{ depot, src, pkgs, lib, ... }:

let
  inherit (depot.third_party) poetry2nix;
  pyproject = pkgs.runCommand "authentik-pyproject" { src = "${src}/pyproject.toml"; } ''
    sed 's/extras = \["standard"\],//' $src > $out
    sed -i '/^ruff =/d' $out
  '';
  poetrylock = pkgs.runCommand "authentik-poetrylock" { src = "${src}/poetry.lock"; } ''
    sed -e 's/, markers = "extra == \\\"standard\\\""//' \
      -e 's/and extra == \\\"standard\\\"//' \
      $src > $out
  '';
  fixedSrc = pkgs.runCommand "authentik-src" { inherit src; } ''
    cp -R $src $out
    chmod -R u+w $out
    cp ${pyproject} $out/pyproject.toml
    cp ${poetrylock} $out/poetry.lock
  '';

  python = pkgs.python311.override {
    self = python;
    packageOverrides = final: prev: {
      wheel = prev.wheel.overridePythonAttrs (oldAttrs: rec {
        version = "0.45.0";
        src = oldAttrs.src.override (oldAttrs: {
          rev = "refs/tags/${version}";
          hash = "sha256-SkviTE0tRB++JJoJpl+CWhi1kEss0u8iwyShFArV+vw=";
        });
      });
    };
  };

