{
  config,
  lib,
  pkgs,
  ...
}:
{
  # Accept TCP on the wg0 interface for the ports the nginx virtual hosts in
  # this file proxy to: 7878 (radarr), 8989 (sonarr) and 8686 (lidarr).
  # NOTE(review): a wg0 peer connecting to these ports reaches the application
  # directly rather than through nginx, so every wg0 peer has to be trusted
  # with the applications' own UI and API — confirm authentication is enabled
  # in each of them.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [ 7878 8989 8686 ];

  # Same three ports as the wg0 firewall rule: 7878 (radarr), 8989 (sonarr),
  # 8686 (lidarr). Presumably the healthchecks module asserts that these are
  # NOT reachable from the public side — confirm against that module.
  # NOTE(review): 9696 (prowlarr, see the nginx proxy target in this file) is
  # not in this list; consider covering it too.
  healthchecks.closed.public.ports.arr = [ 7878 8989 8686 ];

  # HTTP probes against the public-looking aliases of the sonarr and radarr
  # virtual hosts, each with a string expected in the response. How and from
  # where the probe runs is defined by the healthchecks module, not here.
  # NOTE(review): lidarr.ingolf-wagner.de is declared as an nginx alias in
  # this file as well but has no probe — confirm that is intentional.
  healthchecks.http.sonarr = {
    url = "sonarr.ingolf-wagner.de";
    expectedContent = "Sonarr";
  };
  healthchecks.http.radarr = {
    url = "radarr.ingolf-wagner.de";
    expectedContent = "Radarr";
  };

  # Sonarr (series), Radarr (movies) and Lidarr (music) all run under the
  # shared "media" user and group. The three services can therefore read and
  # write each other's files; they are not isolated from one another at the
  # file-permission level.
  services.sonarr.enable = true;
  services.sonarr.user = "media";
  services.sonarr.group = "media";

  services.radarr.enable = true;
  services.radarr.user = "media";
  services.radarr.group = "media";

  services.lidarr.enable = true;
  services.lidarr.user = "media";
  services.lidarr.group = "media";

  # Prowlarr (indexer API front end) is enabled without the "media"
  # user/group override, so it runs as whatever account its module defaults to.
  services.prowlarr.enable = true;

  #services.jellyseerr = {
  #  enable = true;
  #};

  # Keep /media/arr owned by media:media with no access for other users.
  # NOTE(review): file-mode "770" also sets the execute bit on regular files
  # for owner and group. If permown applies the value as a plain chmod mode,
  # "660" would be enough for media files — confirm nothing under /media/arr
  # needs to be executable before tightening it.
  services.permown."/media/arr".owner = "media";
  services.permown."/media/arr".group = "media";
  services.permown."/media/arr".directory-mode = "770";
  services.permown."/media/arr".file-mode = "770";

  # Reverse-proxy virtual hosts for the *arr web UIs. Each one forwards "/" to
  # an application port on localhost and restricts clients by source address
  # with nginx allow/deny rules in extraConfig.
  #
  # The source-address list is the only access control set in this block: no
  # TLS or HTTP authentication option appears here, so either they are
  # configured elsewhere or the VPN links are relied on for confidentiality.
  # NOTE(review): allow/deny match the address of the connecting peer; if one
  # of these names is ever served through another proxy or NAT, the rules see
  # that hop instead of the real client.
  services.nginx.virtualHosts = {
    # radarr, sonarr and lidarr: reachable from the tinc private subnet and
    # the wg0 WireGuard subnet. The serverAliases entry adds a second name for
    # the same server block, so the allow/deny rules apply to it as well.
    "radarr.${config.networking.hostName}.private" = {
      serverAliases = [ "radarr.ingolf-wagner.de" ];
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        allow ${config.wireguard.wg0.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:7878";
        proxyWebsockets = true;
      };
    };
    "sonarr.${config.networking.hostName}.private" = {
      serverAliases = [ "sonarr.ingolf-wagner.de" ];
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        allow ${config.wireguard.wg0.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:8989";
        proxyWebsockets = true;
      };
    };
    "lidarr.${config.networking.hostName}.private" = {
      serverAliases = [ "lidarr.ingolf-wagner.de" ];
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        allow ${config.wireguard.wg0.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:8686";
        proxyWebsockets = true;
      };
    };
    # prowlarr and jellyseerr: tinc private subnet only, no wg0 rule and no
    # additional server alias.
    "prowlarr.${config.networking.hostName}.private" = {
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:9696";
        proxyWebsockets = true;
      };
    };
    # NOTE(review): services.jellyseerr is commented out in this file, so
    # unless it is enabled elsewhere this vhost proxies to a port with no
    # listener. Consider wrapping the definition in
    # `lib.mkIf config.services.jellyseerr.enable` so the vhost only exists
    # together with the service.
    "jellyseerr.${config.networking.hostName}.private" = {
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.jellyseerr.port}";
        proxyWebsockets = true;
      };
    };
  };

}