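# NixOS module: runs qbittorrent-nox inside the "wg" VPN network namespace and
# exposes its WebUI to the host through a namespace port mapping.
#
# Arguments:
#   pkgs            - package set (qbittorrent-nox, fetchzip).
#   config          - the evaluated system configuration.
#   service_configs - site-specific values; this module reads
#                     ports.torrent, torrent.SavePath and torrent.TempPath.
{
  pkgs,
  config,
  service_configs,
  ...
}:
{
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    # Host -> namespace mapping for the WebUI, so the reverse proxy on the
    # host can reach it.
    portMappings = [
      {
        from = config.services.qbittorrent.webuiPort;
        to = config.services.qbittorrent.webuiPort;
      }
    ];

    # The WebUI port is deliberately NOT listed in openVPNPorts. That option
    # accepts inbound traffic arriving on the VPN interface itself, and WebUI
    # authentication is bypassed for every source address below, so listing
    # the port there would offer an unauthenticated admin interface to the
    # VPN side. If a port must be opened towards the VPN, it should be the
    # peer listening port, never the WebUI.
  };

  services.qbittorrent = {
    enable = true;
    package = pkgs.qbittorrent-nox;

    webuiPort = service_configs.ports.torrent;

    serverConfig.LegalNotice.Accepted = true;

    serverConfig.Preferences = {
      WebUI = {
        AlternativeUIEnabled = true;
        # Third-party UI fetched from a release archive; the sha256 pin makes
        # the build fail if the upstream asset ever changes.
        RootFolder = "${pkgs.fetchzip { url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.19.0/vuetorrent.zip"; sha256 = "cIY5fhcLyEPwt5D2T0S4KhAbb8Qmd9m3xcsQTa4FX+8="; }}";

        # disable auth because we use caddy for auth
        # NOTE(review): 0.0.0.0/0 bypasses authentication for every IPv4
        # client, so the reverse proxy is the only access control. Anything
        # that can reach this port without going through the proxy gets full
        # control of the client. Consider narrowing the whitelist to the
        # address the proxy connects from - confirm that address against the
        # namespace/bridge setup before changing it.
        AuthSubnetWhitelist = "0.0.0.0/0";
        AuthSubnetWhitelistEnabled = true;
      };

      Downloads = {
        SavePath = service_configs.torrent.SavePath;
        TempPath = service_configs.torrent.TempPath;
      };
    };

    serverConfig.BitTorrent.Session = {
      GlobalUPSpeedLimit = 50; # in KiB/s
      GlobalDLSpeedLimit = 0;

      # Including overhead in limits ruins download because download
      # uses upload to communicate with seeders
      IncludeOverheadInLimits = false;

      GlobalMaxRatio = 6;

      QueueingSystemEnabled = false; # seed all torrents all the time
    };
  };

  # Create the download directories, owned by the service account.
  # Mode 0755 leaves them readable by every local user.
  systemd.tmpfiles.rules = [
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
  ];

  # make qbittorrent use a vpn
  systemd.services.qbittorrent.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };
}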