{ pkgs, ... }:
let
  mediaGroup = "media";
in
{
  users.users.torrenter = {
    isSystemUser = true;
    group = "${mediaGroup}";
  };
  users.groups.${mediaGroup} = {
    members = [
      "ren"
      "prowlarr"
      "radarr"
    ];
  };

  age.secrets.mullvad = {
    file = ../../../keys/mullvad;
    path = "/etc/wireguard/mullvad.conf";
  };

  networking.firewall.trustedInterfaces = [ "wg-selene" ];
  services.prowlarr.enable = true;

  services.transmission = {
    enable = true;
    user = "torrenter";
    group = mediaGroup;
    settings = {
      incomplete-dir-enabled = true;
      download-dir = "/mnt/scratch/torrents";
      incomplete-dir = "/mnt/scratch/torrents/.incomplete";
      blocklist-enabled = true;
      blocklist-url = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
      utp-enabled = true;
      bind-address-ipv4 = "10.64.108.193";
      rpc-port = 3027;
      rpc-whitelist-enabled = false;
      rpc-whitelist = "192.168.1.*,127.0.0.1,localhost,10.100.0.*";
      rpc-authentication-required = false;
      rpc-bind-address = "0.0.0.0"; #Bind to own IP
    };
  };

  systemd.services.transmission.serviceConfig.IOSchedulingPriority = 7;

  services.radarr = {
    enable = true;
    group = mediaGroup;
    openFirewall = false;
  };

  services.sonarr = {
    enable = true;
    group = mediaGroup;
    openFirewall = false;
  };

  services.bazarr = {
    enable = true;
    group = mediaGroup;
    openFirewall = false;
  };

  environment.systemPackages = [
    pkgs.flood-for-transmission
  ];

  systemd.tmpfiles.rules = [
    "d /mnt/scratch/torrents 0775 torrenter media -"
    "d /mnt/scratch/torrents/.incomplete 0775 torrenter media -"
  ];
}