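# NixOS module: runs qBittorrent behind a gluetun VPN container using
# docker-compose, managed by a oneshot systemd unit.
#
# Inputs come from ../data/services.nix (`qbittorrent.root_dir` and
# `qbittorrent.vpn.{username,password}`).
#
# Security notes:
#   * The VPN credentials are interpolated into the compose text at evaluation
#     time, so they end up in the rendered file. The /etc copy and the working
#     copy are restricted to root (0400) below, but the copy in /nix/store is
#     still world-readable. To close that, supply the credentials at runtime
#     from a root-only file outside the store (for example an env file managed
#     by agenix or sops-nix) instead of interpolating them here.
#   * Both images track `:latest` with `pull_policy: always`, so each start
#     runs whatever was last pushed to the registry. Pin a reviewed tag or
#     digest to make upgrades deliberate.
{ config, pkgs, lib, ... }:

let
  # Not referenced in this module; kept so the binding set matches the original.
  net = import ../data/network.nix;
  serviceData = import ../data/services.nix;
  qbt = serviceData.qbittorrent;

  compose = "${pkgs.docker-compose}/bin/docker-compose";
in
{
  # State directories for the stack, created at boot by systemd-tmpfiles.
  systemd.tmpfiles.rules = [
    "d ${qbt.root_dir} 0755 root root - -"
    "d ${qbt.root_dir}/gluetun 0755 root root - -"
    "d ${qbt.root_dir}/downloads 0755 root root - -"
    "d ${qbt.root_dir}/config 0755 root root - -"
  ];

  environment.etc."qbittorrent-compose/docker-compose.yml" = {
    # The file embeds OPENVPN_USER / OPENVPN_PASSWORD, so it must not be
    # world-readable (it was 0444). docker-compose runs as root from the unit
    # below and can still read it.
    mode = "0400";
    text = ''
      services:
        gluetun:
          image: docker.io/qmcgaw/gluetun:latest
          pull_policy: always
          cap_add:
            - NET_ADMIN
          network_mode: bridge
          ports:
            - 127.0.0.1:8085:8085 # qBittorrent
          devices:
            - /dev/net/tun:/dev/net/tun
          volumes:
            - ${qbt.root_dir}/gluetun/:/gluetun
          environment:
            - VPN_SERVICE_PROVIDER=protonvpn
            - SERVER_HOSTNAME=node-nl-28.protonvpn.net,node-ch-06.protonvpn.net,node-nl-13.protonvpn.net,node-ch-06.protonvpn.net,node-es-04.protonvpn.net
            - UPDATER_PERIOD=24h
            - OPENVPN_USER=${qbt.vpn.username}
            - OPENVPN_PASSWORD=${qbt.vpn.password}
            - DOT_PROVIDERS=cloudflare,google
            - BLOCK_ADS=off
            - BLOCK_MALICIOUS=off
            - BLOCK_SURVEILLANCE=off
            - TZ=Europe/Berlin
        qbittorrent:
          image: lscr.io/linuxserver/qbittorrent:latest
          pull_policy: always
          network_mode: 'service:gluetun'
          environment:
            - PUID=1000
            - PGID=1000
            - TZ=Europe/Berlin
            - WEBUI_PORT=8085
          volumes:
            - ${qbt.root_dir}/config/:/config
            - ${qbt.root_dir}/downloads/:/downloads
    '';
  };

  systemd.services.qbittorrent-stack = {
    description = "qbittorrent stack";
    after = [ "docker.service" "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # oneshot + RemainAfterExit: the unit counts as active once
      # `docker-compose up -d` returns; the containers are supervised by docker.
      Type = "oneshot";
      RemainAfterExit = true;
      WorkingDirectory = qbt.root_dir;
      ExecStart = "${pkgs.writeShellScript "torrent-start" ''
        set -e
        # Copy compose file to working directory.
        # `install` replaces the destination and sets its mode explicitly; a
        # plain `cp` over an existing file keeps that file's old permissions,
        # which would leave an earlier world-readable copy of the credentials.
        ${pkgs.coreutils}/bin/install -m 0400 /etc/qbittorrent-compose/docker-compose.yml ${qbt.root_dir}/docker-compose.yml
        cd ${qbt.root_dir}
        ${compose} up -d
      ''}";
      ExecStop = "${pkgs.writeShellScript "torrent-stop" ''
        cd ${qbt.root_dir}
        ${compose} down
      ''}";
      ExecReload = "${pkgs.writeShellScript "torrent-reload" ''
        cd ${qbt.root_dir}
        ${compose} restart
      ''}";
      Restart = "on-failure";
      RestartSec = 10;
    };
  };

  networking.firewall = {
    # NOTE(review): the compose file publishes the web UI on 127.0.0.1:8085
    # only, so this rule is not needed to reach it through that mapping.
    # Confirm whether anything else on this host needs 8085 open; if not,
    # drop the rule so the host firewall does not advertise an unused port.
    allowedTCPPorts = [ 8085 ];
  };
}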