# NixOS module: runs Transmission, Jackett, Sonarr, Radarr and Lidarr inside a
# single declarative container ("torrents") that brings up a WireGuard
# interface, and publishes each web UI through an nginx virtual host on the host.
{ config, lib, pkgs-unstable, ... }:

let
  cfg = config.custom.services.torrents;

  secrets = config.sops.secrets;
  domain = config.networking.domain;

  # Both ends of the container's private network link.
  hostSideAddress = "192.168.1.1";
  containerAddress = "192.168.1.2";

  dataRoot = "/nix/var/data";
  dataDirFor = name: "${dataRoot}/${name}";

  # `containers.torrents.config` below is a plain attribute set, not a module
  # function, so `config` inside it is still the HOST configuration. These two
  # names are therefore read from the host's www-data user and group, which
  # must be declared elsewhere in the host configuration.
  serviceUser = config.users.users.www-data.name;
  serviceGroup = config.users.groups.www-data.name;

  # Secret files are mounted at the same path they have on the host.
  # `isReadOnly` is left at the option default.
  secretMount = secret: { hostPath = secret.path; };

  # Persistent state directory, mounted writable at the same path.
  writableMount = path: {
    hostPath = path;
    isReadOnly = false;
  };

  # Options shared by Jackett and the *arr services.
  # NOTE(review): `openFirewall` is not scoped to an interface here, so the
  # port is presumably opened on wg0 as well as on the host-facing link -
  # confirm that this is intended.
  indexerService = name: {
    enable = true;
    openFirewall = true;
    user = serviceUser;
    group = serviceGroup;
    dataDir = dataDirFor name;
  };

  # TLS terminates at nginx; the hop to the container is plain HTTP over the
  # private link. No access control is configured at the nginx layer in this
  # module, so each application's own authentication is the only gate.
  # NOTE(review): confirm authentication is enabled in Jackett/Sonarr/Radarr/Lidarr.
  proxyTo = port: {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${containerAddress}:${toString port}";
    };
  };
in
{
  options.custom.services.torrents = {
    enable = lib.mkEnableOption "torrents";
  };

  config = lib.mkIf cfg.enable {
    sops.secrets = {
      vpnWireguardConfig.key = "wireguard/torrents.conf";
      transmissionRpcCredentials.key = "transmission/rpc_config.json";
    };

    containers.torrents = {
      # Only the bind-mounted paths below persist across container restarts.
      ephemeral = true;
      autoStart = true;
      enableTun = true;
      privateNetwork = true;
      hostAddress = hostSideAddress;
      localAddress = containerAddress;

      bindMounts =
        {
          "${secrets.vpnWireguardConfig.path}" = secretMount secrets.vpnWireguardConfig;
          "${secrets.transmissionRpcCredentials.path}" = secretMount secrets.transmissionRpcCredentials;
        }
        // lib.genAttrs
          (map dataDirFor [
            "media"
            "jackett"
            "sonarr"
            "radarr"
            "lidarr"
            "transmission"
          ])
          writableMount;

      config = {
        time.timeZone = "Europe/Amsterdam";

        # Fixed ids for the service account that owns the bind-mounted data.
        # NOTE(review): presumably these match the host's www-data ids - confirm.
        users.groups.www-data.gid = 991;
        users.users.www-data = {
          uid = 993;
          isSystemUser = true;
          group = serviceGroup;
        };

        # NOTE(review): nothing visible in this module stops Transmission from
        # running when wg0 is down, or routes its traffic only through wg0.
        # Confirm the WireGuard config (or the host) prevents traffic leaving
        # via the host link when the tunnel is not up.
        networking.wg-quick.interfaces.wg0 = {
          configFile = secrets.vpnWireguardConfig.path;
          autostart = true;
        };

        services = {
          transmission = {
            enable = true;
            package = pkgs-unstable.transmission_4;
            # NOTE(review): like `openFirewall` on the other services, this is
            # not scoped to an interface here - confirm the RPC port is not
            # meant to be reachable over wg0.
            openRPCPort = true;
            user = serviceUser;
            group = serviceGroup;
            credentialsFile = secrets.transmissionRpcCredentials.path;
            home = dataDirFor "transmission";
            settings = {
              # RPC listens on every interface in the container; access is
              # narrowed by the address whitelist (loopback and the host side
              # of the private link) and by mandatory authentication. The
              # Host-header whitelist is switched off.
              rpc-bind-address = "0.0.0.0";
              rpc-whitelist = "127.0.0.1,${hostSideAddress}";
              rpc-authentication-required = true;
              rpc-host-whitelist-enabled = false;
              incomplete-dir = "${dataDirFor "transmission"}/.incomplete";
              watch-dir = "${dataDirFor "transmission"}/watchdir";
              download-dir = "${dataDirFor "transmission"}/downloads";
            };
          };

          jackett = indexerService "jackett" // {
            package = pkgs-unstable.jackett;
          };
          sonarr = indexerService "sonarr";
          radarr = indexerService "radarr";
          lidarr = indexerService "lidarr";
        };

        # https://github.com/NixOS/nixpkgs/issues/258793
        # Forces the unit's RootDirectory settings off as a workaround.
        # NOTE(review): this presumably removes filesystem confinement that the
        # upstream unit applies - revisit once the linked issue is resolved.
        systemd.services.transmission.serviceConfig = {
          RootDirectoryStartOnly = lib.mkForce false;
          RootDirectory = lib.mkForce "";
        };

        system.stateVersion = "21.11";
      };
    };

    # virtualisation.oci-containers.containers.flaresolverr = {
    #   image = "ghcr.io/flaresolverr/flaresolverr:v3.3.11";
    #   environment = {
    #     "LOG_LEVEL" = "debug";
    #     "CAPTCHA_SOLVER" = "hcaptcha-solver";
    #   };
    #   ports = [ "192.168.1.1:8191:8191" ];
    #   autoStart = true;
    # };

    services.nginx.virtualHosts = {
      "transmission.${domain}" = proxyTo 9091;
      "jackett.${domain}" = proxyTo 9117;
      "sonarr.${domain}" = proxyTo 8989;
      "radarr.${domain}" = proxyTo 7878;
      "lidarr.${domain}" = proxyTo 8686;
    };
  };
}