{
  lib,
  requireFile,
  release,
  gaudiHash ? null,
  ...
}: let
  inherit (release) srcPaths;

  src = requireFile {
    url = "https://soportefirmadigital.com";
    name = "${release.basename}.zip";

    inherit (release) hash;
  };

  gaudiUpdateSrc = {update-gaudi}:
    requireFile {
      url = "${update-gaudi}";
      name = "gaudi-update-${release.name}.zip";

      hash = gaudiHash;
    };

  moduleFromDeb = name: args @ {
    stdenv,
    dpkg,
    unzip,
    srcPath,
    ...
  }:
    stdenv.mkDerivation ({
        pname = "${name}-unwrapped";
        version = release.name;

        inherit src;

        nativeBuildInputs = [dpkg unzip] ++ (args.nativeBuildInputs or []);

        postUnpack = ''
          dpkg -x ${lib.escapeShellArg "${release.basename}/${srcPath}"} ${lib.escapeShellArg release.basename}
        '';
      }
      // lib.removeAttrs args ["stdenv" "dpkg" "unzip" "srcPath" "nativeBuildInputs"]);
in {
  ase-idprotect = {
    autoPatchelfHook,
    dpkg,
    fontconfig,
    freetype,
    pcsclite,
    stdenv,
    unzip,
    xorg,
    zlib,
    ...
  }:
    moduleFromDeb "ase-idprotect" {
      inherit dpkg stdenv unzip;
      srcPath = srcPaths.idprotect;

      buildInputs = [
        fontconfig
        freetype
        pcsclite
        stdenv.cc.cc.lib
        xorg.libX11
        xorg.libXext
        zlib
      ];

      nativeBuildInputs = [
        autoPatchelfHook
      ];

      outputs = ["out" "lib"];

      installPhase = ''
        runHook preInstall

        install -m755 -d $out/bin $lib/{etc,lib/x64-athena}
        install -m755 usr/bin/IDProtect{_Manager,PINTool} $out/bin/
        install -m755 usr/lib/x64-athena/* $lib/lib/x64-athena
        cp -r etc/Athena $lib/etc/Athena

        runHook postInstall
      '';

      preFixup = ''
        patchelf --set-rpath $lib/lib/x64-athena $out/bin/*
      '';
    };

  gaudi = {
    autoPatchelfHook,
    dpkg,
    makeWrapper,
    openjdk,
    pkgs,
    stdenv,
    unzip,
    writeShellScriptBin,
    update-gaudi,
    ...
  }: let
    jdk = openjdk.override {
      enableJavaFX = true;
      openjfx_jdk = pkgs."openjfx${lib.head (lib.splitString "." openjdk.version)}".override {withWebKit = true;};
    };

    fakeSudo = writeShellScriptBin "sudo" "";
    gaudiUpdate = gaudiUpdateSrc {inherit update-gaudi;};
  in
    moduleFromDeb "gaudi" {
      inherit dpkg stdenv unzip;
      srcPath = srcPaths.gaudi;

      nativeBuildInputs = [
        autoPatchelfHook
        jdk
        makeWrapper
      ];

      preBuild = lib.optionalString (gaudiHash != null) ''
        unzip -o ${gaudiUpdate} -d opt/Agente-GAUDI/lib/app
      '';

      buildPhase = ''
        runHook preBuild

        install -m755 -d $out/{bin,opt/Firmador-BCCR/lib}
        cp -r opt/Agente-GAUDI/lib/app $out/opt/Firmador-BCCR/lib/app

        # Preserves the original filename and avoids <hash>-LaunchGaudi.java
        ln -s ${./LaunchGaudi.java} LaunchGaudi.java

        javac \
          -cp opt/Agente-GAUDI/lib/app/bccr-firma-fva-clienteMultiplataforma.jar \
          -d $out/opt/Firmador-BCCR/lib/app \
          LaunchGaudi.java

        runHook postBuild
      '';

      installPhase = ''
        runHook preInstall

        install -m755 -d $out/{share,opt/Firmador-BCCR/lib/runtime/lib}
        install -m755 -D opt/Agente-GAUDI/bin/Agente-GAUDI $out/opt/Firmador-BCCR/bin/Agente-GAUDI
        install -m755 -D opt/Agente-GAUDI/lib/libapplauncher.so $out/opt/Firmador-BCCR/lib/libapplauncher.so

        ln -s ../opt/Firmador-BCCR/lib/app $out/share/java
        ln -s Firmador-BCCR $out/opt/Agente-GAUDI
        ln -s ${jdk}/lib/openjdk/lib/libjli.so $out/opt/Firmador-BCCR/lib/runtime/lib/libjli.so

        makeWrapper ${jdk}/bin/java $out/bin/gaudi \
          --prefix PATH : ${fakeSudo}/bin \
          --add-flags "-cp $out/share/java:$out/share/java/bccr-firma-fva-clienteMultiplataforma.jar" \
          --add-flags "-Djavax.net.ssl.trustStore=$out/opt/Firmador-BCCR/lib/app/bccr.cacerts" \
          --add-flags "LaunchGaudi"

        runHook postInstall
      '';
    };

  bccr-cacerts = {
    openssl,
    stdenv,
    unzip,
    ...
  }:
    stdenv.mkDerivation {
      pname = "bccr-cacerts";
      version = release.name;

      inherit src;

      nativeBuildInputs = [
        openssl
        unzip
      ];

      installPhase = ''
        cp -r Firma\ Digital/Certificados $out
        openssl x509 -in $out/CA\ RAIZ\ NACIONAL\ -\ COSTA\ RICA\ v2.crt -out $out/root-ca.pem -text
      '';
    };

  update-gaudi = {
    wget,
    writeShellScript,
    zip,
    bccr-cacerts,
    ...
  }:
    writeShellScript "update-gaudi" ''
      set -o errexit
      set -o pipefail
      set -o nounset

      temp_dir="$(mktemp -d)"
      trap 'cd / && rm -rf -- "$temp_dir"' EXIT
      cd "$temp_dir"

      PATH="${lib.makeBinPath [wget zip]}:$PATH"
      ca_cert="${bccr-cacerts}/root-ca.pem"
      base_url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador"

      wget --ca-certificate="$ca_cert" "$base_url/bccr.cacerts"
      wget --ca-certificate="$ca_cert" "$base_url/config.properties"
      wget --ca-certificate="$ca_cert" "$base_url/bccr-firma-fva-clienteMultiplataforma.jar"
      wget --ca-certificate="$ca_cert" "$base_url/ServicioActualizadorClienteBCCR.jar"

      # https://gist.github.com/stokito/c588b8d6a6a0aee211393d68eea678f2
      TZ=UTC find . -exec touch --no-dereference -a -m -t 198002010000.00 {} +
      zip_path="$PWD/gaudi-update-${release.name}.zip"
      TZ=UTC zip -q --move --recurse-paths --symlinks -X "$zip_path" .
      TZ=UTC touch -a -m -t 198002010000.00 "$zip_path"

      set -x
      nix-store --add-fixed sha256 "$zip_path"
      set +x

      echo -e "\ngaudiHash: $(nix-hash --to-sri --type sha256 $(sha256sum "$zip_path" | cut -d' ' -f1))"
    '';
}