{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.services.qbittorrent-nox;
in {
  options.services.qbittorrent-nox = {
    enable = mkEnableOption "Enables the qbittorrent-nox services.";

    port = mkOption rec {
      type = types.int;
      default = 6969;
      example = default;
      description = "Torrenting port.";
    };

    webuiPort = mkOption rec {
      type = types.port;
      default = 8080;
      example = default;
      description = "WebUI port.";
    };

    dataDir = mkOption rec {
      type = types.path;
      default = "/var/lib/qbittorrent-nox";
      example = default;
      description = "Directory to store qbittorrent-nox data files.";
    };

    user = mkOption {
      type = types.str;
      default = "qbittorrent-nox";
      description = "User account under which qbittorrent-nox runs.";
    };

    group = mkOption {
      type = types.str;
      default = "qbittorrent-nox";
      description = "Group under which qbittorrent-nox runs.";
    };

    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = "Open `services.qbittorrent-nox.port`.";
    };

    package = mkOption {
      type = types.package;
      default = pkgs.qbittorrent-nox;
      defaultText = literalExpression "pkgs.qbittorrent-nox";
      description = "The qbittorrent package to use.";
    };
  };

  config = mkIf cfg.enable {
    users.users.qbittorrent-nox = {
      description = "qbittorrent-nox service user.";
      home = cfg.dataDir;
      createHome = true;
      isSystemUser = true;
      group = "qbittorrent-nox";
    };
    users.groups.qbittorrent-nox = {};

    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [cfg.port];
      allowedUDPPorts = [cfg.port];
    };

    systemd.services.qbittorrent-nox = {
      wantedBy = ["multi-user.target"];
      after = ["network.target"];

      serviceConfig = {
        Type = "simple";
        ExecStart = "${cfg.package}/bin/qbittorrent-nox --torrenting-port=${toString cfg.port} --webui-port=${toString cfg.webuiPort}";
        Restart = "always";
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.dataDir;
        # Runtime directory and mode
        RuntimeDirectory = "qbittorrent-nox";
        RuntimeDirectoryMode = "0755";
        # Proc filesystem
        ProcSubset = "pid";
        ProtectProc = "invisible";
        # Access write directories
        ReadWritePaths = [cfg.dataDir];
        UMask = "0027";
        # Capabilities
        CapabilityBoundingSet = "";
        # Security
        NoNewPrivileges = true;
        # Sandboxing
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        PrivateMounts = true;
      };
    };
  };
}