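# NixOS module: opt-in Podman setup for this host (rootful engine with the
# `docker` compatibility shim, weekly image/container pruning, optional
# NVIDIA container-toolkit support, container DNS through the firewall).
#
# Options under `eboskma.podman`:
#   enable             - switch the whole module on.
#   enableNvidia       - wire up the NVIDIA container toolkit.
#   insecureRegistries - hosts written to registries.conf as `insecure`
#                        (plain HTTP and untrusted TLS certificates are
#                        accepted for them). Pulls from these hosts are not
#                        authenticated by TLS, so image integrity for them
#                        rests on digest pinning / signatures only.
{
  lib,
  pkgs,
  config,
  ...
}:
let
  # Explicit names instead of `with lib;` so every lib identifier used here is
  # visible at the top of the file and cannot be shadowed silently.  The
  # commented-out ghostunnel block below would additionally need `mkDefault`.
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.eboskma.podman;

  # Interface wildcard syntax differs between the two firewall backends:
  # nftables matches with `*`, iptables with `+`.
  podmanInterfaces = if config.networking.nftables.enable then "podman*" else "podman+";
in
{
  options.eboskma.podman = {
    enable = mkEnableOption "podman";
    enableNvidia = mkEnableOption "podman NVidia support";
    # enableTcpSocket = mkEnableOption "podman TCP socket";
    insecureRegistries = mkOption {
      description = "List of insecure registries that don't have a (valid) certificate";
      type = types.listOf types.str;
      default = [ ];
    };
  };

  config = mkIf cfg.enable {
    # podman-compose for docker-compose style workflows; netavark is the
    # network backend the firewall rule below relies on.
    environment.systemPackages = [
      pkgs.podman-compose
      pkgs.netavark
    ];

    virtualisation.podman = {
      enable = true;
      # Installs a `docker` alias pointing at podman.
      dockerCompat = true;

      # Reclaim space from unused images/containers once a week.
      autoPrune = {
        enable = true;
        dates = "weekly";
      };

      # Name resolution between containers on the default network.
      defaultNetwork.settings.dns_enabled = true;
    };

    virtualisation.containers = {
      enable = true;
      registries = {
        # Forwarded verbatim into registries.conf; see the option doc above
        # for what `insecure` disables.
        insecure = cfg.insecureRegistries;
      };
      # containersConf.settings = {
      #   engine = {
      #     helper_binaries_dir = [
      #       "${pkgs.podman}/libexec/podman"
      #     ];
      #   };
      #   containers = {
      #     log_driver = "k8s-file";
      #     events_logger = "journald";
      #   };
      # };
    };

    hardware.nvidia-container-toolkit.enable = cfg.enableNvidia;

    # `users.users` is the canonical option; `users.extraUsers` is only a
    # legacy alias.  Membership in the `podman` group is what grants the main
    # user access to the rootful Podman socket, which amounts to root on the
    # host -- NOTE(review): confirm the socket's group in the NixOS module.
    users.users.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];

    # Make DNS work in containers: let the host-side DNS resolver on the podman
    # bridge interfaces answer UDP/53 from containers.
    networking.firewall.interfaces.${podmanInterfaces} = {
      allowedUDPPorts = [ 53 ];
    };

    # NOTE(review): if this block is ever revived, `listen = "0.0.0.0:2376"`
    # publishes the rootful Podman socket on every interface; the bind address
    # and the client-certificate policy are the access control for it.
    # services.ghostunnel = mkIf cfg.enableTcpSocket {
    #   enable = true;
    #   servers."podman-socket" = {
    #     listen = "0.0.0.0:2376";
    #     target = "unix:/run/podman/podman.sock";
    #     allowAll = mkDefault true;
    #     extraArguments = ''
    #       --auto-acme-cert=mimir.internal.horus.nu
    #       --auto-acme-email=erwin@horus.nu
    #       --auto-acme-ca=https://mimir.internal.horus.nu
    #     '';
    #   };
    # };
  };
}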