{ usePodman ? false, pkgs, lib, ... }:

let
  # To make some prebuilt derivations available in the vm
  preEval = modules: import ../../src/nix/eval-composition.nix {
    inherit modules;
    inherit pkgs;
  };

  inherit (lib)
    optionalAttrs
    optionalString
    ;

  haveSystemd = usePodman || pkgs.arionTestingFlags.dockerSupportsSystemd;

in
{
  name = "arion-test";
  machine = { pkgs, lib, ... }: {
    environment.systemPackages = [
      pkgs.arion
    ] ++ lib.optional usePodman pkgs.docker;
    virtualisation.docker.enable = !usePodman;
    virtualisation.podman = optionalAttrs usePodman {
      enable = true;
      dockerSocket.enable = true;
    };
    
    # no caches, because no internet
    nix.binaryCaches = lib.mkForce [];

    # FIXME: Sandbox seems broken with current version of NixOS test
    #        w/ writable store. Error:
    #        machine# error: linking '/nix/store/7r8z2zvhwda85pgpdn5hzzz6hs1njklc-stdenv-linux.drv.chroot/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh' to '/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh': Operation not permitted
    #
    #        There should be no reason why arion can't run without
    #        sandboxing, so please re-enable.
    nix.useSandbox = false;

    virtualisation.writableStore = true;
    virtualisation.pathsInNixDB = [
      # Pre-build the image because we don't want to build the world
      # in the vm.
      (preEval [ ../../examples/minimal/arion-compose.nix ]).config.out.dockerComposeYaml
      (preEval [ ../../examples/full-nixos/arion-compose.nix ]).config.out.dockerComposeYaml
      (preEval [ ../../examples/nixos-unit/arion-compose.nix ]).config.out.dockerComposeYaml
      (preEval [ ../../examples/traefik/arion-compose.nix ]).config.out.dockerComposeYaml
      pkgs.stdenv
    ];

    virtualisation.memorySize = 1024;
    virtualisation.diskSize = 8000;
  };
  testScript = ''
    machine.fail("curl --fail localhost:8000")
    machine.succeed("docker --version")

    # Tests
    #  - arion up
    #  - arion down
    #  - examples/minimal
    with subtest("minimal"):
        machine.succeed(
            "rm -rf work && cp -frT ${../../examples/minimal} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
        )
        machine.wait_until_succeeds("curl --fail localhost:8000")
        machine.succeed(
            "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
        )
        machine.wait_until_fails("curl --fail localhost:8000")

    # Tests
    #  - running same image again doesn't require a `docker load`
    with subtest("docker load only once"):
        # We assume image loading relies on the `docker images` and `docker load` commands, so this should fail
        machine.fail(
            "export REAL_DOCKER=$(which docker); rm -rf work && cp -frT ${../../examples/minimal} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' PATH=\"${pkgs.writeScriptBin "docker" ''
              #!${pkgs.runtimeShell} -eu
              echo 1>&2 "This failure is expected. Args were" "$@"
              echo "$@" >/tmp/docker-args
              exit 1
            ''}/bin:$PATH\" arion up -d"
        )
        machine.succeed(
            "export REAL_DOCKER=$(which docker); rm -rf work && cp -frT ${../../examples/minimal} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' PATH=\"${pkgs.writeScriptBin "docker" ''
              #!${pkgs.runtimeShell} -eu
              case $1 in
                load)
                  echo 1>&2 "arion must not docker load when upping the same deployment for the second time"
                  exit 1
                  ;;
                images)
                  echo 1>&2 "execing docker to list images"
                  exec $REAL_DOCKER "$@"
                  ;;
                *)
                  echo 1>&2 "Unknown docker invocation. This may be a shortcoming of this docker mock."
                  echo 1>&2 "Invocation: docker" "$@"
                  ;;
              esac
            ''}/bin:$PATH\" arion up -d"
        )
        machine.wait_until_succeeds("curl --fail localhost:8000")
        machine.succeed(
            "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
        )
        machine.wait_until_fails("curl --fail localhost:8000")


    # Tests
    #  - examples/flake
    # This _test_ doesn't work because flake-compat fetches the github
    # tarballs without sha256 and/or Nix doesn't consult the store before
    # downloading.
    # See https://github.com/edolstra/flake-compat/pull/12
    # with subtest("flake"):
    #     machine.succeed(
    #         "rm -rf work && cp -frT ''${../../examples/flake} work && cd work && NIX_PATH= arion up -d"
    #     )
    #     machine.wait_until_succeeds("curl --fail localhost:8000")
    #     machine.succeed("cd work && NIX_PATH= arion down")
    #     machine.wait_until_fails("curl --fail localhost:8000")

    ${optionalString haveSystemd ''
    # Tests
    #  - arion exec
    #  - examples/full-nixos
    with subtest("full-nixos"):
        machine.succeed(
            "rm -rf work && cp -frT ${../../examples/full-nixos} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
        )
        machine.wait_until_succeeds("curl --fail localhost:8000")

        machine.succeed(
            """
            set -eux -o pipefail
            cd work
            export NIX_PATH=nixpkgs='${pkgs.path}'
            echo 'target=world; echo Hello $target; exit' \
              | script 'arion exec webserver' \
              | grep 'Hello world'
            """
        ),

        machine.succeed(
            "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
        )
        machine.wait_until_fails("curl --fail localhost:8000")
    ''}

    # Tests
    #  - examples/nixos-unit
    with subtest("nixos-unit"):
        machine.succeed(
            "rm -rf work && cp -frT ${../../examples/nixos-unit} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
        )
        machine.wait_until_succeeds("curl --fail localhost:8000")
        machine.succeed(
            "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
        )
        machine.wait_until_fails("curl --fail localhost:8000")

    # Tests
    # - examples/traefik
    # - labels
    with subtest("traefik"):
        machine.succeed(
            "rm -rf work && cp -frT ${../../examples/traefik} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
        )
        machine.wait_until_succeeds("curl --fail nix-docs.localhost")
        machine.succeed(
            "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
        )
        machine.wait_until_fails("curl --fail nix-docs.localhost")
  '';
}