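{ pkgs, service_configs, eth_interface, ... }:

let
  # Interpreter carrying the only third-party module the monitor script needs.
  monitorPython = pkgs.python3.withPackages (ps: with ps; [ requests ]);
in
{
  # Network namespace that is proxied through Mullvad (WireGuard).
  # NOTE(review): `wireguardConfigFile` is passed as a Nix path. Whether the
  # vpnNamespaces module copies it into the world-readable /nix/store depends
  # on how that module consumes the option -- confirm, because wg0.conf holds
  # the WireGuard private key.
  vpnNamespaces.wg = {
    enable = true;
    wireguardConfigFile = ../secrets/wg0.conf;
    # Nothing outside the namespace may reach into it unless listed here.
    accessibleFrom = [
      # "192.168.0.0/24"
    ];
  };

  systemd.services."jellyfin-qbittorrent-monitor" = {
    description = "Monitor Jellyfin streaming and control qBittorrent rate limits";
    # The monitor polls both services over HTTP; Restart=always below copes
    # with either of them not being reachable yet.
    after = [ "network.target" "jellyfin.service" "qbittorrent.service" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      # The API key is read once at start-up and handed to the script through
      # its environment; only the service's own dynamic user and root can read
      # that via /proc/<pid>/environ.
      # NOTE(review): interpolating `${../secrets/jellyfin-api-key}` copies the
      # key into /nix/store, which every local user can read. Deploy the file
      # out-of-band (agenix/sops-nix, or `LoadCredential=` pointing at a
      # root-only path) and reference that path here instead.
      ExecStart = pkgs.writeShellScript "jellyfin-monitor-start" ''
        export JELLYFIN_API_KEY=$(cat ${../secrets/jellyfin-api-key})
        exec ${monitorPython}/bin/python ${./jellyfin-qbittorrent-monitor.py}
      '';
      Restart = "always";
      RestartSec = "10s";

      # Security hardening. The process only needs outbound TCP to the two
      # HTTP endpoints in `environment` below, so everything else is stripped.
      DynamicUser = true;
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      # AF_UNIX stays available for journald/nscd; the rest is plain IPv4/IPv6.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      # Only the Jellyfin loopback address and the qBittorrent namespace IP
      # are legitimate peers; deny every other destination at the cgroup.
      IPAddressDeny = "any";
      IPAddressAllow = [ "localhost" service_configs.https.wg_ip ];
      RestrictNamespaces = true;
      LockPersonality = true;
      # CPython itself does not need W+X pages; revisit if the script ever
      # pulls in ctypes/cffi-backed modules.
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RemoveIPC = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
    };

    environment = {
      JELLYFIN_URL = "http://localhost:${builtins.toString service_configs.ports.jellyfin}";
      QBITTORRENT_URL = "http://${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.torrent}";
      # Poll period in seconds, as read by the monitor script.
      CHECK_INTERVAL = "30";
    };
  };
}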