{ service_configs, config, ... }:
{
  virtualisation.quadlet = {
    containers = {
      gluetun.containerConfig = {
        image = "docker.io/qmcgaw/gluetun";
        name = "gluetun";
        # autoUpdate = "registry";

        addCapabilities = [
          "NET_ADMIN"
          "MKNOD"
        ];

        environments = import ../secrets/mullvad.nix;

        publishPorts = [
          "6081:6081"
          "6081:6081/udp"
          "${builtins.toString service_configs.ports.torrent}:6011"
        ];

        volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ];
        podmanArgs = [
          "--device=/dev/net/tun"
          "--security-opt label=disable"
        ];
      };

      qbittorrent = {
        containerConfig = {
          image = "lscr.io/linuxserver/qbittorrent:latest";
          name = "qbittorrent";
          autoUpdate = "registry";

          environments = {
            WEBUI_PORT = service_configs.ports.torrent;
            DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
            PGID = config.users.groups.${config.services.jellyfin.group}.gid;
          };

          volumes = [
            "${service_configs.torrent.config_dir}:/config:z"
            "${service_configs.torrent.download_dir}:/downloads:z"
          ];

          networks = [ "container:gluetun" ];
        };

        serviceConfig = {
          requires = [ "gluetun.service" ];
          after = [ "gluetun.service" ];
        };
      };
    };

    networks = {
      internal.networkConfig.subnets = [ "10.0.123.1/24" ];
    };
  };
}