{ pkgs, lib, config, ... }: with lib; {
  options.virtualisation.kata = with types; {
    enable = mkEnableOption "kata containers";
    sudoGroup = mkOption {
      type = bool;
      default = false;
    };

    qemuPackage = mkOption { type = package; default = pkgs.qemu; };
  };

  config =
    let
      cfg = config.virtualisation.kata;
      inherit (pkgs) kata;

      configFile = writeText "configuration.toml" ''
        [hypervisor.qemu]
        path = ${cfg.qemuPackage}/bin/qemu-system-${pkgs.system}
        kernel 

        kernel_params = ""
        firmware = ""
        machine_accelerators = ""

        default_vcpus = 1
        default_maxvcpus = 0
        default_bridges = 1
        default_memory = 2048
        disable_block_device_use = false
        block_device_driver = "virtio-scsi"
        enable_iothreads = false

        [proxy.kata]
        path = "${kata.proxy}/libexec/kata-containers/kata-proxy"

        [shim.kata]
        path = "${kata.shim}/libexec/kata-containers/kata-shim"

        [agent.kata]

        [runtime]
        internetworking_model = "macvtap"
      '';
    in {
    environment.systemPackages = optional cfg.enable kata.runtime;

    users.groups = mkIf cfg.sudoGroup { kata = {}; };
    security.sudo.extraConfig = mkIf cfg.sudoGroup ''
      %kata ALL=NOPASSWD: ${kata.runtime}/bin/kata-runtime
    '';

    environment.etc."hyper/config".text = ''
      # configurations for hyperd

      # Root directory for hyperd
      # Root=/var/lib/hyper/

      # Specify the hypervisor: libvirt, qemu, qemu-kvm, kvm, xen, vbox (for linux)
      #                         vbox (for mac).
      # "kvm"  is equivalent to "qemu-kvm" which uses qemu with kvm acceleration.
      # "qemu" is equivalent to "qemu-kvm" when the system enables kvm, otherwise
      #        the hypervisor is "qemu-tcg" (qemu without kvm acceleration).
      # When Hypervisor is not set, the hyperd will try to probe "qemu-kvm" or "xen"
      # as the containers' hypervisor according to the host, if the host doesn't
      # support any hardware-assisted technology, it will use "qemu-tcg".
      #
      Hypervisor=kvm

      # Boot kernel
      Kernel=${hypercontainer.hyperstart.kernel}

      # Boot initrd
      Initrd=${hypercontainer.hyperstart.initrd}

      # BIOS image, qboot bios will accelarate the bootup
      # Bios=/var/lib/hyper/bios-qboot.bin

      # CBFS coreboot fs for boot image, if it is set, Kernel and Initrd will be ignored
      # Cbfs=/var/lib/hyper/cbfs-qboot.rom

      # Boot CDROOM for "vbox" hypervisor (for mac only)
      # Vbox=/opt/hyper/static/iso/hyper-vbox-boot.iso

      # Storage driver for hyperd, valid value includes rawblock, devicemapper, overlay, and aufs
      StorageDriver=overlay

      # Bridge device for hyperd, default is hyper0
      # Bridge=

      # Bridge ip address for the bridge device
      # BridgeIP=

      # If the host IP is provided, a TCP port will be listened for, same as the '--host' option
      # Host=

      # This is only useful for hypernetes, to disable the iptables setup by hyperd
      # DisableIptables=false

      # Enable vsock support. This only works with libvirt/qemu hypervisor and template disabled
      # EnableVsock=false

      # VmFactoryPolicy defines the policies to create factories
      # VmFactoryPolicy = [FactoryConfig,]*FactoryConfig
      # FactoryConfig   = {["cache":NUMBER,]["template":(true|false),]"cpu":NUMBER,"memory":NUMBER}
      # Examples:
      # VmFactoryPolicy={"cache":10, "cpu":1, "memory":128}
      # VmFactoryPolicy={"cpu":3, "memory":1024}
      # VmFactoryPolicy={"template":true, "cpu":1, "memory":128}
      # VmFactoryPolicy={"cache":1, "template":true, "cpu":1, "memory":128}
      # VmFactoryPolicy={"cache":10, "template":true, "cpu":1, "memory":128},{"template":true, "cpu":3, "memory":1024}
      # It is recommended to specify the "cache" when VmFactoryPolicy is set,
      # otherwise it is a less efficient factory
      VmFactoryPolicy=

      [Log]
      # PodLogPrefix=/var/run/hyper/Pods
      # PodIdInPath=true
    '';

    systemd.services.hyperd = {
      enable = cfg.enable;

      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      path = with pkgs; [
        hypercontainer.hyperd
        leveldb
        e2fsprogs utillinux lvm2
        kmod
        kvm
        iptables
      ];

      script = ''
        ${hypercontainer.hyperd}/bin/hyperd --alsologtostderr -v=3
      '';

      serviceConfig = {
        MountFlags= "shared";
        LimitNOFILE = 1048576;
        LimitNPROC = 1048576;
        LimitCORE = "infinity";
      };
    };

    systemd.services.hyper-vmlogd = {
      enable = cfg.enable;

      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      script = ''
        ${hypercontainer.vmlogd}/bin/vmlogd
      '';

      serviceConfig = {
        MountFlags= "shared";
        LimitNOFILE = 1048576;
        LimitNPROC = 1048576;
        LimitCORE = "infinity";
      };
    };
  };
}