{ me, config, lib, pkgs, auxiliaryPkgs, ... }:
# Mullvad WireGuard egress container ("vpn") built on the upstream gluetun
# image, attached to its own bridge network. The torrent client modules
# imported below run through it.
let
  dockerTools = pkgs.dockerTools;
  common = auxiliaryPkgs.common;

  # Port the torrent client listens on; only published via common.tailnetPort.
  torrentLocalPort = 2018;
  # Host directory that holds the container's persistent state.
  torrentDir = "/srv/torrent";
  # Reduced MTU, applied both to the bridge network and to the WireGuard tunnel.
  mtu = 1280;

  # Kept for reference: gluetun's openvpn mode ignored the MTU setting, so this
  # sidecar re-applied it every 15 seconds. Currently disabled (its launch in
  # the entry script is commented out, and it is not in vpnScripts).
  #vpnForceMtu = pkgs.writeTextFile {
  #  name = "vpn-force-mtu";
  #  destination = "/scripts/vpn-force-mtu.sh";
  #  executable = true;
  #  text = ''
  #    #!/bin/ash
  #    while true; do
  #      /bin/sleep 15
  #      /sbin/ip link set dev tun0 mtu ${toString mtu} 2>/dev/null || true
  #    done
  #  '';
  #};

  # Container entrypoint: hands straight off to gluetun's own entrypoint.
  vpnEntry = pkgs.writeTextFile {
    name = "vpn-entry";
    destination = "/scripts/vpn-entry.sh";
    executable = true;
    text = ''
      #!/bin/ash
      #/scripts/vpn-force-mtu.sh &
      /gluetun-entrypoint
    '';
  };

  # Everything layered on top of the upstream image.
  vpnScripts = pkgs.symlinkJoin {
    name = "vpn-scripts";
    paths = [
      vpnEntry
      #vpnForceMtu
    ];
  };

  # Upstream image pinned by content digest (and by the nix fetch hash), so a
  # re-pushed "v3.39" tag cannot silently change what runs here.
  gluetunImage = common.pullImage {
    name = "qmcgaw/gluetun";
    tag = "v3.39";
    digest = "sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991";
    x86.sha256 = "1cg43lmp3ql64zsfwp2f52kigijs30n3hnja12msr9npbgq8a8ga";
  };

  # Local image: upstream gluetun layers plus our entry script.
  vpnImage = dockerTools.streamLayeredImage {
    name = "vpn";
    tag = "3.39.0-renard";
    fromImage = gluetunImage.base;
    contents = [ vpnScripts ];
  };

  # Exit countries gluetun may choose from (joined into SERVER_COUNTRIES below).
  vpnCountries = [
    "Albania"
    "Austria"
    "Belgium"
    "Bulgaria"
    "Croatia"
    "Czech Republic"
    "Estonia"
    "Greece"
    "Hungary"
    "Italy"
    "Latvia"
    "Poland"
    "Portugal"
    "Romania"
    "Serbia"
    "Slovakia"
    "Spain"
    "Ukraine"
  ];
in
{
  imports = [
    ./flood.nix
    # the active torrent client is selected by which module is imported here
    ./transmission.nix
    #./qbittorrent.nix
  ];

  # Mullvad credentials are delivered through an agenix-encrypted env file.
  # Keeping them out of the `environment` attrset below keeps them out of the
  # world-readable nix store.
  age.secrets.mullvad-gluetun.file = ../../secrets/mullvad-gluetun.age;

  foundation = {
    networks.vpn = {
      enable = true;
      driver = "bridge";
      # IPv6 is deliberately left off on the vpn network for now.
      ipv6.enable = false;
      # lower MTU to prevent packet non-deliverability
      mtu = mtu;
    };

    services.vpn = {
      network = "vpn";
      image = vpnImage;
      # presumably binds the torrent port on the tailnet address only — confirm
      # against common.tailnetPort.
      ports = [ (common.tailnetPort me [ torrentLocalPort torrentLocalPort ]) ];
      volumes = [ [ "${torrentDir}/gluetun" "/gluetun" ] ];
      entrypoint = "/scripts/vpn-entry.sh";
      # NET_ADMIN plus the tun device is what gluetun needs to bring the tunnel
      # up; no other capabilities are granted.
      capabilities = [ "NET_ADMIN" ];
      devices = [ "/dev/net/tun" ];
      environment = {
        # the mullvad device representing this vpn container
        # is named "driven fish".
        VPN_SERVICE_PROVIDER = "mullvad";
        VPN_TYPE = "wireguard";
        WIREGUARD_ADDRESSES = "10.73.131.255/32";
        WIREGUARD_MTU = builtins.toString mtu;
        SERVER_COUNTRIES = builtins.concatStringsSep "," vpnCountries;
      };
      environmentFiles = [ config.age.secrets.mullvad-gluetun.path ];
    };
  };
}