{ stdenv, lib, fetchurl, gtk, glib, libSM, gdk_pixbuf, libX11, libXinerama, iproute,
  makeWrapper, libredirect, ppp, coreutils, gawk, pango }:
stdenv.mkDerivation rec {
  name = "forticlientsslvpn";
  # forticlient will be copied into /tmp before execution. this is necessary as
  # the software demands $base to be writeable

  # TODO: chroot and create the following files instead of copying files manually
  # mkdir /etc/ppp ; touch /etc/ppp/options
  # ln -s /run/current-system/sw/bin/tail /usr/bin/tail
  # ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd

  src = fetchurl {
    # archive.org mirror:
    # https://archive.org/download/ForticlientsslvpnLinux4.4.23171.tar/forticlientsslvpn_linux_4.4.2317.tar.gz
    url = http://www.zen.co.uk/userfiles/knowledgebase/FortigateSSLVPNClient/forticlientsslvpn_linux_4.4.2317.tar.gz;
    sha256 = "19clnf9rgrnwazlpah8zz5kvz6kc8lxawrgmksx25k5ywflmbcrr";
  };
  phases = [ "unpackPhase" "buildPhase" "installPhase" "fixupPhase" ];

  buildInputs = [ makeWrapper ];

  binPath = lib.makeBinPath [
    coreutils
    gawk
  ];


  libPath = lib.makeLibraryPath [
    stdenv.cc.cc
  ];

  guiLibPath = lib.makeLibraryPath [
    gtk
    glib
    libSM
    gdk_pixbuf
    libX11
    libXinerama
    pango
  ];

  buildPhase = ''
    # TODO: 32bit, use the 32bit folder
    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
      --set-rpath "$libPath" \
      64bit/forticlientsslvpn_cli

    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
      --set-rpath "$libPath:$guiLibPath" \
      64bit/forticlientsslvpn

    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
      --set-rpath "$libPath" \
      64bit/helper/subproc

    sed -i 's#\(export PATH=\).*#\1"${binPath}"#' 64bit/helper/waitppp.sh
  '';

  installPhase = ''
    mkdir -p "$out/opt/fortinet"

    cp -r 64bit/. "$out/opt/fortinet"
    wrapProgram $out/opt/fortinet/forticlientsslvpn \
      --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
      --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd

    mkdir -p "$out/bin/"

    cat > $out/bin/forticlientsslvpn <<EOF
    #!/bin/sh
    # prepare suid bit in tmp
    # TODO maybe tmp does not support suid
    set -euf
    tmpforti=\$(${coreutils}/bin/mktemp -d)
    trap "rm -rf \$tmpforti;" INT TERM EXIT
    cp -r $out/opt/fortinet/. \$tmpforti
    chmod +s \$tmpforti/helper/subproc
    cd \$tmpforti
    "./forticlientsslvpn" "\$@"
    EOF

    chmod +x $out/bin/forticlientsslvpn
    chmod -x $out/opt/fortinet/helper/showlicense
  '';
  meta = {
    homepage = http://www.fortinet.com;
    description = "Forticlient SSL-VPN client";
    license = lib.licenses.unfree;
    maintainers = [ lib.maintainers.makefu ];
  };
}