makes the copy writable before the two files are overwritten
  # (presumably because the files copied from `src` are read-only — confirm).
  fixedSrc = pkgs.runCommand "authentik-src" { inherit src; } ''
    cp -R $src $out
    chmod -R u+w $out
    cp ${pyproject} $out/pyproject.toml
    cp ${poetrylock} $out/poetry.lock
  '';
  # The authentik application built with poetry2nix from the patched source tree,
  # on Python 3.11, with per-package overrides layered on poetry2nix's defaults.
  # NOTE(review): no visible attribute refers to a sibling, so `rec` looks unnecessary.
  app = poetry2nix.mkPoetryApplication rec {
    projectDir = fixedSrc;
    python = pkgs.python311;
    overrides = poetry2nix.overrides.withDefaults (self: super: {
      # The next four overrides only append build-time tools to nativeBuildInputs
      # (presumably build backends the packages need but do not declare — confirm).
      dumb-init = super.dumb-init.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.setuptools ];
      });
      click-didyoumean = super.click-didyoumean.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.poetry ];
      });
      bump2version = super.bump2version.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.setuptools ];
      });
      opencontainers = super.opencontainers.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.setuptools self.pytest-runner ];
      });
      # xmlsec gets pkgconfig at build time plus the xmlsec, libxslt, libxml2 and
      # libtool packages from nixpkgs as build inputs. `or []` tolerates the
      # attributes being absent on the original derivation.
      xmlsec = super.xmlsec.overridePythonAttrs (old: {
        nativeBuildInputs = (old.nativeBuildInputs or []) ++ [ self.pkgconfig ];
        buildInputs = (old.buildInputs or []) ++ [ pkgs.xmlsec pkgs.libxslt pkgs.libxml2 pkgs.libtool ];
      });
      # mistune is forced to version 0.8.4, fetched from PyPI and verified against
      # the sha256 below, replacing the version and source the lock file would give.
      # NOTE(review): the reason for the pin is not visible here. 0.8.x predates the
      # later 2.x/3.x releases; before keeping this pin, check upstream advisories
      # for fixes that only landed in newer releases.
      mistune = super.mistune.overridePythonAttrs (old: rec {
        version = "0.8.4";
        src = self.fetchPypi {
          inherit (old) pname;
          inherit version;
          sha256 = "59a3429db53c50b5c6bcc8a07f8848cb00d7dc8bdb431a4ab41920d201d4756e";
        };
      });
      urllib3-secure-extra = super.urllib3-secure-extra.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.flit-core ];
      });
      # watchfiles is not built from the lock entry at all: the package definition
      # shipped in nixpkgs is used instead, so its version follows nixpkgs rather
      # than poetry.lock.
      watchfiles = self.callPackage "${pkgs.path}/pkgs/development/python-modules/watchfiles/default.nix" {};
    });

    buildInputs = [ pkgs.bash ];

    # After installation: create $out/share/authentik as a Python package (empty
    # __init__.py), copy the `xml` and `lifecycle` directories into it from the
    # original `src` (not from fixedSrc), and wrap the `ak` executable so that
    # directory is prepended to PYTHONPATH.
    # NOTE(review): `--prefix` prepends to, rather than replaces, any PYTHONPATH
    # inherited from the caller, so inherited entries still reach the interpreter.
    # Start `ak` from an environment where PYTHONPATH is unset or controlled.
    postInstall = ''
      mkdir -p $out/share/authentik
      touch $out/share/authentik/__init__.py
      cp -r ${src}/xml $out/share/authentik/xml
      cp -r ${src}/lifecycle $out/share/authentik/lifecycle

      wrapProgram $out/bin/ak \
        --prefix PYTHONPATH ':' "$out/share/authentik"
    '';
  };
in
  # Result of this file: the `dependencyEnv` attribute of the application above
  # (presumably a Python environment containing the app and its dependencies —
  # confirm against the poetry2nix version in use).
  app.dependencyEnv