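# Repackages the upstream Sysbox CE .deb for Nix.
#
# Nothing is compiled here: the derivation downloads the vendor's prebuilt
# amd64 archive, unpacks it with dpkg, copies the tree into $out, rewrites
# /usr/ paths in the shipped systemd units and wraps every program in
# $out/bin so its helper tools resolve to pinned store paths.
{ stdenv
, lib
, fetchurl
, dpkg
, libredirect # NOTE(review): accepted but never referenced below
, makeWrapper
, gzip # NOTE(review): accepted but never referenced below
, fuse
, lsb-release
, rsync
, iptables
, jq
}:

stdenv.mkDerivation rec {
  pname = "sysbox";
  version = "0.6.2-0";

  # The SRI hash pins the exact bytes of the vendor archive, so a changed or
  # tampered download fails the build. It says nothing about how upstream
  # produced those bytes; see meta.sourceProvenance.
  # The release directory (v0.6.2) is spelled out separately from `version`:
  # bump both, together with the hash, when updating.
  src = fetchurl {
    url = "https://downloads.nestybox.com/sysbox/releases/v0.6.2/sysbox-ce_${version}.linux_amd64.deb";
    sha256 = "sha256-/Sh/LztaBytiw3j54e7uqizK0iu0jLOB0w2MhVxRtAE=";
  };

  nativeBuildInputs = [ dpkg makeWrapper ];
  # buildInputs = [ openssl ];

  # Extract only the filesystem tree of the .deb; maintainer scripts are not
  # unpacked or run by `dpkg -x`.
  unpackPhase = ''
    runHook preUnpack
    dpkg -x "$src" ./src
    runHook postUnpack
  '';

  # NOTE(review): the "flatten /usr" step is disabled, yet the unit rewrite
  # (/usr/ -> $out/) and the wrapper loop over $out/bin both assume bin/ and
  # share/ sit directly under $out. Confirm against the unpacked tree; if the
  # archive ships usr/bin, the rewritten unit paths will not exist.
  #
  # NOTE(review): NIX_REDIRECTS is only interpreted by libredirect's preload
  # library, and the wrapper does not set LD_PRELOAD, so the redirects appear
  # to have no effect as written. Before enabling a preload, consider that it
  # would be inherited by every child process these binaries start.
  #
  # --prefix places the pinned store copies of the helper tools first on
  # PATH; the caller's PATH is still searched after them for anything else.
  installPhase = ''
    runHook preInstall

    mkdir -p "$out"
    cp -r src/* "$out"

    # Flatten /usr and manually merge lib/ and usr/lib/, since mv refuses to.
    # mv "$out/lib" "$out/orig_lib"
    # mv "$out/usr/"* "$out/"
    # mkdir -p "$out/lib/systemd/system/"
    # mv "$out/orig_lib/systemd/system/"* "$out/lib/systemd/system/"
    # rmdir "$out/orig_lib/systemd/system"
    # rmdir "$out/orig_lib/systemd"
    # rmdir "$out/orig_lib"
    # rmdir "$out/usr"

    for f in "$out/lib/systemd/system/"*.service; do
      substituteInPlace "$f" \
        --replace "/usr/" "$out/"
    done

    for p in "$out/bin/"*; do
      wrapProgram "$p" \
        --set NIX_REDIRECTS "/usr/share=$out/share:/usr/bin=$out/bin" \
        --prefix PATH : "${lib.makeBinPath [ fuse rsync iptables lsb-release jq ]}"
    done

    runHook postInstall
  '';

  meta = with lib; {
    description = "Improves container isolation";
    homepage = "https://github.com/nestybox/sysbox";
    # The package ships vendor-built binaries rather than building from
    # source; declaring that lets users who disallow non-source packages
    # have the policy applied to it.
    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
    license = licenses.asl20;
    platforms = [ "x86_64-linux" ];
    mainProgram = "sysbox-runc";
  };
}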