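# NixOS module that runs netboot.xyz as a podman-backed OCI container.
#
# Reads its settings from config.${namespace}.services.netbootxyz (declared in
# ./options.nix): enable, openFirewall, httpPort, httpsPort and dataDir.
{ config, lib, namespace, ... }:
with lib;
let
  cfg = config.${namespace}.services.netbootxyz;
in
{
  imports = [ ./options.nix ];

  config = mkIf cfg.enable {
    # Open the firewall for netbootxyz only when explicitly requested.
    # Both published ports below are plain "host:container" mappings, which
    # podman publishes as TCP, so only TCP is opened here. The previous
    # allowedUDPPorts entry exposed the same port numbers over UDP with no
    # listener behind them. If a UDP mapping is added to `ports` later, open
    # exactly that port rather than mirroring the TCP list.
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [
        cfg.httpPort
        cfg.httpsPort
      ];
    };

    # Create the data directory (root-owned, world-readable) before the
    # container starts; it is bind-mounted into the container below.
    systemd.tmpfiles.rules = [
      "d ${cfg.dataDir} 0755 root root -"
    ];

    # Configure netbootxyz as a container service.
    virtualisation.oci-containers = {
      backend = "podman";

      containers.netbootxyz = {
        # NOTE(review): ":latest" is a mutable tag, so a rebuild or restart can
        # pull different image content without any change to this file. Pin a
        # release tag or a digest (ghcr.io/netbootxyz/netbootxyz@sha256:<digest>)
        # so the deployed image is reviewable and reproducible. MENU_VERSION
        # below is pinned while the image is not, so the two can drift apart.
        image = "ghcr.io/netbootxyz/netbootxyz:latest";

        # Host ports come from the module options; 3000 and 3001 are the
        # container-side ports.
        ports = [
          "${toString cfg.httpPort}:3000"
          "${toString cfg.httpsPort}:3001"
        ];

        # Persist the container's configuration on the host.
        volumes = [
          "${cfg.dataDir}:/app/src/config"
        ];

        environment = {
          MENU_VERSION = "2.0.76";
          # NOTE(review): this range is passed to the container but is not
          # published in `ports` or opened in the firewall; confirm whether
          # that is intended.
          PORT_RANGE = "30000:30010";
        };

        # NOTE(review): oci-containers runs this container from a systemd
        # unit; confirm this podman restart policy is wanted in addition to
        # the unit's own restart handling.
        extraOptions = [
          "--restart=unless-stopped"
        ];
      };
    };

    # Enable podman, the backend selected for oci-containers above.
    virtualisation.podman.enable = true;
  };
}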