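# NixOS module for a netboot.xyz container (web UI, NGINX asset server, TFTP).
#
# Built on the project's `mkContainerService` helper. `cfg.port`,
# `cfg.openFirewall`, `cfg.configDir` and `cfg.dataDir` are read below but not
# declared here; presumably the helper declares them (confirm in its source).
#
# Options added by this module:
#   assetPort - host port published to the container's port 80 (NGINX assets).
#   tftpPort  - host port published to the container's port 69 (TFTP).
{
  lib,
  config,
  namespace,
  ...
}:
let
  inherit (lib.${namespace}) mkOpt mkContainerService;

  cfg = config.${namespace}.services.netbootxyz;
in
{
  imports = [
    (mkContainerService {
      inherit config;
      name = "netbootxyz";

      # NOTE(review): `:latest` is a mutable tag, so an upstream push changes
      # what runs on the next pull. Pin a release tag or a digest
      # (ghcr.io/netbootxyz/netbootxyz@sha256:<DIGEST_PLACEHOLDER>) so the
      # image that serves boot files is reproducible and reviewable.
      image = "ghcr.io/netbootxyz/netbootxyz:latest";
      internalPort = 3000;

      options = {
        assetPort = mkOpt lib.types.port 4001 "NGINX port for hosting assets";
        tftpPort = mkOpt lib.types.port 69 "TFTP port";
      };

      volumes = [
        "${cfg.configDir}/netbootxyz:/config"
        "${cfg.dataDir}/isos:/assets"
      ];

      extraConfig = {
        # Open only the protocol each service speaks: the asset server is
        # HTTP (TCP) and TFTP is UDP. The original opened both ports on both
        # protocols, which exposed TCP/tftpPort and UDP/assetPort for nothing.
        #
        # NOTE(review): these rules apply to every interface. TFTP has no
        # authentication and clients boot whatever this host serves, so
        # consider `networking.firewall.interfaces.<name>.allowedUDPPorts`
        # (and the TCP equivalent) to limit exposure to the provisioning
        # network only.
        networking.firewall = lib.mkIf cfg.openFirewall {
          allowedTCPPorts = [ cfg.assetPort ];
          allowedUDPPorts = [ cfg.tftpPort ];
        };

        # mkForce replaces whatever port list the helper generated.
        # A published port defaults to TCP when no protocol suffix is given,
        # so the TFTP mapping needs an explicit `/udp` to be reachable.
        #
        # NOTE(review): the management UI on container port 3000 is published
        # on cfg.port; confirm how the helper exposes it and keep it off
        # untrusted networks.
        virtualisation.oci-containers.containers.netbootxyz.ports = lib.mkForce [
          "${toString cfg.port}:3000"
          "${toString cfg.assetPort}:80"
          "${toString cfg.tftpPort}:69/udp"
        ];
      };
    })
  ];
}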