{
  config,
  pkgs,
  ...
}: {
  clan.core.vars.generators."nixarr-prowlarr" = {
    prompts.password = {
      type = "hidden";
      persist = true;
      description = "Leave empty to generate automatically";
    };

    files.password.deploy = false;

    runtimeInputs = [
      pkgs.coreutils
      pkgs.xkcdpass
    ];

    script = ''
      prompt_value="$(cat "$prompts/password")"
      if [[ -n "''${prompt_value-}" ]]; then
        echo "$prompt_value" | tr -d "\n" > "$out"/password
      else
        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/password
      fi
    '';
  };
  nixarr.prowlarr = {
    # NOTE: cannot set password so just set the generated one manually
    enable = true;
    vpn.enable = true;
  };
  services.flaresolverr.enable = true;
  systemd.services.flaresolverr.vpnConfinement = {
    enable = true;
    vpnNamespace = "wg";
  };
  services.nginx.virtualHosts."prowlarr.moritz.place" = {
    forceSSL = true;
    useACMEHost = "any.moritz.place";
    locations."/" = {
      proxyPass = "http://127.0.0.1:${builtins.toString config.nixarr.prowlarr.port}";
    };
  };
}