diff --git a/common/fragments/bittorrent/default.nix b/common/fragments/bittorrent/default.nix index 9f73937..87a88d3 100644 --- a/common/fragments/bittorrent/default.nix +++ b/common/fragments/bittorrent/default.nix @@ -1,12 +1,5 @@ +{ pkgs, ... }: { - config, - pkgs, - lib, - ... -}: -{ - imports = [ ./netns.nix ]; - system.fsPackages = with pkgs; [ gocryptfs cifs-utils 
@@ -29,63 +22,30 @@ } ]; - systemd.services."container@transmission" = { - bindsTo = [ "ve-transmission.service" ]; - after = [ - "ve-transmission.service" - "mnt-library.mount" - ]; + virtualisation.oci-containers.containers = { + "qbittorrent" = { + image = "dyonr/qbittorrentvpn"; + autoStart = true; + volumes = [ + "/var/lib/qbittorrent:/config" + "/mnt/library:/downloads" + ]; + environment = { + VPN_TYPE = "wireguard"; + LAN_NETWORK = "10.21.0.0/16,10.42.0.0/24,100.64.0.0/24"; + }; + ports = [ "8080:8080" ]; + extraOptions = [ + "--cap-add=NET_ADMIN" + "--device=/dev/net/tun" + "--privileged" + ]; + }; }; - containers.transmission = { - autoStart = true; - - extraFlags = [ "--network-namespace-path=/run/netns/transmission" ]; - - bindMounts = { - "/var/lib/transmission" = { - hostPath = "/var/lib/transmission"; - isReadOnly = false; - }; - "/mnt/library" = { - hostPath = "/mnt/library"; - isReadOnly = false; - }; - "/etc/resolv.conf" = { - hostPath = toString (pkgs.writeText "resolv.conf" "nameserver 74.82.42.42"); - }; - }; - - config = { - services.transmission = { - enable = true; - - package = pkgs.transmission_4; - webHome = pkgs.flood-for-transmission; - - settings = { - rpc-bind-address = "::"; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - - download-dir = "/mnt/library/Downloads"; - incomplete-dir = "/mnt/library/.incomplete"; - watch-dir = "/mnt/library/watchdir"; - }; - openRPCPort = true; - openPeerPorts = true; - }; - - users.users.transmission.extraGroups = [ "users" ]; - - # https://github.com/NixOS/nixpkgs/issues/258793 - systemd.services.transmission.serviceConfig = { - RootDirectoryStartOnly = lib.mkForce (lib.mkForce false); - RootDirectory = lib.mkForce (lib.mkForce ""); - }; - - system.stateVersion = config.system.stateVersion; - }; + services.flood = { + enable = true; + extraArgs = [ "--baseuri=/flood" ]; }; # Jellyfin 
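Review bot: The new `qbittorrent` container runs with `"--privileged"`, which grants every capability and access to all host devices and makes the `--cap-add=NET_ADMIN` and `--device=/dev/net/tun` entries beside it redundant; with `/mnt/library` mounted read-write, a compromised or replaced image has close to host-level reach. Drop `"--privileged"` and keep the two narrow options; if WireGuard setup inside the container then fails, a targeted `"--sysctl=net.ipv4.conf.all.src_valid_mark=1"` is probably what it needs rather than full privilege (verify against the image's documentation). `image = "dyonr/qbittorrentvpn";` carries no tag or digest, so every pull can bring different code into that container; pin it, e.g. `image = "dyonr/qbittorrentvpn@sha256:<DIGEST_PLACEHOLDER>";`. `ports = [ "8080:8080" ];` publishes the web UI on every host interface even though the nginx location added in netns.nix reaches it through localhost, so `ports = [ "127.0.0.1:8080:8080" ];` would be enough.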
@@ -115,4 +75,25 @@ "guest ok" = "yes"; }; }; + + services.nginx.enable = true; + # TODO: change when headscale updates + services.nginx.virtualHosts."watchtower.agatha.thorns.home.arpa" = { + locations."/flood/api" = { + proxyPass = "http://127.0.0.1:3000"; + proxyWebsockets = true; + extraConfig = '' + proxy_buffering off; + proxy_cache off; + ''; + }; + locations."/flood/" = { + alias = "${pkgs.flood}/lib/node_modules/flood/dist/assets/"; + tryFiles = "$uri /flood/index.html"; + }; + + extraConfig = '' + rewrite ^/(flood)$ $1/ permanent; + ''; + }; } diff --git a/common/fragments/bittorrent/netns.nix b/common/fragments/bittorrent/netns.nix index ebd9f60..3d76b09 100644 --- a/common/fragments/bittorrent/netns.nix +++ b/common/fragments/bittorrent/netns.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ pkgs, ... }: # Collectivized from https://gist.github.com/c0deaddict/53aedbb69c8cbfebfec8f4428dc03102 ☭ let veth = "ve-transmission"; @@ -63,7 +58,7 @@ in ipGuest = "${ipHost} netns exec ${ns} ${pkgs.iproute}/bin/ip"; in { - description = "Veth interface for download"; + description = "Veth interface for transmission"; bindsTo = [ "netns@${ns}.service" ]; after = [ "netns@${ns}.service" ]; wantedBy = [ "network.target" ]; @@ -92,5 +87,9 @@ in proxyPass = "http://10.0.0.2:9091/transmission"; proxyWebsockets = true; }; + locations."/bittorrent" = { + proxyPass = "http://localhost:8080"; + proxyWebsockets = true; + }; }; } diff --git a/flake.nix b/flake.nix index 9539683..eb446df 100644 --- a/flake.nix +++ b/flake.nix @@ -177,8 +177,11 @@ ./common/linux-specific.nix ./hosts/watchtower/configuration.nix (import "${home-manager}/nixos") + "${nixpkgs-unstable}/nixos/modules/services/torrent/flood.nix" ]; + disabledModules = [ "services/torrent/flood.nix" ]; + deployment = { targetUser = "root"; targetHost = "watchtower"; diff --git a/hosts/watchtower/hardware-configuration.nix b/hosts/watchtower/hardware-configuration.nix index 4eb2049..7af403c 100644 
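Review bot: Nothing in the added `watchtower.agatha.thorns.home.arpa` vhost limits who can reach `/flood/` and `/flood/api`: this hunk shows no `forceSSL`, no `listenAddresses` and no allow/deny rule, so Flood's own login is the only control in front of the torrent client, and it travels over plain HTTP unless TLS is configured elsewhere. If the host is meant to be reachable only over the tailnet, state that in the vhost, for example by adding `allow 100.64.0.0/24;` and `deny all;` to the vhost-level `extraConfig` next to the rewrite (the range is the one this file already lists in `LAN_NETWORK`; confirm it matches the tailnet). The `# TODO: change when headscale updates` comment should also name what has to change, presumably the hostname.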
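Review bot: The new `/bittorrent` location is added to netns.nix, but the first hunk of default.nix in this same commit removes `imports = [ ./netns.nix ];`, so unless another module still imports this file the location is never evaluated. The enclosing virtualHost starts outside the hunk, and the neighbouring location still proxies to `10.0.0.2:9091/transmission`, which belongs to the container this commit deletes; the new location would sit more naturally in the vhost that default.nix now defines beside `/flood/`. The `proxyPass` also has no URI part, so nginx forwards the `/bittorrent` prefix unchanged to the web UI on port 8080; if qBittorrent serves from its root, use `locations."/bittorrent/"` with `proxyPass = "http://127.0.0.1:8080/";` so the prefix is stripped.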
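Review bot: The flood module is now loaded from `nixpkgs-unstable` while `disabledModules` removes the pinned one, but nothing records why or when this can be reverted. A one-line comment above the import, such as `# flood module from unstable until the pinned nixpkgs ships the options used in common/fragments/bittorrent; remove together with disabledModules below`, would keep the two lines from outliving their purpose (adjust the reason to the real one). Because the module is evaluated against the stable `pkgs`, it is worth confirming that it does not reference packages or options that exist only in unstable.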
--- a/hosts/watchtower/hardware-configuration.nix +++ b/hosts/watchtower/hardware-configuration.nix @@ -1,31 +1,45 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, modulesPath, ... }: { +{ + config, + lib, + modulesPath, + ... +}: +{ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = - [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "usb_storage" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; + boot.kernelParams = [ "amd_pstate=guided" ]; + fileSystems."/" = { device = "/dev/disk/by-uuid/eba0bc60-b96f-4b28-9447-f36209410ba3"; fsType = "ext4"; }; - boot.initrd.luks.devices."luks-9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d".device = - "/dev/disk/by-uuid/9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d"; + boot.initrd.luks.devices."luks-9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d".device = "/dev/disk/by-uuid/9c33d04a-b7f1-4dec-98a5-f8ec2771ef7d"; fileSystems."/boot" = { device = "/dev/disk/by-uuid/D95C-66EE"; fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; + options = [ + "fmask=0022" + "dmask=0022" + ]; }; - swapDevices = - [{ device = "/dev/disk/by-uuid/8a64d656-8ba2-4c11-87bf-858e1ca3ec7e"; }]; + swapDevices = [ { device = "/dev/disk/by-uuid/8a64d656-8ba2-4c11-87bf-858e1ca3ec7e"; } ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's 
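Review bot: `boot.kernelParams = [ "amd_pstate=guided" ];` is a hand-written setting added to a file whose header says it is generated by nixos-generate-config and may be overwritten, so a later regeneration would silently drop it. Move that line to hosts/watchtower/configuration.nix, which flake.nix already imports for this host, and leave this file as generated. The rest of the hunk is formatting only.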
@@ -35,6 +49,5 @@ # networking.interfaces.enp1s0f1.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; }