{ pkgs, ... }:
let
  wireguard-ui = pkgs.wireguard-ui.overrideAttrs (oldAttrs: {
    src = pkgs.applyPatches {
      src = oldAttrs.src;
      patches = [
        # - Always write config on run
        # - Activate with systemd sockets
        # - Remove telegram
        # - Automatically run wg-quick
        ./customization.patch
      ];
    };

    vendorHash = "sha256-ic9EUJLvU9mPmqU1mhjZozc6bQQqoR7XkhIKx1vuekA=";
  });
in
pkgs.dockerTools.buildImage {
  name = "wireguard-ui";
  fromImage = import ../base { inherit pkgs; };

  copyToRoot = pkgs.buildEnv {
    name = "root";
    paths =
      [ wireguard-ui ]
      ++ (with pkgs; [
        wireguard-tools
        iptables
        ipset
      ]);
    pathsToLink = [ "/bin" ];
  };

  runAsRoot = ''
    mkdir -p /etc/wireguard
  '';

  config = {
    Entrypoint = [ "wireguard-ui" ];
    ExposedPorts = {
      "5000/tcp" = { };
      "51820/udp" = { };
    };
    Volumes = {
      "/var/lib/wireguard-ui/db/clients" = { };
    };
    WorkingDir = "/var/lib/wireguard-ui";
  };
}