{ lib, pkgs, config, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.eboskma.docker;

  # Private registry used both as an unqualified-name search target and as an
  # `insecure` registry (plain HTTP / unverified TLS permitted for this host).
  internalRegistry = "containers.internal.horus.nu";
in
{
  # Container-runtime module. Despite the option name it configures Podman
  # with Docker CLI compatibility, not dockerd.
  options.eboskma.docker = {
    enable = mkEnableOption "docker";
    enableNvidia = mkEnableOption "docker NVidia support";
    # enableTcpSocket = mkEnableOption "docker TCP socket";
  };

  config = mkIf cfg.enable {
    # environment.systemPackages = with pkgs; [ docker-compose ];
    environment.systemPackages = with pkgs; [ podman-compose netavark ];

    virtualisation.podman = {
      enable = true;
      # NOTE(review): virtualisation.podman.enableNvidia is deprecated on recent
      # NixOS channels in favour of hardware.nvidia-container-toolkit.enable;
      # confirm against the channel this host tracks.
      inherit (cfg) enableNvidia;
      # Provides a `docker` alias for the podman CLI only; it does not enable
      # the Docker-compatible API socket (virtualisation.podman.dockerSocket).
      dockerCompat = true;
      autoPrune = {
        enable = true;
        dates = "weekly";
      };
      # daemon.settings = {
      #   insecure-registries = config.virtualisation.containers.registries.insecure;
      #   features = {
      #     buildkit = true;
      #   };
      # };
      # Container-to-container name resolution on the default network.
      defaultNetwork.settings.dns_enable = true;
    };

    virtualisation.containers = {
      registries = {
        # `insecure` disables transport authentication for this one host:
        # images pulled from it can be served over HTTP or with an untrusted
        # certificate, so their integrity rests on the network path alone.
        insecure = [ internalRegistry ];
        # Resolution order for unqualified image names; the public registries
        # are tried before the internal one, so a private image name that also
        # exists on docker.io or quay.io resolves to the public copy.
        search = [ "docker.io" "quay.io" internalRegistry ];
      };
      containersConf.settings.engine.helper_binaries_dir = [ "${pkgs.netavark}/bin" ];
    };

    # Membership of these groups grants access to the rootful runtime control
    # socket wherever one is enabled, which is effectively root on the host;
    # keep it limited to the primary user.
    users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "docker" "podman" ];

    # Make DNS work in containers: the podman bridge interfaces must accept
    # queries to the embedded resolver on port 53.
    networking.firewall.interfaces."podman+" = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };

    # Disabled. As written this would publish the Podman socket on every
    # interface (0.0.0.0:2376) with allowAll, i.e. any client presenting a
    # certificate from the ACME CA would get root-equivalent control of the
    # host. If revived, bind to a specific address and restrict clients with
    # the allowCN/allowOU-style options instead of allowAll.
    # services.ghostunnel = mkIf cfg.enableTcpSocket {
    #   enable = true;
    #   servers."podman-socket" = {
    #     listen = "0.0.0.0:2376";
    #     target = "unix:/run/podman/podman.sock";
    #     allowAll = mkDefault true;
    #     extraArguments = ''
    #       --auto-acme-cert=mimir.internal.horus.nu
    #       --auto-acme-email=erwin@horus.nu
    #       --auto-acme-ca=https://mimir.internal.horus.nu
    #     '';
    #   };
    # };
  };
}