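# Docker image definition for the animaltrack application.
#
# Arguments:
#   pkgs        - package set; supplies dockerTools, buildEnv and lib
#   pythonEnv   - Python environment; propagated to the application and
#                 copied into the image root
#   python      - Python whose package set supplies buildPythonApplication
#                 and setuptools
#   buildDate   - exported in the image as BUILD_DATE (default "unknown")
#   buildCommit - exported in the image as BUILD_COMMIT (default "unknown")
{ pkgs, pythonEnv, python, buildDate ? "unknown", buildCommit ? "unknown" }:

let
  # Build animaltrack as a package
  animaltrack = python.pkgs.buildPythonApplication {
    pname = "animaltrack";
    version = "0.1.0";
    src = ./.;
    format = "pyproject";

    nativeBuildInputs = [ python.pkgs.setuptools ];
    propagatedBuildInputs = [ pythonEnv ];

    # NOTE(review): the check phase is disabled, so nothing in this build
    # exercises the application before it is packaged into the image.
    doCheck = false;

    # Don't wrap, we'll handle PATH manually
    dontWrapPythonPrograms = true;
  };
in
pkgs.dockerTools.buildImage {
  name = "gitea.v.paler.net/alo/animaltrack";
  # NOTE(review): "latest" is a mutable tag. Consumers that need to pin or
  # roll back a deployment should reference the image by digest.
  tag = "latest";

  copyToRoot = pkgs.buildEnv {
    name = "animaltrack-env";
    paths = with pkgs; [
      # System utilities
      busybox
      bash
      sqlite

      # Python environment with all packages
      pythonEnv

      # Animaltrack application
      animaltrack
    ] ++ [
      # Docker filesystem helpers
      pkgs.dockerTools.usrBinEnv
      pkgs.dockerTools.binSh
      pkgs.dockerTools.fakeNss
      pkgs.dockerTools.caCertificates
    ];
  };

  # Create required directories without runAsRoot (which needs KVM)
  extraCommands = ''
    mkdir -p -m 1777 tmp
    # var may already exist from nix packages with restrictive permissions
    chmod 755 var 2>/dev/null || mkdir -p -m 755 var
    mkdir -p -m 755 var/lib
    mkdir -p var/lib/animaltrack
  '';

  # NOTE(review): no `User` is set below, so the container process starts as
  # root unless the runtime overrides it. Running unprivileged would also
  # require var/lib/animaltrack (the DB_PATH directory) to be writable by that
  # user; presumably extraCommands cannot chown it, since it runs without root.
  config = {
    Env = [
      "DB_PATH=/var/lib/animaltrack/animaltrack.db"
      # The image sets PATH explicitly because the programs are not wrapped
      # (dontWrapPythonPrograms above).
      "PATH=${pkgs.lib.makeBinPath [ pkgs.busybox pkgs.bash pkgs.sqlite pythonEnv animaltrack ]}"
      "PYTHONPATH=${pythonEnv}/${pythonEnv.sitePackages}:${animaltrack}/${pythonEnv.sitePackages}"
      "PYTHONUNBUFFERED=1"
      "BUILD_DATE=${buildDate}"
      "BUILD_COMMIT=${buildCommit}"
    ];
    ExposedPorts = {
      "5000/tcp" = {};
    };
    # Run migrations, then `exec` the server so it replaces the shell as the
    # container's main process. Without `exec` the shell stays PID 1 and the
    # runtime's stop signal is delivered to it rather than to the server, so
    # the server is killed at the stop timeout instead of shutting down
    # cleanly.
    Cmd = [ "sh" "-c" "animaltrack migrate && exec animaltrack serve" ];
    WorkingDir = "/var/lib/animaltrack";
  };
}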