{ system ? builtins.currentSystem }:
let
  pkgs = import <nixpkgs> { inherit system; };

in
let
  img = spec: {
    streamed = pkgs.dockerTools.streamLayeredImage spec;
    layered = pkgs.dockerTools.buildLayeredImage spec;
    image = pkgs.dockerTools.buildImage spec;
  };

in
{

  #  ejabberd = pkgs.dockerTools.buildImage {
  #    name = "docker.benkard.de/mulk/ejabberd";
  #    tag = "latest";
  #    contents = [
  #      pkgs.ejabberd
  #      pkgs.bash
  #      pkgs.nano
  #    ];
  #    config = {
  #      Env = [ ];
  #      ExposedPorts = { };
  #      WorkingDir = "/";
  #      Volumes = {
  #        "/data" = { };
  #      };
  #    };
  #  };

  prosody = img {
    name = "docker.benkard.de/mulk/prosody";
    #tag = "latest";
    contents = with pkgs; [
      prosody
      bash
      coreutils
      nano
    ];
    config = {
      Entrypoint = [ "/bin/bash" ];
      Cmd = [ ];
      Env = [ ];
      ExposedPorts = { };
      WorkingDir = "/";
      Volumes = {
        "/data" = { };
      };
    };
  };

  mailcow =
    let
      dockerComposeOverrideYaml =
        pkgs.writeTextDir "docker-compose.override.yml" ''
          version: '2.1'

          services:
            mysql-mailcow:
              image: alpine/socat:1.0.3
              command:
                - UNIX-LISTEN:/var/run/mysqld/mysqld.sock,reuseaddr,fork,unlink-early,mode=0777
                - TCP-CONNECT:mysql.system.svc.cluster.local.:3306
              volumes:
                - mysql-socket-vol-1:/var/run/mysqld/:Z
              restart: always

            netfilter-mailcow:
              build: ./data/Dockerfiles/netfilter

            watchdog-mailcow:
              build: ./data/Dockerfiles/watchdog

          volumes:
            vmail-vol-1:                {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail"}}
            vmail-index-vol-1:          {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail-index"}}
            mysql-vol-1:                {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql"}}
            mysql-socket-vol-1:         {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql-socket"}}
            redis-vol-1:                {driver: local, driver_opts: {o: bind, type: none, device: "/vol/redis-data"}}
            rspamd-vol-1:               {driver: local, driver_opts: {o: bind, type: none, device: "/vol/rspamd-data"}}
            solr-vol-1:                 {driver: local, driver_opts: {o: bind, type: none, device: "/vol/solr-data"}}
            postfix-vol-1:              {driver: local, driver_opts: {o: bind, type: none, device: "/vol/postfix-data"}}
            crypt-vol-1:                {driver: local, driver_opts: {o: bind, type: none, device: "/vol/crypt-data"}}
            sogo-web-vol-1:             {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-web"}}
            sogo-userdata-backup-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-userdata-backup"}}
        '';

      init =
        pkgs.writeShellScriptBin "init" ''
          set -xeuo pipefail

          if ! [ -e /vol/docker-data/docker.ext4 ]; then
              ${pkgs.busybox}/bin/dd if=/dev/zero of=/vol/docker-data/docker.ext4 bs=1G count=0 seek=30
              ${pkgs.e2fsprogs}/bin/mkfs.ext4 /vol/docker-data/docker.ext4
          fi
          ${pkgs.e2fsprogs}/bin/e2fsck -y /vol/docker-data/docker.ext4
          ${pkgs.busybox}/bin/mkdir -p /var/lib/docker
          ${pkgs.busybox}/bin/mount -o loop,rw /vol/docker-data/docker.ext4 /var/lib/docker

          ${pkgs.docker}/bin/dockerd --storage-driver=overlay2 &
          sleep 10s

          ${pkgs.docker}/bin/docker kill $(${pkgs.docker}/bin/docker ps -a -q) || :
          ${pkgs.docker}/bin/docker system prune --volumes --force || :

          ${pkgs.docker-compose}/bin/docker-compose -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml build

