{
  pkgs,
  config,
  lib,
  ...
}: let
  cfg = config.nixarr.autobrr;

  createAdminUser = pkgs.writeShellApplication {
    name = "create-admin-user";
    runtimeInputs = [config.nixarr.autobrr.package];
    text = ''
      file="${cfg.stateDir}/admin-created"
      if [ ! -f $file ]; then
        autobrrctl --config "${cfg.stateDir}" create-user admin < "${config.clan.core.vars.generators.nixarr-autobrr.files.password.path}"
        touch "$file"
      fi
    '';
  };
in {
  clan.core.vars.generators."nixarr-autobrr" = {
    prompts.password = {
      type = "hidden";
      persist = true;
      description = "Leave empty to generate automatically";
    };

    files.password = {};

    runtimeInputs = [
      pkgs.coreutils
      pkgs.xkcdpass
    ];

    script = ''
      prompt_value="$(cat "$prompts/password")"
      if [[ -n "''${prompt_value-}" ]]; then
        echo "$prompt_value" | tr -d "\n" > "$out"/password
      else
        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
      fi
    '';
  };
  systemd.services.autobrr-setup = {
    description = "Setup autobrr user";
    wantedBy = ["default.target"];
    requires = ["autobrr.service"];
    after = ["autobrr.service"];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = lib.getExe createAdminUser;
    };
  };

  nixarr.autobrr = {
    enable = true;
    vpn.enable = true;
    settings = {
      checkForUpdates = false;
      port = 7474;
      host = lib.mkForce "192.168.15.1";
      logLevel = "INFO";
    };
  };
  services.nginx.virtualHosts."autobrr.moritz.place" = {
    forceSSL = true;
    useACMEHost = "any.moritz.place";
    locations."/" = {
      proxyPass = "http://192.168.15.1:${builtins.toString config.nixarr.autobrr.settings.port}";
    };
  };
}