{ config, flake, pkgs, ... }:
# NixOS module: runs the torrent client (rqbit) inside a microvm and fronts it
# from the host with a Caddy virtual host guarded by basic_auth.  `pkgs` is part
# of the module signature but is not used here.
let
  people = flake.config.people;
  inherit (flake.config.services) instances;

  # Per-instance settings for the torrent service (name, interface, paths,
  # ports, ssl).
  svc = instances.torrent;

  # Same attrset as `svc`; it is interpolated into strings below ("${vhost}" and
  # security.acme.certs.${vhost}).  NOTE(review): that only evaluates if the set
  # coerces to a string — confirm against the `instances` definition.
  vhost = svc;

  vmName = svc.name;

  # Host-side sops secret carrying CADDY_AUTH_USER / CADDY_AUTH_PASSWORD_HASH.
  authSecret = "caddy/${vmName}-auth";

  dnsProvider = instances.web.dns.provider1;

  # Caddyfile for the vhost.  Credentials are read from the EnvironmentFile
  # wired up below; the backend is reached over the VM's tap address.
  # `tls` points at explicit cert/key files while an ACME cert is also
  # requested for the same host below — presumably the same files; confirm.
  caddySite = ''
    basic_auth {
      {$CADDY_AUTH_USER} {$CADDY_AUTH_PASSWORD_HASH}
    }
    reverse_proxy ${svc.interface.ip}:${toString svc.ports.port0} {
      header_up X-Real-IP {remote_host}
    }
    tls ${svc.ssl.cert} ${svc.ssl.key}
    encode zstd gzip
  '';
in
{
  # --- Guest VM ---------------------------------------------------------------
  microvm.vms.${vmName} = {
    autostart = true;

    config = {
      system.stateVersion = "25.05";

      # 22 for SSH.  80 is opened too although nothing in this file binds it in
      # the guest — verify something listens there before keeping it open.
      networking.firewall.allowedTCPPorts = [ 22 80 ];

      # rqbit binds every guest interface and opens its own ports, so it is
      # reachable by anything on the tap network *without* Caddy's basic_auth;
      # only the host vhost below is authenticated.
      services.rqbit = {
        enable = true;
        dataDir = "/var/lib/rqbit/downloads";
        listenAddress = "0.0.0.0";
        openFirewall = true;
        extraArgs = [ ];
      };

      # Key-only SSH for root; password logins are disabled.
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };
      users.users.root.openssh.authorizedKeys.keys =
        people.users.${people.user0}.sshKeys;

      # Static addressing on the guest's tap interface.
      systemd.network = {
        enable = true;
        networks."10-enp" = {
          matchConfig.Name = "enp0s5";
          addresses = [ { Address = "${svc.interface.ip}/24"; } ];
          gateway = [ svc.interface.gate ];
        };
      };

      # Owned by a user/group named after the instance — assumes such a user
      # exists in the guest; confirm against the rqbit module.
      systemd.tmpfiles.rules = [
        "d ${svc.varPaths.path0} 755 ${vmName} ${vmName} -"
      ];

      microvm = {
        vcpu = 4;
        mem = 4 * 1024;
        hypervisor = "qemu";

        interfaces = [
          {
            type = "tap";
            id = svc.interface.id;
            mac = svc.interface.mac;
          }
        ];

        shares = [
          # Host nix store, tagged as the read-only store.
          {
            source = "/nix/store";
            mountPoint = "/nix/.ro-store";
            tag = "ro-store";
            proto = "virtiofs";
          }
          # Persistent service data kept on the host.
          {
            source = svc.mntPaths.path0;
            mountPoint = "/var/lib/${vmName}";
            tag = "${vmName}_data";
            proto = "virtiofs";
          }
          # Only this instance's subtree of the host secrets is exposed to the
          # guest.
          {
            source = "/run/secrets/${vmName}";
            mountPoint = "/run/secrets";
            tag = "host_secrets";
            proto = "virtiofs";
          }
        ];
      };

      environment.systemPackages = [ ];
    };
  };

  # --- Host side --------------------------------------------------------------
  services.caddy.virtualHosts."${vhost}".extraConfig = caddySite;

  # Readable only by the caddy user; consumed through EnvironmentFile below.
  sops.secrets.${authSecret} = {
    owner = "caddy";
    group = "caddy";
    mode = "0400";
  };

  # DNS-01 challenge; provider credentials come from a separate sops secret.
  security.acme.certs.${vhost} = {
    inherit dnsProvider;
    environmentFile = config.sops.secrets."dns/${dnsProvider}".path;
  };

  systemd.services.caddy.serviceConfig.EnvironmentFile =
    config.sops.secrets.${authSecret}.path;

  # Host directories: the shared data mount, a caddy-owned secrets subdir
  # (presumably under the same tree the VM share reads from — confirm), and
  # caddy's log dir.
  systemd.tmpfiles.rules = [
    "d ${svc.mntPaths.path0} 0755 microvm wheel - -"
    "d ${svc.secretPaths.path0}/caddy 755 caddy caddy -"
    "d /var/log/caddy 755 caddy caddy -"
  ];
}