{
  pkgs,
  config,
  service_configs,
  ...
}:
{
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    enable = true;
    wireguardConfigFile = ../secrets/wg0.conf;
    accessibleFrom = [
      "192.168.0.0/24"
    ];
    portMappings = [
      {
        from = config.services.qbittorrent.webuiPort;
        to = config.services.qbittorrent.webuiPort;
      }
    ];
    openVPNPorts = [
      {
        port = config.services.qbittorrent.webuiPort;
        protocol = "both";
      }
    ];
  };

  services.qbittorrent = {
    enable = true;
    package = pkgs.qbittorrent-nox;
    webuiPort = service_configs.ports.torrent;
    serverConfig.LegalNotice.Accepted = true;
    serverConfig.Preferences.WebUI = {
      AlternativeUIEnabled = true;
      RootFolder = "${pkgs.fetchzip {
        url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.17.0/vuetorrent.zip";
        hash = "sha256-PpumQCgIZp9wENL1XZvf7CdUAW9W0pQP5wqtG9oOUpM=";
      }}";
      Password_PBKDF2 = "@ByteArray(U6PmgkmajHD6Nu5rLbazHw==:ycEEnAMGTxwAhkFiQtdkc6mbGArmnZ2Tkujk6wt4CCytlX0mzGgjQVLKzRb8vSV/S1Yu6+PuAO5gC8IxGR97jA==)";
    };

    serverConfig.Preferences.Downloads = {
      SavePath = service_configs.hdd_path + "/torrents";
      TempPath = service_configs.hdd_path + "/torrents/incomplete";
    };

    serverConfig.BitTorrent.Session = {
      GlobalUPSpeedLimit = 1000; # 1 MiB/s
      QueueingSystemEnabled = false; # seed all torrents all the time
    };
  };

  # make qbittorrent use a vpn
  systemd.services.qbittorrent.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };
}