{
  lib,
  stdenv,
  rustPlatform,
  fetchFromGitHub,
  asciidoctor,
  buildah,
  buildah-unwrapped,
  cargo,
  libiconv,
  libkrun,
  makeWrapper,
  rustc,
  sigtool,
}:

stdenv.mkDerivation rec {
  pname = "krunvm";
  version = "0.2.4";

  src = fetchFromGitHub {
    owner = "containers";
    repo = "krunvm";
    rev = "v${version}";
    hash = "sha256-YbK4DKw0nh9IO1F7QsJcbOMlHekEdeUBbDHwuQ2x1Ww=";
  };

  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit src;
    hash = "sha256-TMV9xCcqBQgPsUSzsTJAi4qsplTOSm3ilaUmtmdaGnE=";
  };

  nativeBuildInputs = [
    rustPlatform.cargoSetupHook
    cargo
    rustc
    asciidoctor
    makeWrapper
  ]
  ++ lib.optionals stdenv.hostPlatform.isDarwin [ sigtool ];

  buildInputs = [
    libkrun
  ]
  ++ lib.optionals stdenv.hostPlatform.isDarwin [
    libiconv
  ];

  makeFlags = [ "PREFIX=${placeholder "out"}" ];

  postPatch = ''
    # do not pollute etc
    substituteInPlace src/utils.rs \
      --replace "etc/containers" "share/krunvm/containers"
  '';

  postInstall = ''
    mkdir -p $out/share/krunvm/containers
    install -D -m755 ${buildah-unwrapped.src}/docs/samples/registries.conf $out/share/krunvm/containers/registries.conf
    install -D -m755 ${buildah-unwrapped.src}/tests/policy.json $out/share/krunvm/containers/policy.json
  '';

  # It attaches entitlements with codesign and strip removes those,
  # voiding the entitlements and making it non-operational.
  dontStrip = stdenv.hostPlatform.isDarwin;

  postFixup = ''
    wrapProgram $out/bin/krunvm \
      --prefix PATH : ${lib.makeBinPath [ buildah ]}
  '';

  meta = {
    description = "CLI-based utility for creating microVMs from OCI images";
    homepage = "https://github.com/containers/krunvm";
    license = lib.licenses.asl20;
    maintainers = with lib.maintainers; [ nickcao ];
    platforms = libkrun.meta.platforms;
    mainProgram = "krunvm";
  };
}