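# NixOS module: two Deluge containers (one direct, one tunnelled through
# WireGuard) declared via virtualisation.oci-containers, plus the sops-nix
# secret that supplies the WireGuard configuration file.
{ ... }:
let
  # Settings shared by both containers; each container overrides or extends
  # these with the `//` attribute-set merge below.
  delugeBase = {
    # NOTE(review): no tag or digest is given, so each pull takes whatever the
    # registry currently serves as the default tag. Pinning a release tag or
    # "<image>@sha256:<digest>" makes image upgrades deliberate and auditable.
    image = "binhex/arch-deluge";
    environment = {
      # presumably uid 600 is the `docker-service` user that owns the secret
      # at the bottom of this file; verify, since a mismatch makes wg0.conf
      # unreadable inside the container.
      PUID = "600";
      PGID = "100";
      TZ = "America/New_York";
      # NOTE(review): umask 000 means files are created without masking any
      # permission bits, so downloads and config can end up world-writable on
      # the host datasets. A tighter value such as "002" or "022" is the usual
      # choice unless other local accounts must write there.
      UMASK = "000";
      DEBUG = "false";
      # Daemon and web UI both log at debug level; consider a quieter level
      # once the setup is stable.
      DELUGE_DAEMON_LOG_LEVEL = "debug";
      DELUGE_WEB_LOG_LEVEL = "debug";
    };
    extraOptions = [ "--restart=unless-stopped" ];
  };
in
{
  virtualisation.oci-containers.containers = {
    # Plain Deluge, no tunnel.
    deluge = delugeBase // {
      volumes = [
        "/ZFS/ZFS-primary/docker/Qbit:/config"
        "/ZFS/ZFS-primary/torr/Qbit/:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      # host:container. With no address prefix these bind on every host
      # interface. NOTE(review): with the Docker backend, published ports are
      # typically reachable regardless of networking.firewall; prefix with a
      # specific host address (e.g. "127.0.0.1:8082:8112") if the web UI should
      # only be reached through a reverse proxy.
      ports = [
        "8082:8112"
        "29432:29432"
      ];
    };

    # Deluge behind WireGuard, with Privoxy enabled.
    delugeVPN = delugeBase // {
      # The VPN_*, ENABLE_PRIVOXY, LAN_NETWORK and NAME_SERVERS variables below
      # are implemented by the VPN build of the image. The base image inherited
      # from delugeBase does not act on them, which would leave this container
      # sending traffic over the host's normal route with no tunnel.
      image = "binhex/arch-delugevpn";
      # NOTE(review): --privileged grants every capability plus host device
      # access. Upstream's WireGuard example uses it; if the host already loads
      # the wireguard kernel module, check whether --cap-add=NET_ADMIN together
      # with the sysctl below is sufficient.
      extraOptions = delugeBase.extraOptions ++ [
        "--privileged=true"
        "--sysctl"
        "net.ipv4.conf.all.src_valid_mark=1"
      ];
      environment = delugeBase.environment // {
        VPN_ENABLED = "yes";
        VPN_CLIENT = "wireguard";
        VPN_PROV = "custom";
        ENABLE_PRIVOXY = "yes";
        # NOTE(review): a /16 covers all of 192.168.x.x; narrow this to the
        # subnet(s) that actually need to reach the web UI and Privoxy.
        LAN_NETWORK = "192.168.0.0/16";
        NAME_SERVERS = "9.9.9.9,1.1.1.1,8.8.8.8,8.8.4.4";
        # note, delete /config/perms.txt to force a bulk permissions update
      };
      volumes = [
        "/ZFS/ZFS-primary/docker/QbitVPN:/config"
        "/ZFS/ZFS-primary/torr/QbitVPN/:/data"
        "/etc/localtime:/etc/localtime:ro"
      ];
      # 8118 is the Privoxy listener: published like this it is an
      # unauthenticated HTTP proxy into the tunnel for anything that can reach
      # the host on that port.
      ports = [
        "8081:8112"
        "8118:8118"
        "39274:39274"
        "39274:39274/udp"
      ];
    };
  };

  # WireGuard configuration for delugeVPN, decrypted by sops-nix and placed
  # inside the directory that is bind-mounted as /config.
  # NOTE(review): sops-nix materialises a custom `path` as a symlink into its
  # own secrets directory. Confirm the link resolves from inside the container,
  # where only the /config bind mount is visible, and that the container is
  # started after the secret has been installed.
  sops.secrets = {
    "docker/deluge" = {
      owner = "docker-service";
      path = "/ZFS/ZFS-primary/docker/QbitVPN/wireguard/wg0.conf";
    };
  };
}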