{ pkgs, config, lib, ... }:

with lib;

let
  cfg = config.settings.services.incus;
in {
  options = {
    settings.services.incus.enable = lib.mkOption {
      type = lib.types.bool;
      description = ''
        Enable incus service
      '';
      default = false;
    };
  };

  config = mkIf cfg.enable {
    virtualisation.incus = {
      enable = true;
      package = pkgs.unstable.incus;
      ui.enable = true;
      ui.package = pkgs.unstable.incus.ui;
    };

    users.users.xeovalyte = {
      extraGroups = [ "incus-admin" ];
    };

    networking.nftables.enable = true;

    networking.firewall.trustedInterfaces = ["incusbr0"];
  };
}