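{config, ...}: let
  # sops-nix materialises the decrypted secrets as files on the host; only
  # their *paths* are referenced in this module, never the secret values.
  openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
  openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;

  # Single source of truth for the two ports used below, so the host firewall,
  # the published container ports and qbittorrent's own settings cannot drift
  # apart on a later edit.
  webUiPort = 8076;
  torrentPort = 6887;
  webUiPortStr = toString webUiPort;
  torrentPortStr = toString torrentPort;
in {
  # Declared here so sops-nix decrypts them at activation; they are consumed
  # only by the gluetun container (mounted read-only below).
  # NOTE(review): with sops-nix's defaults these files are root-owned and
  # root-readable only, which is fine while gluetun runs as root inside its
  # container; set `owner`/`mode` here if it is ever run unprivileged.
  sops.secrets = {
    "software/proton/openvpn_password" = {};
    "software/proton/openvpn_user" = {};
  };

  networking.firewall = {
    enable = true;
    # Only the torrent port is opened on the host itself; the WebUI port is
    # deliberately not listed here.
    # NOTE(review): with VPN_PORT_FORWARDING enabled, inbound peers are
    # expected to arrive through the VPN tunnel on the port the VPN server
    # assigns, not via the host's own address; opening 6887 here additionally
    # lets peers reach qbittorrent directly on the host IP -- confirm this is
    # intended rather than an accidental bypass of the tunnel.
    allowedTCPPorts = [torrentPort];
    allowedUDPPorts = [torrentPort];
  };

  virtualisation.arion = {
    # Containers are driven through the podman socket rather than dockerd.
    backend = "podman-socket";
    projects.arrstack = {
      settings = {
        # VPN gateway container; qbittorrent joins its network namespace below.
        services.gluetun.service = {
          # NOTE(review): untagged image resolves to a floating "latest"; pin a
          # version tag or digest so upgrades are deliberate and reproducible.
          image = "qmcgaw/gluetun";
          # Spelled "glutun" in the original; renaming changes the podman
          # container name (anything addressing it by name would break), so
          # correct it deliberately if desired.
          container_name = "glutun";
          restart = "always";
          # Published on the host. 8076 binds on all host interfaces; prefer
          # "127.0.0.1:${webUiPortStr}:${webUiPortStr}" (or a reverse proxy)
          # if only local access to the WebUI is wanted.
          # NOTE(review): podman installs its own NAT/forward rules for
          # published ports, so do not rely solely on the NixOS firewall list
          # above to keep 8076 off the network -- verify on the host.
          ports = [
            "${webUiPortStr}:${webUiPortStr}" # qbittorrent webui port
            "${torrentPortStr}:${torrentPortStr}" # qbittorrent torrenting port
            "${torrentPortStr}:${torrentPortStr}/udp" # qbittorrent torrenting port
          ];
          # Required for the container to configure the tun device and its
          # own in-namespace firewall; no further capabilities are granted.
          capabilities = {NET_ADMIN = true;};
          volumes = [
            "/srv/docker/media-server/arrstack/gluetun:/gluetun"
            # Credentials are mounted read-only: the container only reads
            # them. The in-container paths match gluetun's default
            # OPENVPN_USER_SECRETFILE / OPENVPN_PASSWORD_SECRETFILE locations
            # -- confirm against the image version actually deployed.
            "${openVpnPwd}:/run/secrets/openvpn_password:ro"
            "${openVpnUser}:/run/secrets/openvpn_user:ro"
          ];
          environment = {
            VPN_SERVICE_PROVIDER = "protonvpn";
            VPN_TYPE = "openvpn";
            SERVER_COUNTRIES = "Switzerland";
            # NOTE(review): the forwarded port is handed out by the VPN server
            # at connect time and is not necessarily 6887; qbittorrent's
            # listen port has to be kept in sync with it (e.g. via gluetun's
            # port-forward hook or control server) for inbound-over-VPN to
            # work -- verify.
            VPN_PORT_FORWARDING = "on";
          };
          devices = ["/dev/net/tun:/dev/net/tun"];
        };

        services.qbittorrent.service = {
          # NOTE(review): ":latest" is a floating tag; pin a version tag or
          # digest so updates are deliberate (supply-chain hygiene).
          image = "lscr.io/linuxserver/qbittorrent:latest";
          container_name = "qbittorrent";
          restart = "always";
          volumes = [
            "/srv/docker/media-server/arrstack/qbittorrent:/config"
            "/media/media/downloads:/downloads"
          ];
          environment = {
            TZ = "Europe/London";
            # Must agree with the ports published on the gluetun service.
            WEBUI_PORT = webUiPort;
            TORRENTING_PORT = torrentPort;
            # Files under /config and /downloads are created as this host
            # uid/gid.
            PUID = 1000;
            PGID = 1000;
          };
          # Shares gluetun's network namespace: this container has no network
          # of its own, so its traffic is routed (and firewalled) by gluetun
          # and its ports are published on the gluetun service, not here.
          network_mode = "service:gluetun";
        };
      };
    };
  };
}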