# NixOS module: qBittorrent with its WebUI published through an nginx
# reverse proxy on `domain`. The WebUI is bound to loopback, and nginx
# adds TLS (ACME) and HTTP basic auth in front of it.
{ config, ... }:
let
  inherit (config.networking) ports;
  cfg = config.services.qbittorrent;
  domain = "sturzbach.jalr.de";
  # Interface names come from a sibling file not shown here; `wan` is
  # presumably the internet-facing interface. Verify against ../interfaces.nix.
  interfaces = import ../interfaces.nix;
in
{
  # htpasswd file for the nginx vhost below. It is owned by "nginx" so the
  # web server can read the decrypted secret.
  sops.secrets.sturzbach-htpasswd.owner = "nginx";

  # Only the torrenting port is opened in the firewall. The WebUI port is
  # deliberately absent because the WebUI binds to 127.0.0.1.
  networking.firewall.allowedTCPPorts = [ ports.qbittorrent-torrent.tcp ];

  # Increase number of open file descriptors (default: 1024)
  systemd.services.qbittorrent.serviceConfig.LimitNOFILE = 65536;

  services = {
    qbittorrent = {
      enable = true;
      torrentingPort = ports.qbittorrent-torrent.tcp;
      webuiPort = ports.qbittorrent-webui.tcp;

      serverConfig = {
        # No automatic port mapping on the upstream router.
        Network.PortForwardingEnabled = false;

        Preferences.WebUI = {
          # Loopback only: the WebUI is reachable solely through nginx.
          Address = "127.0.0.1";
          # NOTE(review): with LocalHostAuth off, qBittorrent skips its own
          # login for clients connecting from localhost. Every request that
          # nginx proxies arrives from 127.0.0.1, so the nginx basic auth
          # below is the only authentication layer. Any local process or
          # user on this host can also reach the WebUI port without
          # credentials. Confirm that this is acceptable for the machine.
          LocalHostAuth = false;
          # The session cookie is marked Secure. This works because
          # browsers only ever see the HTTPS vhost.
          SecureCookie = true;
          # Host names the WebUI accepts. Presumably this is enforced by
          # Host header validation; verify that validation is left enabled.
          ServerDomains = domain;
          # 24 * 60 * 60 is one day, assuming the unit is seconds.
          SessionTimeout = 24 * 60 * 60;
          UseUPnP = false;
        };

        BitTorrent.Session = {
          # DHT, local service discovery and peer exchange are all off, so
          # peers are learned from trackers only.
          DHTEnabled = false;
          LSDEnabled = false;
          PeXEnabled = false;

          MaxActiveDownloads = 5;
          MaxActiveTorrents = 10000;
          MaxActiveUploads = 10000;
          QueueingSystemEnabled = true;

          DefaultSavePath = "${cfg.profileDir}/downloads";
          TempPath = "${cfg.profileDir}/downloads/incomplete";
          TorrentContentLayout = "Subfolder";
          DisableAutoTMMByDefault = false;
          AddTorrentStopped = false;

          AnnounceToAllTiers = false;
          ReannounceWhenAddressChanged = false;

          # Torrent traffic is pinned to the WAN interface.
          Interface = interfaces.wan;
          InterfaceName = interfaces.wan;
          InterfaceAddress = "0.0.0.0";
        };
      };
    };

    # Public entry point for the WebUI: TLS via ACME, HTTP redirected to
    # HTTPS, and basic auth checked against the sops-managed htpasswd file
    # before anything reaches qBittorrent.
    nginx.virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;
      basicAuthFile = config.sops.secrets.sturzbach-htpasswd.path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.webuiPort}";
        proxyWebsockets = true;
      };
    };
  };
}