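# NixOS module: socket-activated Xpra proxy server that also serves the
# xpra-html5 web client.
#
# What it sets up:
#   * a pinned checkout of the xpra-html5 client,
#   * a wrapper script that appends --html=<client dir> to any xpra invocation,
#   * a systemd socket unit on /run/xpra/system,
#   * a systemd service running `xpra proxy` with PAM authentication and a
#     TCP listener on port 10000.
{ config, pkgs, lib, ...}:

let
  # HTML5 client sources. Both the commit (`rev`) and the content hash are
  # pinned, so the fetched tree cannot change without this file changing.
  xpra-html5 = pkgs.fetchFromGitHub {
    owner = "Xpra-org";
    repo = "xpra-html5";
    rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
    hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
  };

  # Wrapper that forwards its arguments to xpra and adds the HTML5 client path.
  # "$@" is quoted so arguments are passed through without word splitting or
  # glob expansion; `exec` replaces the shell so systemd supervises xpra itself
  # rather than an intermediate bash process.
  xpra-web = pkgs.writeScript "xpra-web" ''
    #!${pkgs.bash}/bin/bash
    exec ${pkgs.xpra}/bin/xpra "$@" --html=${xpra-html5}/html5
  '';
in
{
  environment.systemPackages = [ pkgs.xpra ];

  systemd.sockets.xpra-web = {
    description = "Xpra Web Socket";
    partOf = [ "xpra-web.service" ];
    wantedBy = [ "sockets.target" ];
    socketConfig = {
      # ListenStream = 14500;
      ListenStream = "/run/xpra/system";
      # NOTE(review): SocketMode is not set, so systemd's default (0666)
      # applies and SocketGroup alone does not limit who may connect. Set
      # SocketMode = "0660" if only members of `users` should reach it.
      SocketUser = "root";
      SocketGroup = "users";
      # Enables SO_PASSCRED so the service can read the peer's uid/gid/pid.
      PassCredentials = "true";
    };
  };

  systemd.services.xpra-web = {
    description = "xpra-web";
    after = [ "network.target" "xpra-web.socket" ];
    requires = [ "xpra-web.socket" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # No User= is set, so the proxy runs as root.
      # NOTE(review): presumably needed for PAM and for reaching per-user
      # sessions; confirm, because it makes the flags below more sensitive.
      #
      # The command line is built from a list so each flag can carry a
      # comment; it is joined into one space-separated ExecStart line.
      ExecStart = lib.concatStringsSep " " [
        "${xpra-web}"
        "proxy"
        ":14500"
        "--daemon=no"
        "--socket-dirs=/run/xpra"
        # World read/write on the sockets xpra creates: any local account can
        # connect, and --auth=pam is then the only gate. Tighten to 660 plus a
        # dedicated group if that is broader than intended.
        "--socket-permissions=666"
        # NOTE(review): /var/log is not listed in ReadWritePaths, so it is
        # read-only under ProtectSystem=strict. With --daemon=no xpra
        # presumably logs to stderr (the journal); verify, or switch to
        # LogsDirectory= with a matching --log-dir.
        "--log-dir=/var/log"
        "--pidfile=/run/xpra/proxy.pid"
        "--auth=pam"
        # Listens on every IPv4 interface over plain TCP; nothing in this
        # module adds transport encryption, so logins and session traffic are
        # only as protected as the network path. Prefer 127.0.0.1 behind a
        # TLS-terminating reverse proxy, or xpra's --bind-ssl with --ssl-cert.
        # Whether the port is reachable also depends on the host firewall,
        # which is not configured here.
        "--bind-tcp=0.0.0.0:10000"
      ];
      Restart = "always";

      # Security
      NoNewPrivileges = true;
      # NOTE(review): this is the host's shared /tmp (PrivateTmp is not set)
      # and is writable by a root service; confirm the proxy needs it.
      ReadWritePaths = [ "/run/xpra" "/tmp" ];

      # Sandboxing
      ProtectSystem = "strict";
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
    };
  };
}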