{
  inputs,
  config,
  pkgs,
  lib,
  ...
}: let
  transmissionUserName = "admin";
in {
  imports = [inputs.nixarr.nixosModules.default];

  clan.core.vars.generators."nixarr-transmission" = {
    prompts.password = {
      type = "hidden";
      persist = true;
      description = "Leave empty to generate automatically";
    };

    files.credentialsFile = {};
    files.password.deploy = false;
    files.cross-seed-credentialsFile = {};

    runtimeInputs = [
      pkgs.coreutils
      pkgs.xkcdpass
      pkgs.mkpasswd
      pkgs.openssl
    ];

    script = ''
      prompt_value="$(cat "$prompts/password")"
      if [[ -n "''${prompt_value-}" ]]; then
        echo "$prompt_value" | tr -d "\n" > "$out"/password
      else
        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
      fi

      PASS="$(cat "$out/password")"
      SALT="$(openssl rand -hex 4)"
      HASH="$(echo -n "$PASS$SALT" | sha1sum | cut -d" " -f 1)"

      echo "{\"rpc-password\": \"{$HASH$SALT\", \"rpc-authentication-required\": true, \"rpc-username\": \"${transmissionUserName}\"}" > $out/credentialsFile
      echo "{\"transmissionRpcUrl\": \"http://admin:$PASS@localhost:9091/transmission/rpc\"}" > $out/cross-seed-credentialsFile
    '';
  };
  nixarr.transmission = {
    enable = true;
    vpn.enable = true;
    peerPort = 39350;
    credentialsFile = config.clan.core.vars.generators.nixarr-transmission.files.credentialsFile.path;
  };
  services.nginx.virtualHosts."torrent.moritz.place" = {
    forceSSL = true;
    useACMEHost = "any.moritz.place";
    locations."/" = {
      proxyPass = "http://127.0.0.1:${builtins.toString config.nixarr.transmission.uiPort}";
    };
  };
  nixarr.transmission.privateTrackers.cross-seed = {
    enable = true;
    extraSettings = {
      delay = 30;
      matchMode = "partial";
      skipRecheck = true;
      autoResumeMaxDownload = 52428800;
      ignoreNonRelevantFilesToResume = false;
      linkDirs = [
        "${config.nixarr.mediaDir}/torrents/.linking"
      ];
      excludeOlder = "2 weeks";
      excludeRecentSearch = "3 days";
      searchCadence = "1 day";
      snatchTimeout = "30 seconds";
      searchTimeout = "2 minutes";
    };
    indexIds = [
      4
      1
    ];
  };
  systemd.services.cross-seed = {
    serviceConfig = {
      ExecStartPre = let
        cross-seed-credentialsFile = config.clan.core.vars.generators.nixarr-transmission.files.cross-seed-credentialsFile.path;
        cfg = config.util-nixarr.services.cross-seed;
      in
        lib.mkAfter [
          (
            "+"
            + pkgs.writeShellScript "transmission-prestart-custom" ''
              tmp="$(mktemp)"
              ${pkgs.jq}/bin/jq --slurp add '${cfg.dataDir}/config.json' '${cross-seed-credentialsFile}' > "$tmp"
              install -D -m 600 -o '${cfg.user}' "$tmp" '${cfg.dataDir}/config.json'
              rm -rf "$tmp"
            ''
          )
        ];
    };
  };
  systemd.tmpfiles.rules = let
    cfg = config.nixarr;
  in lib.mkAfter [
    "d '${cfg.mediaDir}/torrents/.linking'                     0750 cross-seed cross-seed - -"
    "d '${cfg.mediaDir}/torrents/.cross-seed'                  0750 cross-seed cross-seed - -"
  ];
}