{
  pkgs,
  config,
  service_configs,
  username,
  ...
}:
{
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    portMappings = [
      {
        from = config.services.qbittorrent.webuiPort;
        to = config.services.qbittorrent.webuiPort;
      }
    ];

    openVPNPorts = [
      {
        port = config.services.qbittorrent.webuiPort;
        protocol = "both";
      }
    ];
  };

  services.qbittorrent = {
    enable = true;
    package = pkgs.qbittorrent-nox;
    webuiPort = service_configs.ports.torrent;

    serverConfig.LegalNotice.Accepted = true;

    serverConfig.Preferences = {
      WebUI = {
        AlternativeUIEnabled = true;
        RootFolder = "${pkgs.fetchzip {
          url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.21.0/vuetorrent.zip";
          sha256 = "ELerk/4q+eR3rmCx/jFoDirrmx12D+5JBfDZjkPK5wA=";
        }}";

        # disable auth because we use caddy for auth
        AuthSubnetWhitelist = "0.0.0.0/0";
        AuthSubnetWhitelistEnabled = true;
      };

      Downloads = {
        SavePath = service_configs.torrent.SavePath;
        TempPath = service_configs.torrent.TempPath;
      };
    };

    serverConfig.BitTorrent = {
      Session = {
        GlobalUPSpeedLimit = 500; # in KiB/s
        GlobalDLSpeedLimit = 0;

        # Including overhead in limits ruins download because download
        # uses upload to communicate with seeders
        IncludeOverheadInLimits = false;

        GlobalMaxRatio = 2;
        QueueingSystemEnabled = false; # seed all torrents all the timei

        # add a few trackers TODO! add a script so I can just do a list
        AddTrackersEnabled = true;
        AdditionalTrackers = "udp://tracker.opentrackr.org:1337/announce\\nudp://open.stealth.si:80/announce\\nudp://open.demonii.com:1337\\nudp://exodus.desync.com:6969/announce";
      };
    };
  };

  systemd.tmpfiles.rules = [
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0755 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
  ];

  # make qbittorrent use a vpn
  systemd.services.qbittorrent.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };

  users.users.${username}.extraGroups = [
    config.services.qbittorrent.group
  ];

}