{ lib, config, pkgs, ... }:

{
  config.virtualisation.docker = {
    enable = true;
    # Uncomment to expose NVIDIA GPUs to containers.
    # enableNvidia = true;
    # Start the system-wide (rootful) daemon at boot instead of on first socket use.
    enableOnBoot = true;
    # Pick the btrfs storage driver only when the root filesystem is btrfs;
    # null leaves the driver to Docker's own default.
    storageDriver =
      let
        rootFsType = config.fileSystems."/".fsType;
      in
        if rootFsType == "btrfs" then "btrfs" else null;
    # Additionally run a per-user rootless daemon and export its socket
    # location (DOCKER_HOST) into user sessions.
    rootless = {
      enable = true;
      setSocketVariable = true;
    };
    # NOTE(review): daemon.settings is the rootful daemon's daemon.json; the
    # rootless daemon presumably reads its own config (rootless.daemon.settings
    # on newer NixOS) and will not see these pools - confirm if rootless
    # networks must stay inside the same ranges.
    daemon.settings = {
      # Pool for user-defined networks: 10.64.0.0/10 handed out as /24 subnets.
      default-address-pools = [
        { base = "10.64.0.0/10"; size = 24; }
      ];
      # Address and mask of the default docker0 bridge.
      # NOTE(review): 10.127.0.0/16 lies inside the pool above; Docker is
      # expected to skip subnets already routed to docker0, but verify that no
      # user network ever gets a /24 carved out of the bridge's range.
      bip = "10.127.0.1/16";
    };
  };
  # Dedicated, passwordless host account; presumably used as the owner of files
  # and bind mounts touched from inside containers (the fixed UID keeps that
  # mapping stable across rebuilds) - confirm against the compose files.
  config.users.users.indocker = {
    uid = 900;
    group = "indocker";
    isSystemUser = true;
    # "!" can never match a real hash, so password authentication is locked
    # for this account.
    hashedPassword = "!";
  };
  # Primary group of the indocker user, pinned to the same numeric id as the uid.
  config.users.groups.indocker.gid = 900;
  # Compose CLI for the whole system; the docker CLI itself comes with the module.
  config.environment.systemPackages = [ pkgs.docker-compose ];

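  # The Docker module brings the NixOS firewall machinery up regardless, so this
  # module turns the firewall on explicitly. mkOverride 90 outranks a plain
  # `networking.firewall.enable = false` elsewhere (ordinary definitions have
  # priority 100; lower wins), and the two port ranges below then admit every
  # TCP and UDP port so the host behaves as if the firewall were still off.
  #
  # SECURITY: as written, the firewall performs no ingress filtering at all.
  # To get a real allow-list, delete the two *PortRanges lines and declare the
  # host services you expose via allowedTCPPorts / allowedUDPPorts as usual.
  # NOTE(review): ports published by the rootful daemon are presumably reached
  # through Docker's own DNAT/FORWARD chains rather than INPUT, so tightening
  # this mainly protects host services, not containers - confirm before relying
  # on it.
  # TODO: force `enable` only when config.networking.firewall.enable is false
  # (reading that option from inside its own definition recurses infinitely).
  config.networking.firewall = {
    enable = lib.mkOverride 90 true;
    # allowedTCPPorts / allowedUDPPorts are deliberately not touched: the ranges
    # below already admit everything, and overriding them to [] at priority 90
    # would silently discard port lists that other modules define at the
    # default priority.
    allowedTCPPortRanges = lib.mkOverride 90 [ { from = 0; to = 65535; } ];
    allowedUDPPortRanges = lib.mkOverride 90 [ { from = 0; to = 65535; } ];
  };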
}