  maturin = python.pkgs.buildPythonPackage rec {
    inherit (pkgs.maturin) pname version meta src cargoDeps;
    format = "pyproject";
    nativeBuildInputs = [
      python.pkgs.setuptools-rust
      pkgs.rustPlatform.cargoSetupHook
      pkgs.cargo
      pkgs.rustc
    ];
  };
  app = poetry2nix.mkPoetryApplication rec {
    projectDir = fixedSrc;
    inherit python;
    overrides = let
      assertVersion = pkg: wantVersion: lib.assertMsg (pkg.version == wantVersion) "${pkg.pname} (${pkg.version}) is different to what I expected (${wantVersion}); maybe remove the override?";
    in poetry2nix.overrides.withDefaults (self: super: {
      pytest-runner = null;
      sphinx = super.sphinx.overridePythonAttrs (oldAttrs: {
        doCheck = false;
      });
      cython = super.cython.overridePythonAttrs (oldAttrs: rec {
        version = "0.29.33";
        src = self.fetchPypi {
          pname = "Cython";
          inherit version;
          sha256 = "0si8f96kyk7ljrmjrffsjm4i8n5fs7q29nlmldjfjb2d9967ch2h";
        };
        patches = [ ./cython-trashcan.patch ./cython-disable-trashcan.patch ];
      });
      dumb-init = super.dumb-init.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.setuptools ];
      });
      click-didyoumean = super.click-didyoumean.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.poetry ];
      });
      bump2version = super.bump2version.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.setuptools ];
      });
      opencontainers = super.opencontainers.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.setuptools ];
        postPatch = ''
          substituteInPlace setup.py \
            --replace-fail '["pytest-runner"]' '[]'
        '';
      });
      xmlsec = super.xmlsec.overridePythonAttrs (old: rec {
        version = "1.3.14";
        src = self.fetchPypi {
          inherit (old) pname;
          inherit version;
          hash = "sha256-k0+ATy+JW824bx6u4ja2YQE1YO5p7BCNKc3W5fKSotk=";
        };
        nativeBuildInputs = (old.nativeBuildInputs or []) ++ [ self.pkgconfig ];
        buildInputs = (old.buildInputs or []) ++ [ pkgs.xmlsec pkgs.libxslt pkgs.libxml2 pkgs.libtool ];
      });
      mistune = super.mistune.overridePythonAttrs (old: rec {
        version = "0.8.4";
        src = self.fetchPypi {
          inherit (old) pname;
          inherit version;
          sha256 = "59a3429db53c50b5c6bcc8a07f8848cb00d7dc8bdb431a4ab41920d201d4756e";
        };
      });
      urllib3-secure-extra = super.urllib3-secure-extra.overridePythonAttrs (old: {
        nativeBuildInputs = old.nativeBuildInputs ++ [ self.flit-core ];
      });
      asyncio = null; 
      pyrad = assert assertVersion super.pyrad "2.4"; super.pyrad.overridePythonAttrs (old: {
        patches = [ (pkgs.fetchpatch {
          url = "https://github.com/pyradius/pyrad/commit/ffe182a44909e8f8278fb3e2ea052ddc097b48b9.patch";
          hash = "sha256:116lnhrbcpf5ni87wmzqqg17m8havn4fb5575slpgw7svsv83i2z";
        }) ];
        nativeBuildInputs = (old.nativeBuildInputs or []) ++ [ self.poetry-core ];
      });
      sqlparse = assert assertVersion super.sqlparse "0.4.4"; super.sqlparse.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.flit-core ];
      });
      pytest-github-actions-annotate-failures = null;
      drf-jsonschema-serializer = assert assertVersion super.drf-jsonschema-serializer "2.0.0"; super.drf-jsonschema-serializer.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.setuptools ];
      });
      django-otp = assert assertVersion super.django-otp "1.2.2"; super.django-otp.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.hatchling ];
      });
      gunicorn = assert assertVersion super.gunicorn "21.2.0"; super.gunicorn.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.packaging ];
      });
      django-tenants = assert assertVersion super.django-tenants "3.6.1"; super.django-tenants.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.setuptools ];
      });
      psycopg-c = assert assertVersion super.psycopg-c "3.1.18"; super.psycopg-c.overridePythonAttrs (old: {
        propagatedBuildInputs = (old.propagatedBuildInputs or []) ++ [ self.tomli ];
        nativeBuildInputs = (old.nativeBuildInputs or []) ++ [ pkgs.postgresql ];
        buildInputs = (old.buildInputs or []) ++ [ self.setuptools ];
      });
      #rpds-py = assert assertVersion super.rpds-py "0.16.2"; super.rpds-py.overridePythonAttrs (old: {
      #  cargoDeps = pkgs.rustPlatform.importCargoLock {
      #    lockFile = ./Cargo.rpds-py.lock;
      #  };
      #  nativeBuildInputs = (old.nativeBuildInputs or []) ++ [
      #    pkgs.cargo
      #    pkgs.rustPlatform.cargoSetupHook
      #    pkgs.rustPlatform.maturinBuildHook
      #    pkgs.rustc
      #  ];
      #});
      #annotated-types = assert assertVersion super.annotated-types "0.6.0"; super.annotated-types.overridePythonAttrs (old: {
      #  buildInputs = (old.buildInputs or []) ++ [ self.hatchling ];
      #});
      #service-identity = assert assertVersion super.service-identity "24.1.0"; super.service-identity.overridePythonAttrs (old: {
      #  buildInputs = (old.buildInputs or []) ++ [ self.hatchling self.hatch-vcs self.hatch-fancy-pypi-readme ];
      #});
      lxml = assert assertVersion super.lxml "5.1.0"; super.lxml.overridePythonAttrs (old: {
        name = "lxml-4.9.4";
        version = "4.9.4";
        src = pkgs.fetchFromGitHub {
          owner = "lxml";
          repo = "lxml";
          rev = "lxml-4.9.4";
          sha256 = "sha256:160x1z93q916lqcj571g7295hyl8an8dnppni2lmcy1ppz0v8bd9";
        };
        buildInputs = (old.buildInputs or []) ++ [ pkgs.zlib ];
      });
      twisted = assert assertVersion super.twisted "23.10.0"; super.twisted.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.hatchling self.hatch-fancy-pypi-readme self.incremental ];
      });
      argon2-cffi = assert assertVersion super.argon2-cffi "23.1.0"; super.argon2-cffi.overridePythonAttrs (old: {
        buildInputs = (old.buildInputs or []) ++ [ self.hatchling self.hatch-vcs self.hatch-fancy-pypi-readme ];
      });
      #referencing = assert assertVersion super.referencing "0.32.1"; super.referencing.overridePythonAttrs (old: {
      #  buildInputs = (old.buildInputs or []) ++ [ self.hatchling self.hatch-vcs ];
      #});
      #jsonschema-specifications = assert assertVersion super.jsonschema-specifications "2023.12.1"; super.jsonschema-specifications.overridePythonAttrs (old: {
      #  buildInputs = (old.buildInputs or []) ++ [ self.hatchling self.hatch-vcs ];
      #});
    });

    buildInputs = [ pkgs.bash ];

    postInstall = ''
      mkdir -p $out/share/authentik
      touch $out/share/authentik/__init__.py
      cp -r ${src}/schemas $out/share/authentik/schemas
      cp -r ${src}/lifecycle $out/share/authentik/lifecycle

      wrapProgram $out/bin/ak \
        --prefix PYTHONPATH ':' "$out/share/authentik"
    '';
  };
in
  app.dependencyEnv