{ pkgs, ... }:
let
  mediaGroup = "media";
in
{
  users.users.torrenter = {
    isSystemUser = true;
    group = "${mediaGroup}";
  };
  users.groups.${mediaGroup} = {
    members = [
      "ren"
      "prowlarr"
      "radarr"
    ];
  };

  age.secrets.wg-scribe = {
    file = ../../../keys/wg-scribe;
    path = "/etc/wireguard/wg-scribe.conf";
  };

  networking.firewall.trustedInterfaces = [ "wg-selene" "wg-scribe" ];
  networking.firewall.allowedUDPPorts = [ 23379 ];
  networking.firewall.allowedTCPPorts = [ 23379 ];

  networking.firewall.checkReversePath = false;
  services.prowlarr.enable = true;

  services.deluge = {
   enable = true;
   web.enable = true;
   user = "torrenter";
   group = mediaGroup;

  };

  services.radarr = {
    enable = true;
    group = mediaGroup;
    openFirewall = false;
  };

  services.sonarr = {
    enable = true;
    group = mediaGroup;
    openFirewall = false;
  };

  services.bazarr = {
    enable = true;
    group = mediaGroup;
    openFirewall = false;
  };

  environment.systemPackages = [
    pkgs.flood-for-transmission
  ];

  systemd.tmpfiles.rules = [
    "d /mnt/scratch/torrents 0775 torrenter media -"
    "d /mnt/scratch/torrents/.incomplete 0775 torrenter media -"
  ];
}