{ config, pkgs, lib, ... }:
let
  host = "127.0.1.2";
  port = "5003";
  uid = config.ids.uids.transmission;
  gid = config.ids.gids.transmission;
in {
  sops.secrets."transmission/vpncreds" = {
    owner = "transmission";
    group = "transmission";
  };

  users.users.transmission = {
    inherit uid;
    group = "transmission";
    isSystemUser = true;
    useDefaultShell = true;
    description = "Transmission torrent service";
  };

  users.groups.transmission = {
    inherit gid;
  };

  # Transmission+PIA: Torrent client, Integrated VPN, Web interface
  virtualisation.oci-containers.containers.transmission = {
    image = "haugene/transmission-openvpn";
    ports = [ "${host}:${port}:9091" ];
    volumes = [
      "/var/lib/transmission/config:/config"
      "/tank/media/transmission:/data"
    ];
    environment = {
      OPENVPN_PROVIDER = "PIA";
      OPENVPN_CONFIG = "sweden,norway,de_frankfurt";
      LOCAL_NETWORK = "192.168.10.0/24";
      TRANSMISSION_WEB_UI = "flood-for-transmission";
      PUID = toString uid;
      PGID = toString gid;
    };
    environmentFiles = [
      # OPENVPN_USERNAME and password is set here
      # and optionally TRANSMISSION_RPC_USERNAME and password
      config.sops.secrets."transmission/vpncreds".path
    ];
    extraOptions = [
      /* "--cap-add=net_admin,net_raw,mknod" */
      "--cap-add=NET_ADMIN"
      "--device=/dev/net/tun"
    ];
  };
  services.nginx.virtualHosts."transmission.home.feal.no" = {
    locations."/" = {
      proxyPass = "http://${host}:${port}";
    };
  };

  fileSystems = {
    "/tank/media/transmission/jellyfin" = {
      device = "/tank/media/jellyfin";
      options = [ "bind" ];
    };
    "/tank/media/transmission/music" = {
      device = "/tank/media/music";
      options = [ "bind" ];
    };
    "/tank/media/transmission/inbox" = {
      device = "/tank/inbox";
      options = [ "bind" ];
    };
    "/tank/media/transmission/other" = {
      device = "/tank/media/other";
      options = [ "bind" ];
    };
  };
}