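# Docker images built with nixpkgs' dockerTools: a minimal `base`, an
# `interactiveBase` with a shell and basic tools, and two service images
# (`s3ql`, `syncthing`) layered on top of it.
#
# NOTE(review): the angle-bracket import paths were missing from this copy of
# the file (`import {}` cannot evaluate). `<nixpkgs>` is restored below; the
# other restored path is marked where it occurs.
{ pkgs ? import <nixpkgs> {} }:

let
  # Environment shared by every image: tools that honour SSL_CERT_FILE find
  # the CA bundle shipped by pkgs.cacert.
  baseEnv = [
    "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
  ];

in rec {
  # Minimal image that only sets up the shadow files and one unprivileged
  # account (user, uid 1000, group users, gid 100).
  #
  # No `User` is set in `config`, so processes in this image and in every
  # image derived from it start as root unless the runtime overrides the
  # user. The `user` account is created but not used by default.
  base = let
    minimalDocker = {
      # NOTE(review): any module paths listed here appear to have been lost
      # in this copy -- confirm against the original file.
      imports = [ ];
      boot.isContainer = true;
      # Fixed, all-zero machine-id: every container started from this image
      # reports the same id, so it must not be treated as a unique host
      # identifier.
      environment.etc.machine-id.text = "00000000000000000000000000000000";
    };
    # NOTE(review): presumably nixpkgs' NixOS evaluator; the path was missing
    # in this copy -- confirm. `eval` and `system` are only referenced by the
    # commented-out `contents` below, so they are never forced.
    eval = import <nixpkgs/nixos/lib/eval-config.nix> {
      modules = [ minimalDocker ];
    };
    system = eval.config.system;
  in pkgs.dockerTools.buildImage rec {
    name = "base";
    # contents = pkgs.symlinkJoin {
    #   name = "${name}-contents";
    #   paths = [
    #     system.build.etc
    #     system.path
    #   ];
    # };

    # Requires a VM to boot
    runAsRoot = ''
      #!${pkgs.stdenv.shell}
      ${pkgs.dockerTools.shadowSetup}
      groupadd users --gid 100
      useradd -g users -d /home/user -M --uid 1000 user
    '';

    config = {
      Env = baseEnv;
      WorkingDir = "/";
    };
  };

  # `base` plus a shell and a few tools for poking around in a container.
  interactiveBase = pkgs.dockerTools.buildImage {
    name = "interactiveBase";
    fromImage = base;
    contents = with pkgs; [
      procps
      zsh
      coreutils
      vim
    ];
    config = {
      Cmd = [ "/bin/zsh" ];
    };
  };

  # Mounts an S3QL file system below /buckets/$S3QL_BUCKET.
  s3ql = let
    # S3QL_BUCKET only selects the mountpoint name; the storage URL passed to
    # mount.s3ql is fixed in the script.
    #
    # The FIXME at the end of the script cannot be solved in place: `exec`
    # replaces the shell, so nothing after it runs. The /data/.isbucket
    # marker that the syncthing image checks for has to be created by some
    # other means.
    entrypoint = pkgs.writeScript "entrypoint" ''
      #!${pkgs.stdenv.shell}
      if [ -z "$S3QL_BUCKET" ]; then
        echo S3QL_BUCKET not set
        exit 1
      fi
      mkdir -p /buckets/"$S3QL_BUCKET"
      set -x
      exec mount.s3ql \
        --cachedir "$S3QL_CACHE_DIR" \
        --authfile "$S3QL_AUTHINFO2" \
        --cachesize "$S3QL_CACHESIZE" \
        --fg \
        --log none \
        --allow-root \
        s3c://e24files.com/steveej-backup \
        /buckets/"$S3QL_BUCKET"
      # FIXME: touch .isbucket after mount
    '';
  in pkgs.dockerTools.buildImage {
    name = "s3ql";
    fromImage = interactiveBase;
    contents = [
      pkgs.s3ql
      pkgs.fuse
    ];

    # Installs a setuid-root copy of fusermount and enables user_allow_other,
    # which lets non-root users request allow_other/allow_root mounts. Both
    # widen what an unprivileged process in the container can do, so this
    # image should only run code that is trusted to mount file systems.
    # Only the setuid bit is set (`u+s`); a bare `+s` would also set the
    # setgid bit, which fusermount does not need.
    # NOTE(review): FUSE inside a container also needs the runtime to expose
    # /dev/fuse and permit mounting -- keep that grant as narrow as possible.
    runAsRoot = ''
      #!${pkgs.stdenv.shell}
      mkdir -p /usr/bin
      cp -a ${pkgs.fuse}/bin/fusermount /usr/bin
      chmod u+s /usr/bin/fusermount
      echo user_allow_other >> /etc/fuse.conf
    '';

    config = {
      Env = baseEnv ++ [
        "HOME=/home/s3ql"
        "S3QL_CACHE_DIR=/var/cache/s3ql"
        "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
        "S3QL_CACHESIZE=0"
        "CONTAINER_ENTRYPOINT=${entrypoint}"
      ];
      Cmd = [ entrypoint ];
      # /etc/s3ql/authinfo2 is the file passed to --authfile and holds the
      # storage backend credentials: supply it at run time (read-only,
      # owner-only permissions) instead of baking it into an image layer.
      Volumes = {
        "/var/cache/s3ql" = {};
        "/etc/s3ql/authinfo2" = {};
        "/buckets" = {};
        "/tmp" = {};
      };
    };
  };

  # Runs syncthing against a bucket that is expected to be mounted at /data.
  syncthing = let
    # Refuses to start unless /data/.isbucket exists, so syncthing never
    # syncs into an empty, unmounted directory. The variable expansions are
    # quoted so a value containing whitespace or glob characters is passed
    # to syncthing as a single argument.
    entrypoint = pkgs.writeScript "entrypoint" ''
      #!${pkgs.stdenv.shell}
      set -x
      if [ ! -e /data/.isbucket ]; then
        echo ERROR: Bucket not mounted at /data
        exit 1
      fi
      exec syncthing \
        -home "$SYNCTHING_HOME" \
        -gui-address="$SYNCTHING_GUI_ADDRESS" \
        -no-browser
    '';
  in pkgs.dockerTools.buildImage {
    name = "syncthing";
    fromImage = interactiveBase;
    contents = pkgs.syncthing;
    config = {
      # The GUI address binds to all interfaces inside the container, so
      # whoever can reach the published port reaches the administration
      # interface. Publish the port on loopback or a trusted network only
      # and configure GUI authentication in syncthing.
      Env = baseEnv ++ [
        "SYNCTHING_HOME=/home/syncthing"
        "SYNCTHING_GUI_ADDRESS=0.0.0.0:8384"
      ];
      Cmd = [ entrypoint ];
      Volumes = {
        "/home/syncthing" = {};
        "/data" = {};
      };
    };
  };
}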