# NixOS module declaring two Podman Quadlet containers: a gluetun VPN
# gateway and a qBittorrent instance that joins gluetun's network namespace,
# plus one Quadlet network named "internal".
{ service_configs, ... }:
let
  # UID/GID handed to the containers through the environment.
  runAs = {
    PUID = 1000;
    PGID = 1000;
  };

  # Settings merged into each container with `//`. The merge is shallow: a
  # container that sets its own `environments` replaces this one entirely.
  shared = {
    # Re-pulls whatever the registry currently serves for the image
    # reference. NOTE(review): neither image below is pinned to a version
    # tag or digest, so new upstream content is deployed without review.
    # Pin the references if updates should be deliberate.
    autoUpdate = "registry";
    environments = runAs;
  };

  # Used both as the published host port and as qBittorrent's WEBUI_PORT.
  webuiPort = service_configs.ports.torrent;
in
{
  virtualisation.quadlet = {
    containers = {
      gluetun.containerConfig = shared // {
        name = "gluetun";
        # No tag given, so this resolves to the registry's default tag.
        image = "docker.io/qmcgaw/gluetun";

        # NOTE(review): NET_ADMIN and /dev/net/tun match a VPN tunnel
        # container. Confirm MKNOD is still needed when the device is passed
        # in explicitly, and drop it if not.
        addCapabilities = [
          "NET_ADMIN"
          "MKNOD"
        ];

        # Replaces shared.environments (shallow merge), so PUID/PGID are not
        # passed to gluetun unless mullvad.nix sets them.
        # NOTE(review): this import is evaluated at build time. If the file
        # holds VPN credentials, they are presumably rendered into the
        # generated unit under /nix/store, which is world-readable. Prefer
        # an environment file read at runtime (Quadlet's EnvironmentFile=)
        # provisioned by a secrets manager. Confirm against the quadlet
        # module in use.
        environments = import ../secrets/mullvad.nix;

        # No host address is given, so Podman binds these on all host
        # interfaces. qBittorrent shares this namespace, so its ports are
        # published here.
        # NOTE(review): the last mapping targets container port 6011 while
        # WEBUI_PORT below is service_configs.ports.torrent. They agree only
        # if that value is 6011; confirm. Restrict the WebUI port with a
        # host address or firewall rule if it should not be reachable from
        # the whole network.
        publishPorts = [
          "6081:6081"
          "6081:6081/udp"
          "${toString webuiPort}:6011"
        ];

        volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ];

        # NOTE(review): label=disable turns off SELinux label separation for
        # this container, while the volume above still requests `:z`
        # relabelling. Confirm both are intended on the target host.
        podmanArgs = [
          "--device=/dev/net/tun"
          "--security-opt label=disable"
        ];
      };

      qbittorrent = {
        containerConfig = shared // {
          name = "qbittorrent";
          image = "lscr.io/linuxserver/qbittorrent:latest";

          # PUID/PGID are restated because this attrset replaces
          # shared.environments.
          # NOTE(review): DOCKER_MODS names a third-party image with no tag
          # or digest. linuxserver images presumably fetch it at container
          # start, so it is a second unpinned supply-chain input. Verify and
          # pin if possible.
          environments = runAs // {
            WEBUI_PORT = webuiPort;
            DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
          };

          volumes = [
            "${service_configs.torrent.config_dir}:/config:z"
            "${service_configs.torrent.download_dir}:/downloads:z"
          ];

          # Joins gluetun's network namespace instead of getting its own, so
          # qBittorrent has no network path other than through that
          # container.
          networks = [ "container:gluetun" ];
        };

        # Ordering and hard dependency on the gluetun unit.
        serviceConfig = {
          after = [ "gluetun.service" ];
          requires = [ "gluetun.service" ];
        };
      };
    };

    # No container in this file attaches to this network.
    # NOTE(review): the subnet is written with host bits set (.1/24).
    # Confirm the intended CIDR.
    networks.internal.networkConfig.subnets = [ "10.0.123.1/24" ];
  };
}