          ${pkgs.busybox}/bin/mkdir -p /tmp /run/{mysql,mysql-socket}
          exec ${pkgs.docker-compose}/bin/docker-compose --env-file /mailcow-dockerized/mailcow.conf -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml up --remove-orphans
        '';

      src = ./mailcow/src;

      extraDeps = with pkgs; [
        # for Docker
        cacert

        # for update.sh
        bash
        coreutils
        curl
        docker
        docker-compose
        findutils
        gawk
        gitMinimal
      ];

      maintenanceDeps = with pkgs; [
        bash
        busybox
        coreutils
        findutils
        pxattr
        strace
      ];
    in
    img {
      name = "docker.benkard.de/mulk/mailcow";
      tag = "latest";
      maxLayers = 125;
      contents = extraDeps ++ maintenanceDeps;
      extraCommands =
        ''
          #!${pkgs.runtimeShell}

          install -dm755 vol/{crypt-data,postfix-data,redis-data,rspamd-data,sogo-web,sogo-userdata-backup,solr-data,vmail,vmail-index,web-data}

          cp -a ${src}/* .
        '';
      config = {
        Entrypoint = [ "${init}/bin/init" ];
        Cmd = [ ];
        Workdir = "/mailcow-dockerized";
        Volumes = {
          "/mailcow-dockerized/data/conf" = { };
          "/mailcow-dockerized/data/assets/ssl" = { };
          "/vol/crypt-data" = { };
          "/vol/docker-data" = { };
          "/vol/postfix-data" = { };
          "/vol/redis-data" = { };
          "/vol/rspamd-data" = { };
          "/vol/sogo-web" = { };
          "/vol/sogo-userdata-backup" = { };
          "/vol/solr-data" = { };
          "/vol/vmail" = { };
          "/vol/vmail-index" = { };
          "/vol/web-data" = { };
        };
      };
    };

  nextcloud = img {
    name = "docker.benkard.de/mulk/nextcloud";
    contents =
      let
        baseDependencies = with pkgs; [
          # Service dependencies.
          apacheHttpd
          apacheHttpdPackages.php

          # Optional dependencies.
          ffmpeg

          # Maintenance and manual upgrades.
          bash
          coreutils
          php
          unzip
        ];

        phpModules = with pkgs.php74Extensions; [
          # Required dependencies.
          ctype
          curl
          dom
          gd
          iconv
          json
          mbstring
          openssl
          pdo_pgsql
          posix
          session
          simplexml
          xml
          xmlreader
          xmlwriter
          zip
          zlib

          # Recommended dependencies.
          bz2
          intl
          fileinfo

          # Optional dependencies.
          apcu
          bcmath
          ftp
          gmp
          imagick
          memcached
          pcntl
          redis
          #smbclient
        ];
      in
      baseDependencies ++ phpModules;
    config = {
      WorkingDir = "/var/www/html";
      Volumes = {
        "/var/www/html" = { };
      };
    };
  };

  webcron = img {
    name = "docker.benkard.de/mulk/webcron";
    contents =
      with pkgs; [
        # Entry points.
        curl
      ];
    config = {
      Entrypoint = [ "curl" "-fsS" ];
      Cmd = [ ];
      Volumes = { };
    };
  };

  samba =
    let
      runner =
        pkgs.stdenv.mkDerivation {
          name = "mulk-samba-runner";
          buildInputs = with pkgs; [ bash ];
          src = ./samba;
          builder = builtins.toFile "builder.sh" ''
            source $stdenv/setup
            set -euo pipefail
            set -x

            install -Dm755 $src/init $out/init

            for svc in avahi dbus nmbd smbd; do
                install -Dm755 $src/service/$svc/run $out/service/$svc/run
            done

            set +x
          '';
        };

    in
    img {
      name = "docker.benkard.de/mulk/samba";
      contents = with pkgs; [
        # Services.
        avahi
        dbus
        #samba4Full
        (samba.override { enableMDNS = true; enableProfiling = false; enableRegedit = false; })

