# NixOS module: rootful podman with docker-compatibility shim, optional NVidia
# support, a private registry configuration, and the firewall rule the
# container DNS path needs. Enabled through `eboskma.podman.enable`.
{ lib, pkgs, config, ... }:

let
  cfg = config.eboskma.podman;

  # Interface glob for the firewall rule below; nftables and iptables spell the
  # "every podman bridge" wildcard differently.
  podmanIfaceGlob =
    if config.networking.nftables.enable then "podman*" else "podman+";

  podmanSettings = {
    enable = true;
    inherit (cfg) enableNvidia;
    # Exposes a `docker` command that is really podman.
    dockerCompat = true;
    # Scheduled cleanup of unused containers/images/volumes.
    autoPrune = {
      enable = true;
      dates = "weekly";
    };
    # Name resolution between containers on podman's default network.
    defaultNetwork.settings.dns_enabled = true;
  };

  containerSettings = {
    registries = {
      # NOTE(review): an `insecure` registry may be reached over plain HTTP or
      # with an unverified TLS certificate, so image integrity for pulls from
      # it rests on the network path rather than on TLS; keep this list to
      # hosts that are only reachable on a trusted network.
      insecure = [ "containers.internal.horus.nu" ];
      # Unqualified image names are resolved against these in order, so a bare
      # `name:tag` is looked up on docker.io before the internal registry.
      search = [ "docker.io" "quay.io" "containers.internal.horus.nu" ];
    };
    containersConf.settings = {
      # Points podman at its own packaged helper binaries (the reason this is
      # needed on top of the NixOS defaults is not visible here).
      engine.helper_binaries_dir = [ "${pkgs.podman}/libexec/podman" ];
      containers = {
        log_driver = "k8s-file";
        events_logger = "journald";
      };
    };
  };
in
{
  options.eboskma.podman = {
    enable = lib.mkEnableOption "podman";
    enableNvidia = lib.mkEnableOption "podman NVidia support";
    # enableTcpSocket = lib.mkEnableOption "podman TCP socket";
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [ podman-compose netavark ];

    virtualisation.podman = podmanSettings;
    virtualisation.containers = containerSettings;

    # The main user gets the podman group; membership is what lets that user
    # drive the rootful podman socket without sudo.
    users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];

    # Make DNS work in containers: allow the podman bridge interfaces to reach
    # the host-side resolver on port 53 (presumably the one dns_enabled above
    # starts — confirm against the running host).
    networking.firewall.interfaces.${podmanIfaceGlob} = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };

    # Kept disabled. If re-enabled this would publish the podman API socket on
    # every interface (0.0.0.0:2376) behind ghostunnel; with `allowAll` any
    # client holding a certificate the configured CA trusts is accepted, so
    # access control would rest entirely on certificate issuance.
    # services.ghostunnel = lib.mkIf cfg.enableTcpSocket {
    #   enable = true;
    #   servers."podman-socket" = {
    #     listen = "0.0.0.0:2376";
    #     target = "unix:/run/podman/podman.sock";
    #     allowAll = lib.mkDefault true;
    #     extraArguments = ''
    #       --auto-acme-cert=mimir.internal.horus.nu
    #       --auto-acme-email=erwin@horus.nu
    #       --auto-acme-ca=https://mimir.internal.horus.nu
    #     '';
    #   };
    # };
  };
}