# NixOS module: opt-in Docker setup (eboskma.docker.*) with docker-compose,
# weekly pruning, BuildKit and a set of internal registries.
{ lib, pkgs, config, ... }:
let
  inherit (lib) mkEnableOption mkIf;

  cfg = config.eboskma.docker;

  # Internal registries, used below both as "insecure" registries and as
  # additional search registries.
  internalRegistries = [
    "docker02.bedum.horus.nu:5000"
    "yocto-build-server.bedum.horus.nu:5000"
    "containers.internal.horus.nu"
  ];
in
{
  options.eboskma.docker = {
    enable = mkEnableOption "docker";
    enableNvidia = mkEnableOption "docker NVidia support";
    # enableTcpSocket = mkEnableOption "docker TCP socket";
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.docker-compose ];

    virtualisation.docker = {
      enable = true;
      inherit (cfg) enableNvidia;

      autoPrune = {
        enable = true;
        dates = "weekly";
      };

      daemon.settings = {
        # Read back from the containers.registries option so dockerd uses the
        # same list (including anything other modules append to it).
        # For registries in this list Docker does not require a valid TLS
        # certificate and may fall back to plain HTTP, so the transport does
        # not authenticate what is pulled from them. Serving them with a
        # trusted certificate, or pinning images by digest, removes that gap.
        insecure-registries = config.virtualisation.containers.registries.insecure;
        features.buildkit = true;
      };
    };

    virtualisation.containers.registries = {
      insecure = internalRegistries;

      # Public registries come first, then the internal ones.
      # NOTE(review): with several search registries an unqualified image name
      # can resolve to a different registry than intended; fully qualified
      # image references avoid that ambiguity.
      search = [
        "docker.io"
        "quay.io"
      ] ++ internalRegistries;
    };

    # Membership of the docker group gives access to the Docker daemon, which
    # runs as root, so this is effectively root access for the main user.
    # NOTE(review): the podman group is granted as well although this module
    # does not enable podman; presumably that happens elsewhere, so confirm.
    users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [
      "docker"
      "podman"
    ];

    # Disabled TLS front-end for the container socket, kept for reference.
    # NOTE(review) before re-enabling:
    #   - listen = "0.0.0.0:2376" publishes the socket on every interface;
    #     bind it to the management address or firewall the port.
    #   - allowAll = true appears to accept any client whose certificate
    #     validates, without checking its subject; confirm against the
    #     ghostunnel module docs and prefer an explicit allow list.
    #   - the target is the podman socket although the option is described as
    #     "docker TCP socket"; API access to it is presumably root-equivalent.
    #   - mkDefault must be brought into scope (it is not inherited above).
    # services.ghostunnel = mkIf cfg.enableTcpSocket {
    #   enable = true;
    #   servers."podman-socket" = {
    #     listen = "0.0.0.0:2376";
    #     target = "unix:/run/podman/podman.sock";
    #     allowAll = mkDefault true;
    #     extraArguments = ''
    #       --auto-acme-cert=mimir.internal.horus.nu
    #       --auto-acme-email=erwin@horus.nu
    #       --auto-acme-ca=https://mimir.internal.horus.nu
    #     '';
    #   };
    # };
  };
}