{
  pkgs,
  config,
  service_configs,
  ...
}:
{
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    portMappings = [
      {
        from = config.services.qbittorrent.webuiPort;
        to = config.services.qbittorrent.webuiPort;
      }
    ];

    openVPNPorts = [
      {
        port = config.services.qbittorrent.webuiPort;
        protocol = "both";
      }
    ];
  };

  services.qbittorrent = {
    enable = true;
    package = pkgs.qbittorrent-nox;
    webuiPort = service_configs.ports.torrent;
    serverConfig.LegalNotice.Accepted = true;
    serverConfig.Preferences.WebUI = {
      AlternativeUIEnabled = true;
      RootFolder = "${pkgs.fetchzip {
        url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.18.0/vuetorrent.zip";
        sha256 = "Z+N1RgcF67R6hWEfmfBls1+YLWkhEJQuOVqXXJCyptE=";
      }}";

      # disable auth because we use caddy for auth
      AuthSubnetWhitelist = "0.0.0.0/0";
      AuthSubnetWhitelistEnabled = true;
    };

    serverConfig.Preferences.Downloads = {
      SavePath = service_configs.torrent.SavePath;
      TempPath = service_configs.torrent.TempPath;
    };

    serverConfig.BitTorrent.Session = {
      GlobalUPSpeedLimit = 1000; # 1 MiB/s
      QueueingSystemEnabled = false; # seed all torrents all the time
    };
  };

  # make qbittorrent use a vpn
  systemd.services.qbittorrent.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };
}