{
  config,
  lib,
  pkgs,
  ...
}:
{
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    7878
    8989
    8686
  ];

  verify.closed.public.ports.arr = [
    7878
    8989
    8686
  ];
  verify.localCommands =
    let
      curl = lib.getExe pkgs.curl;
      grep = lib.getExe pkgs.gnugrep;

      command = domain: grepString: ''
        if ${curl} -s -o /dev/null -w "%{http_code}" ${domain} | ${grep} -q "200"; then
          if ${curl} -s ${domain} | ${grep} -q "${grepString}"; then
            echo "[ OK ] Die Seite hat Statuscode 200 und enthält den String '${grepString}'."
          else
            echo "[Fail] Der Statuscode ist 200, aber die Seite enthält den String '${grepString}' nicht."
          fi
        else
          echo "[Fail] Die Seite hat keinen Statuscode 200."
        fi
      '';
    in
    {
      sonarr = command "sonarr.ingolf-wagner.de" "Sonarr";
      radarr = command "radarr.ingolf-wagner.de" "Radarr";
    };

  # download series
  services.sonarr = {
    enable = true;
    group = "media";
    user = "media";
  };

  # download movies
  services.radarr = {
    enable = true;
    group = "media";
    user = "media";
  };

  # download music
  services.lidarr = {
    enable = true;
    group = "media";
    user = "media";
  };

  # better indexer apis
  services.prowlarr = {
    enable = true;
    #group = "media";
    #user = "media";
  };

  services.jellyseerr = {
    enable = true;
  };

  services.permown."/media/arr" = {
    owner = "media";
    group = "media";
    directory-mode = "770";
    file-mode = "770";
  };

  services.nginx.virtualHosts = {
    "radarr.${config.networking.hostName}.private" = {
      serverAliases = [ "radarr.ingolf-wagner.de" ];
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        allow ${config.wireguard.wg0.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:7878";
        proxyWebsockets = true;
      };
    };
    "sonarr.${config.networking.hostName}.private" = {
      serverAliases = [ "sonarr.ingolf-wagner.de" ];
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        allow ${config.wireguard.wg0.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:8989";
        proxyWebsockets = true;
      };
    };
    "lidarr.${config.networking.hostName}.private" = {
      serverAliases = [ "lidarr.ingolf-wagner.de" ];
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        allow ${config.wireguard.wg0.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:8686";
        proxyWebsockets = true;
      };
    };
    "prowlarr.${config.networking.hostName}.private" = {
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:9696";
        proxyWebsockets = true;
      };
    };
    "jellyseerr.${config.networking.hostName}.private" = {
      extraConfig = ''
        allow ${config.tinc.private.subnet};
        deny all;
      '';
      locations."/" = {
        proxyPass = "http://localhost:${toString config.services.jellyseerr.port}";
        proxyWebsockets = true;
      };
    };
  };

}