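# NixOS module running the Newt client as an OCI container managed by
# `virtualisation.oci-containers`. The unit/target layout (docker-network-*
# oneshot, docker-compose-newt-root.target) mirrors what compose2nix emits.
#
# NOTE(review): the unit name `docker-newt` assumes
# `virtualisation.oci-containers.backend = "docker"`; with the podman backend
# the generated unit is named differently and the overrides below would not
# apply — confirm before reusing on a podman host.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.newt;

  # Docker itself only accepts network names matching
  # [a-zA-Z0-9][a-zA-Z0-9_.-]*. Enforcing the same shape at evaluation time
  # means the name is safe to splice into the `docker network ...` shell
  # script, the ExecStop command line and the systemd unit name below —
  # a value containing `;`, `$(`, whitespace or quotes is rejected instead
  # of being interpreted by the shell.
  dockerNameType = types.strMatching "[a-zA-Z0-9][a-zA-Z0-9_.-]*";

  dockerSocket = "/var/run/docker.sock";
in
{
  options.services.newt = {
    enable = mkEnableOption "Newt container service";

    id = mkOption {
      type = types.str;
      description = "Newt ID for authentication.";
    };

    secret = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Newt secret for authentication.

        WARNING: a value given here is copied into the Nix store and into the
        generated systemd unit, both of which are world-readable, and is
        visible in `docker inspect`. Prefer
        {option}`services.newt.environmentFile`, which is read at service
        start and can live outside the store with restrictive permissions.
      '';
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/run/secrets/newt.env";
      description = ''
        Path to a `KEY=VALUE` environment file handed to the container
        (e.g. containing `NEWT_SECRET=...`). Use this instead of
        {option}`services.newt.secret` to keep the secret out of the Nix
        store. One of the two options must be set.
      '';
    };

    image = mkOption {
      type = types.str;
      default = "fosrl/newt";
      description = "Docker image to use for Newt.";
    };

    networkName = mkOption {
      type = dockerNameType;
      default = "newt";
      description = "Docker network name to use (ignored with `useHostNetwork`).";
    };

    networkAlias = mkOption {
      type = types.str;
      default = "newt";
      description = "Network alias for the container (ignored with `useHostNetwork`).";
    };

    pangolinEndpoint = mkOption {
      type = types.str;
      default = "https://pangolin.ryot.foo";
      description = "Pangolin endpoint URL.";
    };

    useHostNetwork = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to use host networking instead of a dedicated Docker network.";
    };

    mountDockerSocket = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to bind-mount `/var/run/docker.sock` read/write into the
        container and point `DOCKER_SOCKET` at it.

        Read/write access to the Docker socket is equivalent to root on the
        host: anything that compromises the Newt container can start a
        privileged container and escape. Disable this unless the Newt
        features that need Docker integration are actually used.
      '';
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.secret != null || cfg.environmentFile != null;
        message = "services.newt: set services.newt.environmentFile (recommended) or services.newt.secret.";
      }
    ];

    # Nudge existing configurations off the store-resident secret.
    warnings = optional (cfg.secret != null)
      "services.newt.secret is stored in the world-readable Nix store; consider services.newt.environmentFile instead.";

    virtualisation.oci-containers.containers."newt" = {
      image = cfg.image;

      # Only the non-secret settings go through `environment` (which ends up
      # as `-e` flags in the unit file); the secret is added here only when
      # the caller explicitly chose the inline option.
      environment = {
        "NEWT_ID" = cfg.id;
        "PANGOLIN_ENDPOINT" = cfg.pangolinEndpoint;
      } // optionalAttrs (cfg.secret != null) {
        "NEWT_SECRET" = cfg.secret;
      } // optionalAttrs cfg.mountDockerSocket {
        "DOCKER_SOCKET" = dockerSocket;
      };

      environmentFiles = optional (cfg.environmentFile != null) cfg.environmentFile;

      # See `mountDockerSocket`: this is a root-equivalent grant to the container.
      volumes = optional cfg.mountDockerSocket "${dockerSocket}:${dockerSocket}:rw";

      log-driver = "journald";

      # extraOptions is passed as argv, not through a shell, so the alias
      # needs no quoting here.
      extraOptions =
        if cfg.useHostNetwork then
          [ "--network=host" ]
        else
          [ "--network-alias=${cfg.networkAlias}" "--network=${cfg.networkName}" ];
    };

    systemd.services."docker-newt" = {
      serviceConfig = {
        Restart = mkOverride 90 "always";
        RestartMaxDelaySec = mkOverride 90 "1m";
        RestartSec = mkOverride 90 "100ms";
        RestartSteps = mkOverride 90 9;
      };
      # The container must not start before its network exists.
      after = optional (!cfg.useHostNetwork) "docker-network-${cfg.networkName}.service";
      requires = optional (!cfg.useHostNetwork) "docker-network-${cfg.networkName}.service";
      partOf = [ "docker-compose-newt-root.target" ];
      wantedBy = [ "docker-compose-newt-root.target" ];
    };

    # Oneshot that creates the Docker network (only when not using host
    # networking) and removes it again on stop.
    systemd.services."docker-network-${cfg.networkName}" = mkIf (!cfg.useHostNetwork) {
      path = [ pkgs.docker ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # Safe to interpolate unquoted: networkName is constrained by
        # dockerNameType to characters with no special meaning to systemd.
        ExecStop = "docker network rm -f ${cfg.networkName}";
      };
      # `script` runs under bash; quote the name anyway as belt-and-braces.
      script = ''
        docker network inspect ${escapeShellArg cfg.networkName} \
          || docker network create ${escapeShellArg cfg.networkName}
      '';
      partOf = [ "docker-compose-newt-root.target" ];
      wantedBy = [ "docker-compose-newt-root.target" ];
    };

    # Root target that groups the container and its network, so that
    # `systemctl restart docker-compose-newt-root.target` restarts both.
    systemd.targets."docker-compose-newt-root" = {
      unitConfig = {
        Description = "Root target generated by compose2nix.";
      };
      wantedBy = [ "multi-user.target" ];
    };
  };
}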