{ stdenv
, fetchFromGitHub
, lib
, MODEL ? "4"
, RELEASE_TYPE ? "RELEASE"
, EDK2_FLAGS ? ""
, nasm
, perl
, python3
, python3Packages
, openssl
, git
, libuuid
, pkgs
, namespace
}:
let
  pname = "edk2";
  version = "stable202511";

  edk2Src = fetchFromGitHub rec {
    owner = "mjallen18";
    repo = "edk2";
    name = repo;
    #tag = "edk2-${version}";
    rev = "9765be56f1f816ef737153f5588b3294fcc69a63";
    hash = "sha256-oqfJbNeOj2BVJqWE+snD6ri3lUO1aNcmPg+eJpjyr5E=";
    fetchSubmodules = true;
  };

  edk2NonOsiSrc = fetchFromGitHub rec {
    owner = "mjallen18";
    repo = "edk2-non-osi";
    name = repo;
    rev = "09ee44f07ded544d976be8a03dec3715719homeassistant-apif638e";
    hash = "sha256-k7nUb3WaRUIr9IlXdam2WGKPOzKjLNVFLfuD5h4veMc=";
  };

  edk2PlatformsSrc = fetchFromGitHub rec {
    owner = "mjallen18";
    repo = "edk2-platforms";
    name = repo;
    rev = "933314d94a3d05f2f62b0f2148151d4a0f1e1183";
    hash = "sha256-Tnvrwk4g191LzfTkdoFw1BBN51EWhEQ7DRe9u5Mzc0w=";
  };

  baseTools = pkgs.${namespace}.edk2-basetools;

  pythonEnv = python3.withPackages (
    _ps: with python3Packages; [
      libfdt
    ]
  );
in
stdenv.mkDerivation rec {
  inherit pname version;

  srcs = [
    edk2Src
    edk2NonOsiSrc
    edk2PlatformsSrc
  ];

  # Add required host tools if needed:
  nativeBuildInputs = [
    openssl
    nasm
    perl
    pythonEnv
    git
    libuuid
    baseTools
  ];

  env = {
    NIX_CFLAGS_COMPILE =
      "-Wno-return-type -Wno-error"
      + lib.optionalString (stdenv.cc.isGNU) " -Wno-error=stringop-truncation"
      + lib.optionalString (stdenv.hostPlatform.isDarwin) " -Wno-error=macro-redefined";
    PYTHON_COMMAND = lib.getExe pythonEnv;
    # trick taken from https://src.fedoraproject.org/rpms/edk2/blob/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/edk2.spec#_319
    ${"GCC5_AARCH64_PREFIX"} = stdenv.cc.targetPrefix;

  };

  # Don’t force a single root; we keep both dirs side by side
  sourceRoot = ".";

  unpackPhase = ''
    runHook preUnpack

    for src in $srcs; do
      unpackFile "$src"
    done

    chmod -R u+w .

    patchShebangs ./edk2

    runHook postUnpack
  '';

  prePatch = ''
    rm -rf ./edk2/BaseTools
    ln -sv ${baseTools}/BaseTools ./edk2/BaseTools
  '';

  postPatch = ''
    f=edk2/CryptoPkg/Library/OpensslLib/OpensslLib.inf
    if grep -q '^\[BuildOptions\]' "$f"; then
      # Add flag inside existing BuildOptions
      sed -i '/^\[BuildOptions\]/a\  GCC:*_*_*_CC_FLAGS = -Wno-error' "$f"
    else
      # Append a new BuildOptions block
      cat >> "$f" <<'EOF'

  [BuildOptions]
    GCC:*_*_*_CC_FLAGS = -Wno-error
  EOF
    fi
  '';

  configurePhase = ''
    runHook preConfigure
    export WORKSPACE=$PWD
    export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-non-osi:$WORKSPACE/edk2-platforms
    export EDK_TOOLS_PATH=${baseTools}/BaseTools
    export ATF_BUILD_DIR="${pkgs.${namespace}.arm-trusted-firmware}/rpi${MODEL}/${RELEASE_TYPE}"

    . ${baseTools}/edksetup.sh BaseTools
    runHook postConfigure
  '';

  buildPhase = ''
    build \
        -a AARCH64 \
        -t GCC \
        -b ${RELEASE_TYPE} \
        -p edk2-platforms/Platform/RaspberryPi/RPi${MODEL}/RPi${MODEL}.dsc \
        -D TFA_BUILD_ARTIFACTS=$ATF_BUILD_DIR \
        --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVersionString=L${version} \
        ${EDK2_FLAGS}
  '';

  installPhase = ''
    mkdir -p $out
    cp -r /Build/RPi${MODEL}/${RELEASE_TYPE}_GCC/FV/RPI_EFI.fd $out/RPI_EFI.fd
  '';

  meta = with lib; {
    description = "ARM Trusted Firmware-A for Raspberry Pi";
    license = licenses.bsd3;
    platforms = [ "aarch64-linux" ];
    maintainers = with maintainers; [ kazenyuk ];
  };
}