{ pkgs, lib, config, ... }:

let 
	marzban-volume = pkgs.stdenv.mkDerivation {
		name = "marzban-volume";
		phases = [ "buildPhase" "installPhase" ];

		buildInputs = with pkgs; [
			openssl
		];

		buildPhase = ''
			mkdir -p $out
			mkdir -p $out/certs
			touch $out/.env
			touch $out/xray-config.json
			echo "" > $out/.env
		'';

		installPhase =
			(if config.marzban.cert then ''
				${pkgs.openssl}/bin/openssl req -newkey rsa:4096 -x509 -sha512  -days 730 -nodes -out $out/certs/certificate.pem -keyout $out/certs/privatekey.pem -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=${config.marzban.domain}"
				echo 'UVICORN_SSL_CERTFILE="/code/certs/certificate.pem"' >> $out/.env
				echo 'UVICORN_SSL_KEYFILE="/code/certs/privatekey.pem"' >> $out/.env
				echo 'UVICORN_SSL_CA_TYPE="private"' >> $out/.env
			'' else '''')
		+
			''
				echo 'UVICORN_HOST="${config.marzban.env.UVICORN_HOST}"' >> $out/.env
				echo 'UVICORN_PORT=${toString config.marzban.env.UVICORN_PORT}' >> $out/.env
				echo 'SUDO_USERNAME="${config.marzban.env.SUDO_USERNAME}"' >> $out/.env
				echo 'SUDO_PASSWORD="${config.marzban.env.SUDO_PASSWORD}"' >> $out/.env
				echo 'DOCS=${if config.marzban.env.DOCS then "True" else "False"}' >> $out/.env
			''
		+
			''
				cat > $out/xray_config.json <<EOF
${builtins.toJSON config.marzban.xray}
EOF
			'';
	};
in {
	system.activationScripts.marzban-dir = ''
		mkdir -p /var/lib/marzban
		touch /var/lib/marzban/db.sqlite3
	'';

	virtualisation.docker = {
		enable = true;
		autoPrune.enable = true;
	};
	virtualisation.oci-containers.backend = "docker";

	virtualisation.oci-containers.containers."marzban-marzban" = 
	let
		xray-config = "${marzban-volume}/xray_config.json:/code/xray_config.json:ro";
		env = "${marzban-volume}/.env:/code/.env:ro";
		cert = "${marzban-volume}/certs:/code/certs:ro";
		database = "/var/lib/marzban/db.sqlite3:/code/db.sqlite3:rw";
	in {
		image = "gozargah/marzban:latest";
		volumes = if config.marzban.cert then [ xray-config env cert database ] else [ xray-config env database ];
		log-driver = "journald";
		extraOptions = [
			"--network=host"
		];
	};
	systemd.services."docker-marzban-marzban" = {
		serviceConfig = {
			Restart = lib.mkOverride 90 "always";
			RestartMaxDelaySec = lib.mkOverride 90 "1m";
			RestartSec = lib.mkOverride 90 "100ms";
			RestartSteps = lib.mkOverride 90 9;
		};
		partOf = [
			"docker-compose-marzban-root.target"
		];
		wantedBy = [
			"docker-compose-marzban-root.target"
		];
	};

	systemd.targets."docker-compose-marzban-root" = {
		unitConfig = {
			Description = "Root target generated by compose2nix.";
		};
		wantedBy = [ "multi-user.target" ];
	};
}