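# VPN-isolated torrent stack: a gluetun container (Private Internet Access over
# OpenVPN) on its own bridge network, with the torrent client modules imported
# below attaching to it.
{ me, config, lib, pkgs, auxiliaryPkgs, ... }:
let
  inherit (pkgs) dockerTools;
  inherit (auxiliaryPkgs) common;

  torrentLocalPort = 2018;
  torrentDir = "/srv/torrent";
  # One MTU value shared by the bridge network, by tun0 inside the container
  # and by OpenVPN's mssfix, so all three agree.
  mtu = 1280;

  # gluetun openvpn likes to ignore my mtu settings,
  # so we set it forcefully every 15 seconds.
  # Failures (e.g. tun0 not up yet) are silenced so the loop never exits.
  vpn-force-mtu = pkgs.writeTextFile {
    name = "vpn-force-mtu";
    destination = "/scripts/vpn-force-mtu.sh";
    executable = true;
    text = ''
      #!/bin/ash
      while true; do
        /bin/sleep 15
        /sbin/ip link set dev tun0 mtu ${toString mtu} 2>/dev/null || true
      done
    '';
  };

  # Container entrypoint: start the MTU enforcer in the background, then
  # replace the shell with the real gluetun entrypoint.  `exec` keeps gluetun
  # as the container's init process so stop signals (SIGTERM) reach it
  # directly instead of an ash wrapper that would not forward them; "$@"
  # passes through any arguments the runtime supplies.
  vpn-entry = pkgs.writeTextFile {
    name = "vpn-entry";
    destination = "/scripts/vpn-entry.sh";
    executable = true;
    text = ''
      #!/bin/ash
      /scripts/vpn-force-mtu.sh &
      exec /gluetun-entrypoint "$@"
    '';
  };

  vpn-scripts = pkgs.symlinkJoin {
    name = "vpn-scripts";
    paths = [ vpn-entry vpn-force-mtu ];
  };

  # Upstream image pinned by content digest and source hash rather than by the
  # mutable tag alone.
  gluetunImage = common.pullImage {
    name = "qmcgaw/gluetun";
    tag = "v3.39";
    digest = "sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991";
    x86.sha256 = "1cg43lmp3ql64zsfwp2f52kigijs30n3hnja12msr9npbgq8a8ga";
  };

  # Our image: upstream gluetun plus the wrapper scripts above.
  vpnImage = dockerTools.streamLayeredImage {
    name = "vpn";
    tag = "3.39.0-renard";
    fromImage = gluetunImage.base;
    contents = [ vpn-scripts ];
  };

  # PIA regions gluetun may connect to (joined into SERVER_REGIONS below).
  piaCountries = [
    "Albania"
    "Austria"
    "Belgium"
    "Bosnia and Herzegovina"
    "Bulgaria"
    "Czech Republic"
    "ES Madrid"
    "ES Valencia"
    "Estonia"
    "Georgia"
    "Greece"
    "Hungary"
    "IT Milano"
    "Poland"
    "Portugal"
    "Romania"
    "Serbia"
    "Turkey"
    "Ukraine"
  ];
in
{
  imports = [
    ./flood.nix
    # pick current client through import
    ./transmission.nix
    #./qbittorrent.nix
  ];

  # PIA credentials, decrypted from the age file and handed to gluetun as an
  # environment file (see environmentFiles below).
  age.secrets.pia-login-secrets = {
    file = ../../secrets/pia-login-secrets.age;
  };

  foundation = {
    networks.vpn = {
      enable = true;
      driver = "bridge";
      # current vpn does not support ipv6!
      ipv6.enable = false;
      # lower MTU to prevent packet non-deliverability
      inherit mtu;
    };

    services = {
      vpn = {
        network = "vpn";
        image = vpnImage;
        # Torrent client port; tailnetPort presumably binds it to the tailnet
        # interface only — verify in common.tailnetPort.
        ports = [ (common.tailnetPort me [ torrentLocalPort torrentLocalPort ]) ];
        volumes = [ [ "${torrentDir}/gluetun" "/gluetun" ] ];
        entrypoint = "/scripts/vpn-entry.sh";
        # NET_ADMIN plus the tun device is what the tunnel needs; keep the
        # grant to exactly these rather than broader privileges.
        capabilities = [ "NET_ADMIN" ];
        devices = [ "/dev/net/tun" ];
        environment = {
          VPN_SERVICE_PROVIDER = "private internet access";
          VPN_TYPE = "openvpn";
          # keep OpenVPN's packet size consistent with the network/tun0 MTU
          OPENVPN_MSSFIX = toString mtu;
          SERVER_REGIONS = lib.concatStringsSep "," piaCountries;
        };
        # credentials come from the age secret's runtime path, not from
        # inline `environment` values
        environmentFiles = [ config.age.secrets.pia-login-secrets.path ];
      };
    };
  };
}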