# usage:
#   0. check unit state
#     systemctl status waydroid.target waydroid-container.service waydroid-dnsmasq.service
#   1. follow the logs
#     tail -F /var/lib/waydroid/waydroid.log
#     journalctl -fu waydroid\*
#   2. start everything
#     sudo systemctl start waydroid.target # TODO add polkit rule for user?
#   3. (in wayland)
#     waydroid session start
#   4.
#     waydroid show-full-ui
#     sudo waydroid shell
#     etc.
#   5. stop everything
#     sudo systemctl stop waydroid.target
#
# NixOS module: enables waydroid, gives the waydroid0 bridge a static address
# and runs a dedicated dnsmasq (DHCP + DNS) on it. Both services are tied to
# waydroid.target, so they start and stop together with that target.
{ config, pkgs, ... }: let
  lib = import ../../lib;
  cfg = config.tv.services.waydroid;

  # TODO configure firewall
  # NOTE(review): nothing in this module restricts traffic on waydroid0; until
  # this TODO is done, filtering depends on whatever the host firewall already
  # does for that interface.

  # Full dnsmasq command line, one argument per element; joined with single
  # spaces when assigned to ExecStart below.
  dnsmasqCommand = [
    "${pkgs.dnsmasq}/bin/dnsmasq"
    "-k" # stay in the foreground so systemd supervises the process directly
    #"--port=16653" # TODO 0 to disable
    #"--dhcp-alternate-port=16667,16668"
    #"--enable-dbus=de.krebsco.tv.dnsmasq.waydroid"
    # TODO "--conf-file=/dev/null" # TODO ${dnsmasqConf}
    # NOTE(review): without --conf-file dnsmasq falls back to its default
    # configuration file if one exists on the host.
    # TODO -s $LXC_DOMAIN -S /$LXC_DOMAIN/
    "--no-ping" # XXX ping requires NET_RAW
    "--dhcp-broadcast" # XXX otherwise NET_ADMIN is needed
    "--strict-order"
    "--bind-interfaces"
    # TODO "--pid-file=.../dnsmasq.pid"
    "--listen-address 10.66.250.1"
    "--dhcp-range 10.66.250.100,10.66.250.200"
    "--dhcp-lease-max=253"
    "--dhcp-no-override"
    "--except-interface=lo"
    "--interface=waydroid0"
    "--dhcp-leasefile=/var/lib/waydroid-dnsmasq/dnsmasq.leases"
    "--dhcp-authoritative"
    # NOTE(review): "nobody" is shared with anything else on the host that
    # runs as nobody; the DynamicUser TODO in serviceConfig would give this
    # daemon a uid of its own.
    "--user=nobody" # TODO
    # TODO ipv6: --dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
  ];
in {
  options.tv.services.waydroid = {
    enable = lib.mkEnableOption "tv.services.waydroid";
    #ipv4.gateway.address = lib.mkOption {
    #  type = lib.types.addr4;
    #  default = "10.66.250.1";
    #};
  };

  config = lib.mkIf cfg.enable {
    virtualisation.waydroid.enable = true;

    # NOTE(review): this sysctl is host-wide. It enables IPv4 forwarding on
    # every interface, not only waydroid0, so it should be paired with the
    # firewall TODO above.
    boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

    networking = {
      # TODO (this is from wayland-net)
      #   ip addr add 10.66.250.1/24 broadcast + dev waydroid0
      # Bridge with no member interfaces declared here.
      bridges.waydroid0.interfaces = [ ];

      # Host side of the bridge; the dnsmasq --listen-address and
      # --dhcp-range arguments use the same /24.
      interfaces.waydroid0.ipv4.addresses = [
        {
          address = "10.66.250.1";
          prefixLength = 24;
        }
      ];
    };

    systemd = {
      # TODO we can also find 40-waydroid0 by finding .name == "waydroid0"
      #network.networks."40-waydroid0".linkConfig.RequiredForOnline = false;
      network.networks."40-waydroid0".networkConfig.ConfigureWithoutCarrier = true;

      # Empty target used only to group the two services below.
      targets.waydroid = {};

      services = {
        # mkForce discards any wantedBy/partOf defined elsewhere for this
        # unit (presumably by the module behind virtualisation.waydroid), so
        # the container follows waydroid.target only.
        waydroid-container = {
          wantedBy = lib.mkForce [ "waydroid.target" ];
          partOf = lib.mkForce [ "waydroid.target" ];
        };

        waydroid-dnsmasq = {
          description = "Dnsmasq Daemon for Waydroid";
          # XXX do we need this (it's from nixpkgs dnsmasq):
          after = [ "network.target" "systemd-resolved.service" ];
          wantedBy = [ "waydroid.target" ];
          partOf = [ "waydroid.target" ];
          serviceConfig = {
            # TODO DynamicUser = true;
            # No User= is set, so the unit and this pre-start step run with
            # systemd's default credentials; dnsmasq is told to switch user
            # itself via --user.
            ExecStartPre = [
              # Make sure the lease file exists before dnsmasq opens it.
              "${pkgs.coreutils}/bin/touch /var/lib/waydroid-dnsmasq/dnsmasq.leases"
              # TODO "${pkgs.dnsmasq}/bin/dnsmasq --test" with correct config
            ];
            ExecStart = builtins.concatStringsSep " " dnsmasqCommand;
            # Reload by sending SIGHUP to the main process.
            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
            PrivateTmp = true;
            # NOTE(review): "true" makes only /usr and the boot loader
            # directories read-only; /etc and /var stay writable. Before
            # tightening to "full" or "strict", check where dnsmasq writes
            # its pid file (see the --pid-file TODO).
            ProtectSystem = true;
            ProtectHome = true;
            #Restart = if cfg.alwaysKeepRunning then "always" else "on-failure";
            Restart = "always";
            # Provides /var/lib/waydroid-dnsmasq, where the lease file lives.
            StateDirectory = "waydroid-dnsmasq";
          };
          # TODO restartTriggers = [ config.environment.etc.hosts.source ];
        };
      };
    };
  };
}