{ system ? builtins.currentSystem }:
let
  # NOTE(review): <nixpkgs> is looked up through NIX_PATH at evaluation time,
  # so the package versions baked into every image below depend on whatever
  # channel the building machine happens to have. Pinning nixpkgs to a fixed
  # revision would make the images reproducible and their contents auditable.
  pkgs = import <nixpkgs> { inherit system; };

  # Builds one image specification with each of the three dockerTools
  # builders. Nix evaluates attributes lazily, so only the variant that is
  # actually selected (e.g. `prosody.layered`) gets built.
  img = spec:
    let
      inherit (pkgs.dockerTools) buildImage buildLayeredImage streamLayeredImage;
    in
    {
      streamed = streamLayeredImage spec;
      layered = buildLayeredImage spec;
      image = buildImage spec;
    };

in
{

  #  ejabberd = pkgs.dockerTools.buildImage {
  #    name = "docker.benkard.de/mulk/ejabberd";
  #    tag = "latest";
  #    contents = [
  #      pkgs.ejabberd
  #      pkgs.bash
  #      pkgs.nano
  #    ];
  #    config = {
  #      Env = [ ];
  #      ExposedPorts = { };
  #      WorkingDir = "/";
  #      Volumes = {
  #        "/data" = { };
  #      };
  #    };
  #  };

  # Prosody image with a small set of shell tools for maintenance.
  prosody = img {
    name = "docker.benkard.de/mulk/prosody";
    #tag = "latest";
    contents = [
      pkgs.prosody
      pkgs.bash
      pkgs.coreutils
      pkgs.nano
    ];
    config = {
      # The entry point is a shell rather than the prosody daemon, so the
      # deployment has to pass the actual command to run.
      # No `User` is configured here: the container runs as whatever user the
      # runtime defaults to unless the deployment overrides it.
      Entrypoint = [ "/bin/bash" ];
      Cmd = [ ];
      Env = [ ];
      # No ports are declared; publishing them is left to the deployment.
      ExposedPorts = { };
      WorkingDir = "/";
      Volumes."/data" = { };
    };
  };

  # Defined in ./mailcow/default.nix (importing the directory loads that
  # file); its contents are not part of this file.
  mailcow = pkgs.callPackage ./mailcow { };

  # Runtime environment for Nextcloud: Apache, PHP and the PHP extensions.
  # The application itself is not among the contents; presumably it lives in
  # the /var/www/html volume (confirm against the deployment).
  # No Entrypoint or Cmd is set, so the deployment must supply the command.
  nextcloud = img {
    name = "docker.benkard.de/mulk/nextcloud";
    contents =
      let
        servicePackages = with pkgs; [
          # Service dependencies.
          apacheHttpd
          apacheHttpdPackages.php

          # Optional dependencies.
          ffmpeg

          # Maintenance and manual upgrades.
          bash
          coreutils
          php
          unzip
        ];

        # NOTE(review): the extensions are taken from the PHP 7.4 set while
        # `php` and `apacheHttpdPackages.php` above are unversioned. Confirm
        # that all three resolve to the same PHP version in the nixpkgs in
        # use. PHP 7.4 no longer receives upstream security fixes.
        phpExtensionPackages = with pkgs.php74Extensions; [
          # Required dependencies.
          ctype
          curl
          dom
          gd
          iconv
          json
          mbstring
          openssl
          pdo_pgsql
          posix
          session
          simplexml
          xml
          xmlreader
          xmlwriter
          zip
          zlib

          # Recommended dependencies.
          bz2
          intl
          fileinfo

          # Optional dependencies.
          apcu
          bcmath
          ftp
          gmp
          imagick
          memcached
          pcntl
          redis
          #smbclient
        ];
      in
      servicePackages ++ phpExtensionPackages;
    config = {
      WorkingDir = "/var/www/html";
      Volumes."/var/www/html" = { };
    };
  };

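  # Minimal image whose entry point is `curl -fsS` (fail on HTTP errors,
  # silent, but still print error messages). The container arguments supply
  # the URL and any further curl options.
  webcron = img {
    name = "docker.benkard.de/mulk/webcron";
    contents =
      with pkgs; [
        # Entry points.
        curl

        # Trust anchors. Without a CA bundle in the image curl has nothing
        # to verify HTTPS certificates against, which tends to end with
        # callers passing -k and losing server authentication.
        cacert
      ];
    config = {
      Entrypoint = [ "curl" "-fsS" ];
      Cmd = [ ];
      # Points curl at the bundle that `cacert` links into the image root.
      # A value set by the deployment still takes precedence.
      Env = [
        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
      ];
      Volumes = { };
    };
  };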

  # Samba file-server image: smbd/nmbd together with avahi, dbus and sshd.
  # The entry point is the /init script taken from ./samba (not visible in
  # this file); s6 and execline are included as the control tooling.
  samba =
    let
      # Copies ./samba/init and the per-service `run` scripts for avahi,
      # dbus, nmbd, smbd and sshd into the derivation output, all mode 0755.
      runner =
        pkgs.stdenv.mkDerivation {
          name = "mulk-samba-runner";
          buildInputs = with pkgs; [ bash ];
          src = ./samba;
          builder = builtins.toFile "builder.sh" ''
            source $stdenv/setup
            set -euo pipefail
            set -x

            install -Dm755 $src/init $out/init

            for svc in avahi dbus nmbd smbd sshd; do
                install -Dm755 $src/service/$svc/run $out/service/$svc/run
            done

            set +x
          '';
        };

    in
    img {
      name = "docker.benkard.de/mulk/samba";
      contents = with pkgs; [
        # Services.
        avahi
        (callPackage ./samba/bupstash.nix { })
        dbus
        openssh
        #samba4Full
        # Samba built with mDNS support and with profiling and regedit
        # switched off.
        (samba.override { enableMDNS = true; enableProfiling = false; enableRegedit = false; })
        scponly

        # Control.
        execline
        gnused
        runner
        s6

        # Maintenance.
        busybox
      ];
      extraCommands =
        let
          # System bus configuration installed as etc/dbus-1/system.conf.
          #
          # NOTE(review): the only enabled auth mechanism is ANONYMOUS
          # (EXTERNAL is commented out) and <allow_anonymous/> is set, so any
          # process able to open /run/dbus/system_bus_socket connects without
          # presenting credentials. The first default policy denies owning
          # names and sending method calls, except to the bus driver
          # interfaces listed; the second default policy lets every
          # connection own org.freedesktop.Avahi. Because identity is not
          # checked, the policy cannot tell the avahi daemon apart from any
          # other local process. Keep the socket private to this container
          # (do not share /run/dbus through a volume) and confirm that
          # SSH/scponly users cannot reach it. If the services run under the
          # distinct uids defined below, EXTERNAL auth with a per-user policy
          # would be the tighter setup. Confirm against the service run
          # scripts, which are not visible here.
          dbusSystemConf =
            builtins.toFile "dbus-1-system.conf" ''
              <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
                                         "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
              <busconfig>
                <type>system</type>
                <auth>ANONYMOUS</auth>
                <!-- <auth>EXTERNAL</auth> -->
                <allow_anonymous/>
                <listen>unix:path=/run/dbus/system_bus_socket</listen>
                <standard_system_servicedirs/>

                <policy context="default">
                  <allow user="*"/>

                  <deny own="*"/>
                  <deny send_type="method_call"/>
              
                  <allow send_type="signal"/>
                  <allow send_requested_reply="true" send_type="method_return"/>
                  <allow send_requested_reply="true" send_type="error"/>
              
                  <allow receive_type="method_call"/>
                  <allow receive_type="method_return"/>
                  <allow receive_type="error"/>
                  <allow receive_type="signal"/>
              
                  <allow send_destination="org.freedesktop.DBus"
                         send_interface="org.freedesktop.DBus" />
                  <allow send_destination="org.freedesktop.DBus"
                         send_interface="org.freedesktop.DBus.Introspectable"/>
                  <allow send_destination="org.freedesktop.DBus"
                         send_interface="org.freedesktop.DBus.Properties"/>

                  <deny send_destination="org.freedesktop.DBus"
                        send_interface="org.freedesktop.DBus"
                        send_member="UpdateActivationEnvironment"/>
                  <deny send_destination="org.freedesktop.DBus"
                        send_interface="org.freedesktop.DBus.Debug.Stats"/>
                  <deny send_destination="org.freedesktop.DBus"
                        send_interface="org.freedesktop.systemd1.Activator"/>
                </policy>

                <policy context="default">
                  <allow own="org.freedesktop.Avahi"/>
                </policy>

                <includedir>/share/dbus-1/system.d</includedir>
              </busconfig>
            '';

          # Avahi daemon configuration installed as
          # etc/avahi/avahi-daemon.conf. Wide-area DNS-SD is off and most of
          # the publish-* options are set to "no".
          avahiDaemonConf =
            builtins.toFile "avahi-daemon.conf" ''
              [server]
              use-ipv4=yes
              use-ipv6=yes
              enable-dbus=yes
              ratelimit-interval-usec=1000000
              ratelimit-burst=1000
              
              [wide-area]
              enable-wide-area=no
              
              [publish]
              add-service-cookie=no
              publish-addresses=no
              publish-hinfo=no
              publish-workstation=no
              publish-domain=no
              publish-aaaa-on-ipv4=yes
              publish-a-on-ipv6=no
              
              [reflector]
              
              [rlimits]
            '';

          # Static /etc/group with the groups of the service accounts.
          group =
            builtins.toFile "group" ''
              root::0:
              sshd::996:
              dbus::997:
              avahi::998:
            '';

          # Static /etc/passwd. Every account has /tmp as its home directory
          # and /nonexistent as its shell.
          #
          # NOTE(review): the password field (second column) is empty for
          # every account, root included, and no etc/shadow is installed
          # below. An empty field conventionally means "no password
          # required", not "locked". The /nonexistent shell blocks an
          # interactive login, but tools that only check the password would
          # accept these accounts. Consider "*" or "x" in that field once it
          # is confirmed that ./samba/init and the sshd configuration (not
          # visible here) do not rely on the empty value.
          passwd =
            builtins.toFile "passwd" ''
              root::0:0::/tmp:/nonexistent
              sshd::996:996::/tmp:/nonexistent
              dbus::997:997::/tmp:/nonexistent
              avahi::998:998::/tmp:/nonexistent
              nobody::999:999::/tmp:/nonexistent
            '';
        in
        # Build-time script using paths relative to the image root: it
        # removes the service definitions that come with avahi, creates the
        # runtime directories with mode 0755 (tmp included), pre-creates two
        # empty Samba databases and installs the four files defined above
        # with mode 0644.
        ''
          #!${pkgs.runtimeShell}

          rm -rf -- etc/avahi/services/*

          install -dm755 tmp run run/dbus var/run/samba var/log/samba var/lock/samba var/locks/samba var/lib/samba/private var/cache/samba

          touch var/lib/samba/registry.tdb var/lib/samba/account_policy.tdb

          install -Dm644 ${dbusSystemConf} etc/dbus-1/system.conf
          install -Dm644 ${avahiDaemonConf} etc/avahi/avahi-daemon.conf
          install -Dm644 ${group} etc/group
          install -Dm644 ${passwd} etc/passwd
        '';
      config = {
        # No `User` is configured, so /init starts as the container runtime's
        # default user unless the deployment overrides it.
        Entrypoint = [ "/init" ];
        Cmd = [ ];
        Volumes = {
          "/vol/shares" = { };
        };
      };
    };

  #  nano = img {
  #    name = "docker.benkard.de/mulk/nano";
  #    tag = "latest";
  #    contents = [
  #      pkgs.nano
  #    ];
  #  };
  #
  #  vim = img {
  #    name = "docker.benkard.de/mulk/vim";
  #    tag = "latest";
  #    contents = [
  #      pkgs.vim
  #    ];
  #  };

}
