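# NixOS module: runs jellyfin-qbittorrent-monitor.py as a sandboxed systemd
# service. Per the unit description, the script monitors Jellyfin streaming and
# controls qBittorrent rate limits; that logic lives in the Python file.
{
  pkgs,
  service_configs,
  config,
  ...
}:
let
  # Python interpreter with the `requests` library available to the script.
  monitorPython = pkgs.python3.withPackages (ps: with ps; [ requests ]);
in
{
  systemd.services."jellyfin-qbittorrent-monitor" = {
    description = "Monitor Jellyfin streaming and control qBittorrent rate limits";
    # Ordering only: `after` does not pull these units in or stop this one
    # when they stop.
    after = [
      "network.target"
      "jellyfin.service"
      "qbittorrent.service"
    ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";

      # The unit runs as a DynamicUser, which normally cannot read a
      # root-owned secret file. LoadCredential has the service manager read
      # the file and expose a private copy under $CREDENTIALS_DIRECTORY, so
      # the secret's own owner and mode can stay restrictive.
      LoadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";

      ExecStart = pkgs.writeShellScript "jellyfin-monitor-start" ''
        set -euo pipefail
        # Assign first, export second: `export VAR=$(cmd)` hides a failing
        # `cmd`, which would start the monitor with an empty API key.
        JELLYFIN_API_KEY="$(cat "$CREDENTIALS_DIRECTORY/jellyfin-api-key")"
        export JELLYFIN_API_KEY
        # NOTE(review): the key still ends up in the process environment.
        # Reading the credential file from the Python script would avoid
        # that; the script is not visible here, so the interface is kept.
        exec ${monitorPython}/bin/python ${./jellyfin-qbittorrent-monitor.py}
      '';
      Restart = "always";
      RestartSec = "10s";

      # Security hardening
      DynamicUser = true;
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RemoveIPC = true;

      # Additional sandboxing for a process that only makes HTTP requests.
      PrivateDevices = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectHostname = true;
      LockPersonality = true;
      RestrictNamespaces = true;
      # The service needs no capabilities at all.
      CapabilityBoundingSet = "";
      # AF_UNIX is kept for local name-service lookups; the rest is IP only.
      RestrictAddressFamilies = [
        "AF_UNIX"
        "AF_INET"
        "AF_INET6"
      ];
    };

    environment = {
      JELLYFIN_URL = "http://localhost:${builtins.toString service_configs.ports.jellyfin}";
      # NOTE(review): plain HTTP to a non-loopback address. Presumably wg_ip
      # is a WireGuard-side address; confirm this traffic never leaves a
      # trusted interface.
      QBITTORRENT_URL = "http://${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.torrent}";
      CHECK_INTERVAL = "30";
    };
  };
}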