{
  pkgs,
  service_configs,
  config,
  ...
}:
{
  vpnNamespaces.wg = {
    portMappings = [
      {
        from = service_configs.ports.bitmagnet;
        to = service_configs.ports.bitmagnet;
      }
    ];

    openVPNPorts = [
      {
        port = service_configs.ports.bitmagnet;
        protocol = "both";
      }
    ];
  };

  services.bitmagnet = {
    enable = true;

    settings = {
      postgres = {
        host = service_configs.postgres.socket;
      };
      http_server = {
        # TODO! make issue about this being a string and not a `port` type
        port = ":" + (builtins.toString service_configs.ports.bitmagnet);
      };
    };
  };

  services.caddy.virtualHosts.

  "bitmagnet.${service_configs.https.domain}".extraConfig =
    ''
      # tls internal
      ${builtins.readFile ../secrets/caddy_auth}
      reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
    '';
  systemd.services.bitmagnet.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };
}