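# NixOS module: runs qBittorrent inside a private-network container named
# "torrent" and policy-routes everything the container originates through the
# `mullvad` interface. Routing table 1000 carries a blackhole default so that
# container traffic has no fallback path in that table.
#
# The source arrived collapsed onto one line, where the `#` comments would
# swallow the rest of the file; the line structure is restored here.
{ ... }:
let
  # Container end of the veth pair; the host end is 192.168.100.10 (see below).
  containerIp = "192.168.100.11";
in
{
  networking = {
    # Rule order matters: priority 999 (container -> 192.168.1.0/24 via `main`)
    # is evaluated before priority 1000 (everything else from the container via
    # table 1000).
    #
    # NOTE(review): this file only puts a blackhole default (metric 999) into
    # table 1000. Presumably the mullvad interface setup elsewhere installs a
    # lower-metric default route in the same table; confirm, because without it
    # the container has no outbound connectivity at all.
    #
    # NOTE(review): `ip rule add` / `ip route add` are not idempotent. They are
    # left unchanged on purpose: a delete-then-add sequence would briefly let
    # container traffic fall through to `main`, and `|| true` would hide a
    # failure to install the rule that keeps traffic off the default route.
    # Confirm how the unit behaves when these commands are re-run.
    localCommands = ''
      # Route outgoing traffic over mullvad
      ip rule add from ${containerIp} table 1000 priority 1000
      ip route add blackhole default table 1000 metric 999
      ip rule add from ${containerIp} to 192.168.1.0/24 table main priority 999
    '';

    nat = {
      # NOTE(review): networking.nat.enable is not set in this file; presumably
      # it is enabled elsewhere, otherwise these commands may never run - confirm.
      #
      # Rules are appended to built-in chains, so each one is checked with -C
      # first and only appended when missing; a plain -A adds another copy every
      # time the commands are re-run. Only the check's stderr is silenced, so a
      # failing append still surfaces.
      #
      # The two DROP rules discard packets that arrive on `mullvad` claiming a
      # source address from the container subnet or the 192.168.1.0/24 LAN.
      extraCommands = ''
        iptables -t nat -C POSTROUTING -s ${containerIp} -o mullvad -j MASQUERADE 2>/dev/null \
          || iptables -t nat -A POSTROUTING -s ${containerIp} -o mullvad -j MASQUERADE
        iptables -t mangle -C PREROUTING -i mullvad -s 192.168.100.0/24 -j DROP 2>/dev/null \
          || iptables -t mangle -A PREROUTING -i mullvad -s 192.168.100.0/24 -j DROP
        iptables -t mangle -C PREROUTING -i mullvad -s 192.168.1.0/24 -j DROP 2>/dev/null \
          || iptables -t mangle -A PREROUTING -i mullvad -s 192.168.1.0/24 -j DROP
      '';
    };
  };

  # Reverse proxy for the WebUI; the upstream hop is plain HTTP over the veth pair.
  # NOTE(review): `privateVirtualHosts` is not a stock nixpkgs option; presumably
  # it is defined elsewhere in this configuration and limits who can reach the
  # vhost - confirm, since it is the only access control in front of the WebUI
  # besides the WebUI login itself.
  services.nginx.privateVirtualHosts."qbt.lan" = {
    locations."/" = {
      proxyPass = "http://${containerIp}:8080";
    };
  };

  # Host directory backing the container's download path.
  # NOTE(review): created as root:root 0755, i.e. readable by every host user and
  # writable only by root; confirm the account qBittorrent runs as inside the
  # container can write here.
  systemd.tmpfiles.rules = [ "d /data/torrent 0755 root root -" ];

  containers.torrent = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = containerIp;

    bindMounts = {
      "/var/lib/qBittorrent/qBittorrent/downloads" = {
        hostPath = "/data/torrent";
        isReadOnly = false;
      };
    };

    config = { ... }: {
      boot.isContainer = true;

      # networking.nameservers = [ "10.64.0.1" ];

      # resolv.conf is pinned to a single resolver and both resolved and
      # resolvconf are switched off, so nothing rewrites the file at runtime.
      # 10.64.0.1 is not on the LAN range exempted above, so per the rules in
      # this file DNS queries from the container follow table 1000 as well.
      environment.etc."resolv.conf".text = ''
        nameserver 10.64.0.1
        options edns0 trust-ad
      '';
      services.resolved.enable = false;
      networking.resolvconf.enable = false;

      services.qbittorrent = {
        enable = true;
        openFirewall = true;
        serverConfig = {
          LegalNotice.Accepted = true;
          Preferences = {
            General.Locale = "en";
            WebUI = {
              Username = "admin";
              # SECURITY: this PBKDF2 verifier is committed with the file and is
              # presumably rendered into the world-readable Nix store as well.
              # Anyone who can read either copy can attempt offline guessing, so
              # the password must be long and random; prefer supplying it from a
              # secret that is not part of the evaluated configuration, and
              # rotate it if this file has been shared.
              Password_PBKDF2 = "nNQGvR+niYyKVaT5SQ+Kpw==:0lzflYcsj6d3p5B50ceOS9tZBbxnlkdY5hkK5Ki8ZE4zMI8ZfyJYfWDThjCOULPFNPkUnOWGKhnSPaOibzaNGw==";
            };
          };
        };
      };

      # NOTE(review): NixOS releases are named YY.05 / YY.11; confirm "25.04" is
      # the intended value before changing it, since stateVersion gates
      # stateful defaults.
      system.stateVersion = "25.04";
    };
  };
}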