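{ pkgs, config, lib, ... }:
let
  cfg = config.modules.services.qbittorrent;
  # Default WebUI port; used both for the option default and its description so
  # the two cannot drift apart again.
  default_port = 7103;
  data_dir = "/var/lib/qBittorrent";
  # Shared uid/gid of the dedicated qbittorrent system user and group; the
  # egress kill-switch below matches on this uid.
  ids = 2003;
  lan_inf = "enp89s0";           # physical LAN interface
  vpn_inf = "${lan_inf}.69";     # VPN interface (VLAN 69 on the LAN interface)
  uid_match = "-m owner --uid-owner ${toString ids}";
  # Remove the previous run's chain so the firewall start/stop script is
  # idempotent. The start script stops at the first failing command, and a chain
  # cannot be deleted while OUTPUT still jumps to it, so every step is tolerant.
  teardown = tool: ''
    ${tool} -D OUTPUT ${uid_match} -j QBIT 2>/dev/null || true
    ${tool} -F QBIT 2>/dev/null || true
    ${tool} -X QBIT 2>/dev/null || true
  '';
in {
  options.modules.services.qbittorrent = {
    enable = lib.mkEnableOption "enables qbittorrent";

    # WebUI port; nginx proxies to it on loopback and the kill-switch lets its
    # replies out.
    port = lib.mkOption {
      type = lib.types.int;
      default = default_port;
      description = "set port for qbittorrent (default: ${toString default_port})";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for qbittorrent";
    };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated group and system user; the fixed ids keep ownership of
    # data_dir stable across rebuilds.
    users.groups.qbittorrent = { gid = ids; };
    users.users.qbittorrent = {
      description = "qbittorrent server user";
      uid = ids;
      isSystemUser = true;
      home = data_dir;
      createHome = true;
      group = "qbittorrent";
      extraGroups = [ "media" ];
    };

    services.qbittorrent = {
      enable = true;
      # NOTE(review): if this option opens webuiPort (and not only
      # torrentingPort), the plaintext WebUI is reachable on every interface
      # alongside the TLS proxy below; set it to false once that is confirmed.
      openFirewall = true;
      user = "qbittorrent";
      group = "qbittorrent";
      profileDir = data_dir;
      webuiPort = cfg.port;
      # torrentingPort = cfg.port;
    };

    # Group-writable files so the "media" group can share the download tree.
    systemd.services.qbittorrent.serviceConfig.UMask = lib.mkForce "0007";

    # Egress kill-switch for the qbittorrent uid: packets may only leave via the
    # VPN interface, plus WebUI replies on loopback (to nginx) and to the LAN.
    # Replies from the WebUI listener carry the WebUI port as *source* port, so
    # the rules match --sport; a --dport match would never see them.
    # Caveat: a local stub resolver on loopback is not covered by the uid match,
    # so DNS issued through it is not confined to the VPN.
    networking.firewall.extraCommands = ''
      ${teardown "iptables"}
      iptables -N QBIT
      iptables -A OUTPUT ${uid_match} -j QBIT
      iptables -A QBIT -o ${vpn_inf} -j ACCEPT
      iptables -A QBIT -o lo -p tcp --sport ${toString cfg.port} -j ACCEPT
      iptables -A QBIT -o ${lan_inf} -p tcp -d 10.0.0.0/8 --sport ${toString cfg.port} -j ACCEPT
      iptables -A QBIT -j DROP
    '' + lib.optionalString config.networking.enableIPv6 ''
      # Same confinement for IPv6; iptables alone leaves a v6 path around the VPN.
      ${teardown "ip6tables"}
      ip6tables -N QBIT
      ip6tables -A OUTPUT ${uid_match} -j QBIT
      ip6tables -A QBIT -o ${vpn_inf} -j ACCEPT
      ip6tables -A QBIT -o lo -p tcp --sport ${toString cfg.port} -j ACCEPT
      ip6tables -A QBIT -j DROP
    '';

    # Clean up the custom chain when the firewall is stopped.
    networking.firewall.extraStopCommands = teardown "iptables"
      + lib.optionalString config.networking.enableIPv6 (teardown "ip6tables");

    # ------------------------------------------------------------------------------
    # # add systemd service to VPN network namespace
    # vpnConfinement = {
    #   enable = true;
    #   vpnNamespace = "wgmex";
    # };
    # ------------------------------------------------------------------------------
    # # open firewall
    # networking.firewall.allowedTCPPorts = [ cfg.port ];

    # Internal TLS reverse proxy in front of the WebUI.
    # NOTE(review): the certificate files come from sops secrets; confirm their
    # owner/mode allow the nginx user to read them where the secrets are declared.
    services.nginx.virtualHosts."qbit.snowbelle.lan" = {
      enableACME = false;
      forceSSL = true;
      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
      };
    };

    # Include the profile/data directory in system backups when enabled.
    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
  };
}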