{
  pkgs,
  service_configs,
  config,
  lib,
  ...
}:
{
  imports = [
    (lib.vpnNamespaceOpenPort service_configs.ports.bitmagnet)
  ];

  services.bitmagnet = {
    enable = true;

    settings = {
      postgres = {
        host = service_configs.postgres.socket;
      };
      http_server = {
        # TODO! make issue about this being a string and not a `port` type
        port = ":" + (builtins.toString service_configs.ports.bitmagnet);
      };
    };
  };

  services.caddy.virtualHosts."bitmagnet.${service_configs.https.domain}".extraConfig = ''
    ${builtins.readFile ../secrets/caddy_auth}
    reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
  '';

  systemd.services.bitmagnet.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };
}