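# NixOS module: runs qBittorrent behind a gluetun VPN container via docker-compose.
#
# It creates the state directories, renders the compose file into /etc, and
# wraps `docker-compose up/down/restart` in a oneshot systemd unit.
# The VPN credentials are read from files at service start and handed to
# docker-compose through the environment, so they are not written into the
# world-readable compose file or the Nix store by this module.
{ config, pkgs, lib, ... }:
let
  serviceValidation = import ../validation/service/qbittorrent.nix;
  serviceData = import ../config/services.nix;
  qbt = serviceValidation.getQbittorrent serviceData;

  webPort = qbt.port;
  rootDir = qbt.root_dir;
  vpnUserPath = qbt.vpn.username_file;
  vpnPasswordPath = qbt.vpn.password_file;

  # Shell-quoted forms for use inside the generated scripts.
  # `toString` keeps a Nix *path* value from being copied into the
  # world-readable store, which plain "${path}" interpolation would do.
  # NOTE(review): presumably these are already strings; verify in services.nix.
  rootDirArg = lib.escapeShellArg (toString rootDir);
  vpnUserArg = lib.escapeShellArg (toString vpnUserPath);
  vpnPasswordArg = lib.escapeShellArg (toString vpnPasswordPath);

  compose = "${pkgs.docker-compose}/bin/docker-compose";
  tr = "${pkgs.coreutils}/bin/tr";

  # Shared by ExecStart and ExecReload. Assignment and `export` are separate
  # statements so that an unreadable secret file aborts the script under
  # `set -e`; `export VAR="$(cmd)"` would hide the failure and let compose
  # fall back to the DUMMY_NOT_USED default.
  exportVpnCredentials = ''
    OPENVPN_USER="$(${tr} -d '\r\n' < ${vpnUserArg})"
    OPENVPN_PASSWORD="$(${tr} -d '\r\n' < ${vpnPasswordArg})"
    export OPENVPN_USER OPENVPN_PASSWORD
  '';
in
{
  # State directories for the stack.
  # NOTE(review): 0755 lets every local user list the qBittorrent config
  # directory; confirm whether a tighter mode works with PUID/PGID 1000.
  systemd.tmpfiles.rules = [
    "d ${rootDir} 0755 root root - -"
    "d ${rootDir}/gluetun 0755 root root - -"
    "d ${rootDir}/downloads 0755 root root - -"
    "d ${rootDir}/config 0755 root root - -"
  ];

  # NOTE(review): both images use the floating `latest` tag with
  # `pull_policy: always`, so each start may run an image nobody reviewed,
  # and gluetun holds NET_ADMIN. Consider pinning by digest, e.g.
  # `image: docker.io/qmcgaw/gluetun@sha256:<DIGEST_PLACEHOLDER>`.
  #
  # The credential references are written as `''${...}`, which emits a literal
  # `${...}` for docker-compose to substitute from the environment. The
  # previous `$${...}` spelling leaves both dollar signs in the rendered file,
  # and Compose reads `$$` as an escaped literal `$`, so the variables were
  # never substituted.
  # NOTE(review): the substituted values end up in the container environment
  # and are readable via `docker inspect` by anyone with Docker socket access.
  environment.etc."qbittorrent-compose/docker-compose.yml" = {
    mode = "0444";
    text = ''
      services:
        gluetun:
          image: docker.io/qmcgaw/gluetun:latest
          pull_policy: always
          cap_add:
            - NET_ADMIN
          network_mode: bridge
          ports:
            - 127.0.0.1:${toString webPort}:${toString webPort} # qBittorrent
          devices:
            - /dev/net/tun:/dev/net/tun
          volumes:
            - ${rootDir}/gluetun/:/gluetun
          environment:
            - VPN_SERVICE_PROVIDER=protonvpn
            - SERVER_HOSTNAME=node-nl-28.protonvpn.net,node-ch-06.protonvpn.net,node-nl-13.protonvpn.net,node-es-04.protonvpn.net
            - UPDATER_PERIOD=24h
            - OPENVPN_USER=''${OPENVPN_USER:-DUMMY_NOT_USED}
            - OPENVPN_PASSWORD=''${OPENVPN_PASSWORD:-DUMMY_NOT_USED}
            - DOT_PROVIDERS=cloudflare,google
            - BLOCK_ADS=off
            - BLOCK_MALICIOUS=off
            - BLOCK_SURVEILLANCE=off
            - TZ=Europe/Berlin
        qbittorrent:
          image: lscr.io/linuxserver/qbittorrent:latest
          pull_policy: always
          network_mode: 'service:gluetun'
          environment:
            - PUID=1000
            - PGID=1000
            - TZ=Europe/Berlin
            - WEBUI_PORT=${toString webPort}
          volumes:
            - ${rootDir}/config/:/config
            - ${rootDir}/downloads/:/downloads
    '';
  };

  systemd.services.qbittorrent-stack = {
    description = "qbittorrent stack";
    after = [ "docker.service" "network.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      # oneshot + RemainAfterExit: the unit counts as active once
      # `docker-compose up -d` has returned; Docker supervises the containers.
      Type = "oneshot";
      RemainAfterExit = true;
      WorkingDirectory = rootDir;

      ExecStart = "${pkgs.writeShellScript "torrent-start" ''
        set -eu
        ${exportVpnCredentials}
        # Copy compose file to working directory
        cp /etc/qbittorrent-compose/docker-compose.yml ${rootDirArg}/
        cd ${rootDirArg}
        ${compose} up -d
      ''}";

      ExecStop = "${pkgs.writeShellScript "torrent-stop" ''
        cd ${rootDirArg}
        ${compose} down
      ''}";

      # Restarts the existing containers using the compose file already copied
      # to rootDir; the /etc copy is not re-read here.
      ExecReload = "${pkgs.writeShellScript "torrent-reload" ''
        set -eu
        ${exportVpnCredentials}
        cd ${rootDirArg}
        ${compose} restart
      ''}";

      Restart = "on-failure";
      RestartSec = 10;
    };
  };

  # The WebUI port is published on 127.0.0.1 only (see `ports:` above), so no
  # firewall opening is needed for it. The former
  # `networking.firewall.allowedTCPPorts = [ webPort ]` was dropped: it exposed
  # nothing while the bind stays on loopback, but it would have left the port
  # open to every interface as soon as anything else listened on it.
  # Remote access should go through an authenticated reverse proxy or tunnel.
}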