{
  config,
  pkgs,
  lib,
  ...
}:
{
  imports = [ ./netns.nix ];

  system.fsPackages = with pkgs; [
    gocryptfs
    cifs-utils
  ];
  systemd.mounts = [
    {
      after = [ "network.target" ];
      what = "//library.technogothic.net/backup";
      where = "/mnt/library-raw";
      type = "cifs";
      options = "gid=users,file_mode=0664,dir_mode=0775";
      mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
    }
    {
      what = "/mnt/library-raw";
      where = "/mnt/library";
      type = "fuse.gocryptfs";
      options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
      wantedBy = [ "multi-user.target" ];
    }
  ];

  systemd.services."container@transmission" = {
    bindsTo = [ "ve-transmission.service" ];
    after = [
      "ve-transmission.service"
      "mnt-library.mount"
    ];
  };

  containers.transmission = {
    autoStart = true;

    extraFlags = [ "--network-namespace-path=/run/netns/transmission" ];

    bindMounts = {
      "/var/lib/transmission" = {
        hostPath = "/var/lib/transmission";
        isReadOnly = false;
      };
      "/mnt/library" = {
        hostPath = "/mnt/library";
        isReadOnly = false;
      };
      "/etc/resolv.conf" = {
        hostPath = toString (pkgs.writeText "resolv.conf" "nameserver 74.82.42.42");
      };
    };

    config = {
      services.transmission = {
        enable = true;

        package = pkgs.transmission_4;
        webHome = pkgs.flood-for-transmission;

        settings = {
          rpc-bind-address = "::";
          rpc-whitelist-enabled = false;
          rpc-host-whitelist-enabled = false;

          download-dir = "/mnt/library/Downloads";
          incomplete-dir = "/mnt/library/.incomplete";
          watch-dir = "/mnt/library/watchdir";
        };
        openRPCPort = true;
        openPeerPorts = true;
      };

      users.users.transmission.extraGroups = [ "users" ];

      # https://github.com/NixOS/nixpkgs/issues/258793
      systemd.services.transmission.serviceConfig = {
        RootDirectoryStartOnly = lib.mkForce (lib.mkForce false);
        RootDirectory = lib.mkForce (lib.mkForce "");
      };

      system.stateVersion = config.system.stateVersion;
    };
  };

  # Jellyfin
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
  environment.systemPackages = with pkgs; [
    jellyfin
    jellyfin-web
    jellyfin-ffmpeg
  ];

  # SMB Share
  services.samba = {
    enable = true;
    openFirewall = true;
    extraConfig = ''
      server string = Watchtower
      guest account = nobody
      map to guest = bad user
    '';
    shares.Library = {
      path = "/mnt/library";
      browseable = "yes";
      "read only" = "no";
      "guest ok" = "yes";
    };
  };
}