{
  config,
  lib,
  pkgs,
  ...
}:

with lib;

let
  cfg = config.services.rqbit;
in
{
  options.services.rqbit = {
    enable = mkEnableOption "rqbit BitTorrent client";

    package = mkOption {
      type = types.package;
      default = pkgs.rqbit;
      defaultText = literalExpression "pkgs.rqbit";
      description = "The rqbit package to use.";
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/rqbit";
      description = "Directory to store downloaded torrents.";
    };

    listenAddress = mkOption {
      type = types.str;
      default = "127.0.0.1";
      description = "IP address to listen on for the web UI and API.";
    };

    listenPort = mkOption {
      type = types.port;
      default = 3030;
      description = "Port for the web UI and API.";
    };

    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = "Open the firewall for the web UI port.";
    };

    user = mkOption {
      type = types.str;
      default = "rqbit";
      description = "User account under which rqbit runs.";
    };

    group = mkOption {
      type = types.str;
      default = "rqbit";
      description = "Group under which rqbit runs.";
    };

    extraArgs = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Extra command-line arguments to pass to rqbit.";
      example = literalExpression ''[ "--upnp" "--enable-upnp-server" ]'';
    };
  };

  config = mkIf cfg.enable {
    systemd.services.rqbit = {
      description = "rqbit BitTorrent Client";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;

        Environment = [
          "XDG_CACHE_HOME=/var/lib/rqbit/.cache"
          "XDG_DATA_HOME=/var/lib/rqbit/.local/share"
        ];

        ExecStart = ''
          ${cfg.package}/bin/rqbit \
            --http-api-listen-addr ${cfg.listenAddress}:${toString cfg.listenPort} \
            ${concatStringsSep " " cfg.extraArgs} \
            server start ${cfg.dataDir}
        '';
        Restart = "on-failure";

        StateDirectory = "rqbit";
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.dataDir ];
      };
    };

    users.users = mkIf (cfg.user == "rqbit") {
      rqbit = {
        isSystemUser = true;
        group = cfg.group;
        description = "rqbit BitTorrent client user";
      };
    };

    users.groups = mkIf (cfg.group == "rqbit") {
      rqbit = { };
    };

    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.listenPort ];
    };
  };
}