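# posh makes use of podman to run an encapsulated shell session
{ pkgs, ... }:
let
  # CNI configuration directory handed to libpod: a loopback plugin plus the
  # default "podman" bridge network (10.88.0.0/16, masqueraded, with portmap).
  cniConfigDir =
    let
      loopback = pkgs.writeText "00-loopback.conf" ''
        {
          "cniVersion": "0.3.0",
          "type": "loopback"
        }
      '';
      podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
        {
          "cniVersion": "0.3.0",
          "name": "podman",
          "plugins": [
            {
              "type": "bridge",
              "bridge": "cni0",
              "isGateway": true,
              "ipMasq": true,
              "ipam": {
                "type": "host-local",
                "subnet": "10.88.0.0/16",
                "routes": [ { "dst": "0.0.0.0/0" } ]
              }
            },
            {
              "type": "portmap",
              "capabilities": { "portMappings": true }
            }
          ]
        }
      '';
    in
    pkgs.runCommand "cniConfig" { } ''
      set -x
      mkdir $out
      ln -s ${loopback} $out/${loopback.name}
      ln -s ${podman-bridge} $out/${podman-bridge.name}
    '';

  # libpod.conf passed to podman via --config; points libpod at the CNI
  # directory above and at the nixpkgs CNI plugin binaries.
  podmanConfig = pkgs.writeText "libpod.conf" ''
    # libpod.conf is the default configuration file for all tools using libpod to
    # manage containers

    # Default transport method for pulling and pushing for images
    image_default_transport = "docker://"

    # Environment variables to pass into conmon
    conmon_env_vars = [
    ]

    # CGroup Manager - valid values are "systemd" and "cgroupfs"
    # cgroup_manager = "systemd"
    cgroup_manager = "cgroupfs"

    # Maximum size of log files (in bytes)
    # -1 is unlimited
    max_log_size = -1

    # Whether to use chroot instead of pivot_root in the runtime
    no_pivot_root = false

    # Directory containing CNI plugin configuration files
    cni_config_dir = "${cniConfigDir}"

    # Directories where the CNI plugin binaries may be located
    cni_plugin_dir = [
      "${pkgs.cni-plugins}/bin"
    ]

    # Default CNI network for libpod.
    # If multiple CNI network configs are present, libpod will use the network with
    # the name given here for containers unless explicitly overridden.
    # The default here is set to the name we set in the
    # 87-podman-bridge.conflist included in the repository.
    # Not setting this, or setting it to the empty string, will use normal CNI
    # precedence rules for selecting between multiple networks.
    cni_default_network = "podman"

    # Default libpod namespace
    # If libpod is joined to a namespace, it will see only containers and pods
    # that were created in the same namespace, and will create new containers and
    # pods in that namespace.
    # The default namespace is "", which corresponds to no namespace. When no
    # namespace is set, all containers and pods are visible.
    #namespace = ""

    # Default pause image name for pod pause containers
    pause_image = "k8s.gcr.io/pause:3.1"

    # Default command to run the pause container
    pause_command = "/pause"

    # Determines whether libpod will reserve ports on the host when they are
    # forwarded to containers. When enabled, when ports are forwarded to containers,
    # they are held open by conmon as long as the container is running, ensuring that
    # they cannot be reused by other programs on the host. However, this can cause
    # significant memory usage if a container has many ports forwarded to it.
    # Disabling this can save memory.
    enable_port_reservation = true

    # Default libpod support for container labeling
    # label=true
  '';

  # containers/image signature policy. "insecureAcceptAnything" for the
  # default and for docker-daemon means no image signature is ever verified;
  # whatever `--pull` fetches is run as-is. Tighten this if the image source
  # is not trusted.
  policy-json = pkgs.writeText "policy.json" ''
    {
      "default": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "transports": {
        "docker-daemon": {
          "": [{"type":"insecureAcceptAnything"}]
        }
      }
    }
  '';
in
# Build the `posh` wrapper script.
#   image       - container image to run (required)
#   pull        - value for podman's --pull (default "always")
#   global_args - extra arguments placed before the `run` subcommand
#   run_args    - extra arguments appended to `podman run`
#   userns      - --userns mode; null omits the flag (default "keep-id")
{ image
, pull ? "always"
, global_args ? ""
, run_args ? ""
, userns ? "keep-id"
}:
(pkgs.writeScriptBin "posh" ''
  #!${pkgs.bash}/bin/bash
  source /etc/profile

  # Forward the ssh agent socket into the container when one is present.
  # Arrays keep the optional flags intact even if the path contains spaces.
  ssh=()
  if test -S "$SSH_AUTH_SOCK"; then
    ssh=(-v "$SSH_AUTH_SOCK:$SSH_AUTH_SOCK" -e SSH_AUTH_SOCK)
  fi
  # Allocate a pty only when we were started from one.
  tty=()
  tty -s && tty=(-t)

  # define these as variables so we can override them at runtime
  POSH_IMAGE="${image}"
  POSH_PULL="${pull}"

  if [ "$1" == "-c" ]; then
    # We've most likely been spawned by sshd and are interested in $2 which contains the command string
    shift
    # TODO parse the beginning of the command for POSH_* overrides
  fi
  # Only pass -c when a non-empty command string was given.
  cmd=()
  [ -n "$*" ] && cmd=( -c "$@" )

  HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers"
  HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json"
  # -p also creates ~/.config when it does not exist yet.
  mkdir -p "$HOME_CONTAINERS_CONFIGDIR"
  # This replaces any policy.json the user already had with the
  # accept-anything policy above, so signatures are never checked for posh.
  ln -sf ${policy-json} "$HOME_POLICY_JSON"

  # Trace the final podman invocation to stderr.
  set -x
  # --network host shares the host network namespace with the container, so
  # the CNI bridge configured in libpod.conf is presumably not used here.
  # The whole home directory is bind-mounted read-write into the container.
  exec ${pkgs.podman}/bin/podman \
    --cgroup-manager=cgroupfs \
    ${global_args} \
    run \
    --annotation=io.crun.keep_original_groups=1 \
    --config ${podmanConfig} \
    --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
    --rm -i --network host --pull="''${POSH_PULL}" \
    "''${tty[@]}" "''${ssh[@]}" -e HOME -v "$HOME:$HOME" -w "$HOME" \
    ${if userns != null then "--userns=" + userns else ""} \
    ${run_args} \
    "''${POSH_IMAGE}" /usr/bin/env bash -l "''${cmd[@]}"
'').overrideAttrs (attrs: attrs // {
  # Lets this package be used as a login shell via `users.users.<name>.shell`.
  passthru = { shellPath = "/bin/posh"; };
})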