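# NixOS module: runs the netboot.xyz image as an OCI container and, when
# requested, opens the host firewall for its three published ports.
# The options read through `cfg` are declared in ./options.nix.
{ config, lib, namespace, ... }:
with lib;
let
  cfg = config.${namespace}.services.netbootxyz;
in
{
  imports = [ ./options.nix ];

  config = mkIf cfg.enable {
    # Open only the protocol each published port actually uses: the web
    # interface and the asset server are published as TCP, TFTP as UDP.
    # The original opened all three ports on both protocols.
    # NOTE(review): TFTP has no authentication, and the web interface can
    # change what clients boot — confirm openFirewall is only enabled on a
    # trusted provisioning network.
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.webPort cfg.assetPort ];
      allowedUDPPorts = [ cfg.tftpPort ];
    };

    virtualisation.oci-containers = {
      containers.netbootxyz = {
        autoStart = true;
        # NOTE(review): ":latest" is a mutable tag, so the image that serves
        # boot payloads can change without a change to this file. Consider
        # pinning a release tag or an image digest.
        image = "ghcr.io/netbootxyz/netbootxyz:latest";
        # No host address is given, so each port is published on all host
        # interfaces. NOTE(review): depending on the container backend,
        # published ports may be reachable even when openFirewall is false —
        # verify on the target host.
        ports = [
          "${toString cfg.webPort}:3000"
          "${toString cfg.assetPort}:80"
          # TFTP runs over UDP; a mapping without a protocol suffix publishes
          # TCP only, which leaves the TFTP service unreachable.
          "${toString cfg.tftpPort}:69/udp"
        ];
        volumes = [
          "${cfg.dataDir}:/config"
          "${cfg.assetDir}:/assets"
        ];
      };
    };
  };
}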