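# Home Manager module for hosts where Nix lives in the user's directory and is
# reached through a proot (enabled by `config.frogeye.userNix`).
#
# It rewrites the generated systemd user units so they no longer depend on
# /nix being visible to `systemd --user`, installs a graphical session
# entrypoint that goes through the proot wrapper, and relaxes unit options
# that do not work when a proot runs inside the service.
{ pkgs, lib, config, ... }:
let
  # Wrapper script that every rewritten unit and the graphical session go through.
  # NOTE(review): this file lives outside the Nix store, in a user-writable
  # location, so its contents are not pinned by the generation. Whatever is at
  # this path runs in front of every wrapped service; keep it and its parent
  # directory writable by the owning user only.
  ensureNixPath = "${config.xdg.configHome}/dotfiles/ensure_nix.sh";
  # TODO Can we maybe use a lighter version of this?

  # Directory holding the systemd user units, plus shell-quoted forms of the
  # user-derived paths that are spliced into activation scripts below.
  systemdUserDir = "${config.xdg.configHome}/systemd/user";
  quotedSystemdUserDir = lib.escapeShellArg systemdUserDir;
  quotedEnsureNixPath = lib.escapeShellArg ensureNixPath;
in
{
  config = lib.mkIf config.frogeye.userNix {
    home.activation = {
      # When Nix is installed in the user directory via a proot, systemd --user
      # is started outside of it, so it cannot access /nix. So we need to:
      # - Ensure files systemd access aren't via /nix.
      #   Sometimes there's multiple layers of redirection, so easiest way is
      #   to copy the file outside the store.
      # - Wrap services entrypoints into a proot wrapper
      #
      # NOTE(review): the sed expression splices ensureNixPath in unescaped, so a
      # path containing `|`, `&` or `\` would corrupt the substitution, and a
      # path containing whitespace would be split by systemd's own Exec parsing.
      # NOTE(review): the wrapper is inserted right after `Exec…=`, i.e. before
      # any systemd prefix character (`-`, `@`, `+`, …) the unit may use; confirm
      # none of the wrapped units rely on those.
      prootSystemd = lib.hm.dag.entryBetween [ "reloadSystemd" ] [ "linkGeneration" ] ''
        cd ${quotedSystemdUserDir}
        ${pkgs.findutils}/bin/find . -maxdepth 1 -type l | while IFS= read -r path
        do
            temp="$(mktemp -p "$PWD")"
            ${pkgs.gnused}/bin/sed 's|^Exec\S\+=|\0${ensureNixPath} |' "$path" > "$temp"
            $DRY_RUN_CMD mv $VERBOSE_ARG "$temp" "$path"
            rm -f "$temp"
        done

        # Targets (need to be symlinks to original)
        ${pkgs.findutils}/bin/find . -mindepth 2 -maxdepth 2 -type l | while IFS= read -r path
        do
            $DRY_RUN_CMD rm $VERBOSE_ARG "$path"
            $DRY_RUN_CMD ln $VERBOSE_ARG -s "../$(basename "$path")" "$path"
        done
      '';

      # Unless files were created by HM, it will complain that something is in the way, so we delete them.
      # This is very ugly, as you're not supposed to write things before writeBoundary, but hey
      #
      # The path is shell-quoted: an unquoted `rm -rf` argument would be
      # word-split, and delete unrelated paths, if the config home ever
      # contained whitespace or glob characters.
      prootSystemdClean = lib.hm.dag.entryBefore [ "checkLinkTargets" ] ''
        $DRY_RUN_CMD rm $VERBOSE_ARG -rf ${quotedSystemdUserDir}
      '';

      # I wonder if it's possible to do this in a slightly more Nix way, without causing infinite recursion

      # Create a graphical entrypoint by overriding one of the OS programs
      #
      # NOTE(review): this works by putting ~/.local/bin first on PATH, so any
      # executable placed in that directory shadows the system program of the
      # same name for the whole graphical session. The directory should stay
      # writable by the owning user only.
      graphicalEntrypoints =
        let
          graphicalBin = "${config.home.homeDirectory}/.local/bin";
          quotedGraphicalBin = lib.escapeShellArg graphicalBin;
          graphicalProfile = pkgs.writeTextFile {
            name = "graphical-profile";
            text = ''
              export PATH="${graphicalBin}:$PATH"
            '';
          };
          graphicalEntrypoint = pkgs.writeTextFile {
            name = "graphical-entrypoint";
            text = ''
              #!/bin/sh
              exec ${quotedEnsureNixPath} ${lib.escapeShellArg config.xsession.scriptPath}
            '';
            executable = true;
          };
        in
        # lib.mkIf config.frogeye.desktop.xorg # TODO Removed because wrong ordering or something?
        # The two store paths are interpolated bare: store paths cannot contain
        # whitespace. The destinations come from the user's home directory and
        # are shell-quoted. The bin directory is created first so the second
        # copy does not fail on a fresh home.
        lib.hm.dag.entryAfter [ "writeBoundary" ] ''
          $DRY_RUN_CMD mkdir $VERBOSE_ARG -p ${quotedGraphicalBin}
          $DRY_RUN_CMD cp $VERBOSE_ARG -L -f ${graphicalProfile} ${lib.escapeShellArg "${config.home.homeDirectory}/.xprofile"}
          $DRY_RUN_CMD cp $VERBOSE_ARG -L -f ${graphicalEntrypoint} ${lib.escapeShellArg "${graphicalBin}/cinnamon-session-cinnamon"}
        '';
    };

    # Ubuntu gives you this for some reason, but it just makes warnings
    xsession.initExtra = ''
      unset LD_PRELOAD
    '';

    # Some systemd options don't work if you're running a proot inside, so they need to be relaxed
    systemd.user = {
      services = {
        mpd.Service = {
          # This tries to override PATH for some reason, which makes ensure_nix not work
          Environment = lib.mkForce [ ];
          # Since we're wrapping in ensure_nix, notifications for Type=notify
          # will come from a process lower
          # NOTE(review): "all" accepts notification messages from every
          # process in the unit's control group, not only the main one.
          NotifyAccess = "all";
        };
        # Below might be applicable on all services that use those options, but none is to test right now
        # NOTE(review): forcing these to empty drops the sandboxing directives
        # the unit would otherwise carry, so on userNix hosts syncthing runs
        # with less isolation than the stock unit. Restore them if the proot
        # wrapper ever stops being needed.
        syncthing.Service = {
          PrivateUsers = lib.mkForce [ ];
          RestrictNamespaces = lib.mkForce [ ];
          SystemCallFilter = lib.mkForce [ ];
        };
      };
    };
  };
}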