{
  config,
  lib,
  user,
  ...
}: let
  inherit (config) sops;
  inherit (sops) templates placeholder;
in {
  users.users.${user}.extraGroups = ["media"];
  users.groups.media = {
    gid = 979;
  };
  services.prowlarr = {
    enable = true;
  };
  services.flaresolverr.enable = true;
  services.lidarr = {
    enable = true;
    group = "media";
  };
  services.sonarr = {
    enable = true;
    group = "media";
  };
  services.radarr = {
    enable = true;
    group = "media";
  };
  services.bazarr = {
    enable = true;
    group = "media";
  };
  services.jellyseerr.enable = true;
  # probably easier if i just put this in a nixos-container
  virtualisation.oci-containers.containers.transmission = {
    image = "docker.io/haugene/transmission-openvpn:5.3.2";
    ports = ["9091:9091"];
    volumes = [
      "/var/lib/transmission/downloads:/data/incomplete"
      "/home/tristan/pods/transmission/config:/config"
      "/mnt/storage/media/unsorted:/data/completed"
    ];
    environmentFiles = [templates."transmission/env".path];
    environment = {
      PUID = "1000";
      PGID = toString config.users.groups.media.gid;
      LOCAL_NETWORK = "100.0.0.0/8";
      LOG_TO_STDOUT = "true";
      TRANSMISSION_WEB_UI = "flood-for-transmission";
    };
    privileged = true;
    capabilities = {
      "NET_ADMIN" = true;
      "NET_RAW" = true;
      "MKNOD" = true;
    };
  };
  sops.secrets = {
    "transmission/auth/OPENVPN_PROVIDER" = {};
    "transmission/auth/OPENVPN_CONFIG" = {};
    "transmission/auth/OPENVPN_USERNAME" = {};
    "transmission/auth/OPENVPN_PASSWORD" = {};
  };
  sops.templates."transmission/env" = {
    owner = "tristan";
    content = ''
      OPENVPN_PROVIDER=${placeholder."transmission/auth/OPENVPN_PROVIDER"}
      OPENVPN_CONFIG=${placeholder."transmission/auth/OPENVPN_CONFIG"}
      OPENVPN_USERNAME=${placeholder."transmission/auth/OPENVPN_USERNAME"}
      OPENVPN_PASSWORD=${placeholder."transmission/auth/OPENVPN_PASSWORD"}
    '';
  };

  sops.secrets."sonarr/api_key" = {};
  sops.secrets."radarr/api_key" = {};
  sops.secrets."prowlarr/api_key" = {};
  services.prometheus.exporters.exportarr-sonarr = {
    enable = true;
    url = "http://localhost:${toString config.services.sonarr.settings.server.port}/sonarr";
    port = 9708;
    apiKeyFile = config.sops.secrets."sonarr/api_key".path;
  };
  services.prometheus.exporters.exportarr-radarr = {
    enable = true;
    url = "http://localhost:${toString config.services.radarr.settings.server.port}";
    port = 9709;
    apiKeyFile = config.sops.secrets."radarr/api_key".path;
  };
  services.prometheus.exporters.exportarr-prowlarr = {
    enable = true;
    url = "http://localhost:${toString config.services.prowlarr.settings.server.port}";
    port = 9710;
    apiKeyFile = config.sops.secrets."prowlarr/api_key".path;
  };
  services.prometheus = {
    enable = true;
    scrapeConfigs = [
      {
        job_name = "exportarr";
        static_configs = [
          {
            targets = [
              "localhost:${toString config.services.prometheus.exporters.exportarr-radarr.port}"
              "localhost:${toString config.services.prometheus.exporters.exportarr-sonarr.port}"
              "localhost:${toString config.services.prometheus.exporters.exportarr-prowlarr.port}"
            ];
          }
        ];
      }
    ];
  };
}