        # Control.
        execline
        gnused
        runner
        s6

        # Maintenance.
        busybox
      ];
      extraCommands =
        let
          dbusSystemConf =
            builtins.toFile "dbus-1-system.conf" ''
              <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
                                         "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
              <busconfig>
                <type>system</type>
                <auth>ANONYMOUS</auth>
                <!-- <auth>EXTERNAL</auth> -->
                <allow_anonymous/>
                <listen>unix:path=/run/dbus/system_bus_socket</listen>
                <standard_system_servicedirs/>

                <policy context="default">
                  <allow user="*"/>

                  <deny own="*"/>
                  <deny send_type="method_call"/>
              
                  <allow send_type="signal"/>
                  <allow send_requested_reply="true" send_type="method_return"/>
                  <allow send_requested_reply="true" send_type="error"/>
              
                  <allow receive_type="method_call"/>
                  <allow receive_type="method_return"/>
                  <allow receive_type="error"/>
                  <allow receive_type="signal"/>
              
                  <allow send_destination="org.freedesktop.DBus"
                         send_interface="org.freedesktop.DBus" />
                  <allow send_destination="org.freedesktop.DBus"
                         send_interface="org.freedesktop.DBus.Introspectable"/>
                  <allow send_destination="org.freedesktop.DBus"
                         send_interface="org.freedesktop.DBus.Properties"/>

                  <deny send_destination="org.freedesktop.DBus"
                        send_interface="org.freedesktop.DBus"
                        send_member="UpdateActivationEnvironment"/>
                  <deny send_destination="org.freedesktop.DBus"
                        send_interface="org.freedesktop.DBus.Debug.Stats"/>
                  <deny send_destination="org.freedesktop.DBus"
                        send_interface="org.freedesktop.systemd1.Activator"/>
                </policy>

                <policy context="default">
                  <allow own="org.freedesktop.Avahi"/>
                </policy>

                <includedir>/share/dbus-1/system.d</includedir>
              </busconfig>
            '';

          avahiDaemonConf =
            builtins.toFile "avahi-daemon.conf" ''
              [server]
              use-ipv4=yes
              use-ipv6=yes
              enable-dbus=yes
              ratelimit-interval-usec=1000000
              ratelimit-burst=1000
              
              [wide-area]
              enable-wide-area=no
              
              [publish]
              add-service-cookie=no
              publish-addresses=no
              publish-hinfo=no
              publish-workstation=no
              publish-domain=no
              publish-aaaa-on-ipv4=yes
              publish-a-on-ipv6=no
              
              [reflector]
              
              [rlimits]
            '';

          group =
            builtins.toFile "group" ''
              dbus::997:
              avahi::998:
            '';

          passwd =
            builtins.toFile "passwd" ''
              dbus::997:997::/tmp:/nonexistent
              avahi::998:998::/tmp:/nonexistent
              nobody::999:999::/tmp:/nonexistent
            '';
        in
        ''
          #!${pkgs.runtimeShell}

          rm -rf -- etc/avahi/services/*

          install -dm755 tmp run run/dbus var/run/samba var/log/samba var/lock/samba var/locks/samba var/lib/samba/private var/cache/samba

          touch var/lib/samba/registry.tdb var/lib/samba/account_policy.tdb

          install -Dm644 ${dbusSystemConf} etc/dbus-1/system.conf
          install -Dm644 ${avahiDaemonConf} etc/avahi/avahi-daemon.conf
          install -Dm644 ${group} etc/group
          install -Dm644 ${passwd} etc/passwd
        '';
      config = {
        Entrypoint = [ "/init" ];
        Cmd = [ ];
        Volumes = {
          "/vol/shares" = { };
        };
      };
    };

  #  nano = img {
  #    name = "docker.benkard.de/mulk/nano";
  #    tag = "latest";
  #    contents = [
  #      pkgs.nano
  #    ];
  #  };
  #
  #  vim = img {
  #    name = "docker.benkard.de/mulk/vim";
  #    tag = "latest";
  #    contents = [
  #      pkgs.vim
  #    ];
  #  };

}