{
  config,
  pkgs,
  lib,
  user,
  dots,
  ...
}:
{
  options.custom.gui = with lib; {
    yabai = {
      enable = mkEnableOption "Enable yabai";
    };
  };

  config = lib.mkIf (config.custom.gui.yabai.enable && pkgs.stdenv.isDarwin) {
    # csrutil enable --without fs --without debug --without nvram
    # nvram boot-args=-arm64e_preview_abi

    # Generate sudoers file with SHA256 hash computed at activation time
    system.activationScripts.yabaiSudoers.text = ''
      echo "setting up yabai sudoers..." >&2
      YABAI_BIN="${pkgs.yabai}/bin/yabai"
      YABAI_HASH=$(shasum -a 256 "$YABAI_BIN" | ${pkgs.gawk}/bin/awk '{print $1}')

      echo "${user} ALL = (root) NOPASSWD: sha256:$YABAI_HASH $YABAI_BIN --load-sa" > /etc/sudoers.d/yabai
      chmod 0440 /etc/sudoers.d/yabai
    '';

    system.activationScripts.yabaiScriptingAddition.text = ''
      echo "loading yabai scripting addition..." >&2
      sudo ${pkgs.yabai}/bin/yabai --load-sa
    '';

    hm.home.packages = with pkgs; [
      yabai
    ];

    hm.xdg.configFile."yabai".source = config.hm.lib.file.mkOutOfStoreSymlink "${dots}/config/yabai";

    hm.home.activation.yabaiService = config.hm.lib.dag.entryAfter [ "writeBoundary" ] ''
      echo "Restarting yabai service..." >&2
      $DRY_RUN_CMD ${pkgs.yabai}/bin/yabai --uninstall-service || true
      $DRY_RUN_CMD ${pkgs.yabai}/bin/yabai --install-service
      $DRY_RUN_CMD ${pkgs.yabai}/bin/yabai --start-service
    '';

    hm.home.shellAliases = {
      restart-yabai = ''${pkgs.yabai}/bin/yabai --uninstall-service || ${pkgs.yabai}/bin/yabai --install-service || ${pkgs.yabai}/bin/yabai --start-service'';
    };
  };
}