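# NixOS module: wires the apparmor.d profile collection into NixOS' AppArmor
# support.
#
# `security.apparmor_d.profiles` lists profile names (or attribute sets naming a
# profile plus its enable/enforce flags); each selected profile becomes a
# `security.apparmor.policies.<name>` entry whose body only `include`s the
# profile file shipped by the apparmor-d package.
{ pkgs, config, lib, ... }:
let
  inherit (lib) mkIf mkOption mkEnableOption mergeAttrsList types;

  cfg = config.security.apparmor_d;

  # The apparmor.d profile collection, built from the sibling package expression.
  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};

  # Option type for one entry of `profiles` given in attribute-set form.
  profile = types.submodule {
    options = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "whether to enable this profile";
      };
      # Enforced by default; `enforce = false` hands the flag to the NixOS
      # apparmor module unchanged (presumably complain mode — confirm there).
      enforce = mkOption {
        type = types.bool;
        default = true;
        description = "whether to enforce this profile";
      };
      name = mkOption {
        type = types.nonEmptyStr;
        description = "name of the apparmor profile within apparmor.d";
        example = "vesktop";
      };
    };
  };

  # Bring a bare profile name into the same shape as the attribute-set form so a
  # single code path builds the policy. The defaults match the submodule's.
  normalize = p:
    if builtins.isString p
    then { name = p; enable = true; enforce = true; }
    else p;

  selected = map normalize cfg.profiles;

  # Build the `security.apparmor.policies.<name>` entry for one profile. The
  # policy body just includes the file shipped by apparmor.d; the name is
  # interpolated straight into the path, so it is expected to be a plain file
  # name relative to etc/apparmor.d (no directory components).
  mkPolicy = p: {
    ${p.name} = {
      inherit (p) enable enforce;
      profile = ''
        include "${apparmor-d}/etc/apparmor.d/${p.name}"
      '';
    };
  };
in
{
  options.security.apparmor_d = {
    # mkEnableOption already prefixes "Whether to enable", so the argument is
    # only the thing being enabled (the old text read "enable enable ...").
    enable = mkEnableOption "apparmor.d support";
    profiles = mkOption {
      type = types.listOf (types.either types.nonEmptyStr profile);
      default = [];
      description = "list of apparmor profiles to include from apparmor.d";
      example = [ "vesktop" { name = "firefox"; enforce = false; } ];
    };
  };

  # NOTE(review): untyped, undocumented option with no consumer in this file;
  # looks like a leftover from debugging. Kept because removing it would change
  # the module's public interface.
  options.test = lib.mkOption { default = null; };

  config = mkIf cfg.enable {
    # Duplicate names would otherwise be merged silently with the last entry
    # winning (and a later `enforce = false` overriding an earlier enforced
    # entry); fail evaluation instead.
    assertions = [
      {
        assertion =
          lib.length (lib.unique (map (p: p.name) selected)) == lib.length selected;
        message = "security.apparmor_d.profiles contains the same profile name more than once";
      }
    ];

    # Register the package with the NixOS AppArmor module and emit one policy
    # per selected profile.
    security.apparmor.packages = [ apparmor-d ];
    security.apparmor.policies = mergeAttrsList (map mkPolicy selected);

    environment.systemPackages = [ apparmor-d ];
  };
}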