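{ pkgs, lib, ... }:
{
  # Runs the Actual budgeting server as a sandboxed system service.
  systemd.services.actual-server = {
    enable = true;
    description = "user service for the actual budgeting server instance";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      ACTUAL_PORT = "9002";
      # Persistent data goes to the path that StateDirectory (below) makes
      # writable; every other path is read-only under ProtectSystem = "strict".
      ACTUAL_DATA_DIR = "/var/lib/actual-server";
    };

    serviceConfig = {
      Type = "simple";
      # "${pkgs.actual-server}" interpolates to the package's store *directory*,
      # which systemd cannot exec. Resolve the package's main executable instead.
      ExecStart = lib.getExe pkgs.actual-server;
      Restart = "on-failure";
      RestartSec = 3;

      # Run as a transient unprivileged user rather than root; the state
      # directory is created under /var/lib and owned by that user.
      DynamicUser = true;
      StateDirectory = "actual-server";

      # hardening -- these are serviceConfig keys; placed at the module top
      # level (as they were) they are not options and are never applied.
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RemoveIPC = true;
      # AF_NETLINK kept from the original set; getifaddrs()-style interface
      # enumeration on Linux goes through netlink.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      # MemoryDenyWriteExecute is deliberately not set: the Node.js/V8 JIT
      # needs to create executable mappings at runtime.
      SystemCallFilter = [ "@system-service" "~@resources" ];
      UMask = "0077";
    };
  };
}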