{pkgs, ...}: {
  project.name = "media";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  services = {
    jellyfin.service = {
      image = "linuxserver/jellyfin:10.9.1";
      container_name = "jellyfin";
      ports = [
        "8096:8096"
      ];
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.jellyfin.entrypoints" = "websecure";
        "traefik.http.routers.jellyfin.rule" = "Host(`jellyfin.ghoscht.com`)";
        "traefik.http.services.jellyfin.loadbalancer.server.port" = "8096";
        "traefik.http.services.jellyfin.loadbalancer.passHostHeader" = "true";
        "traefik.http.routers.jellyfin.tls" = "true";
        "traefik.http.routers.jellyfin.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/jellyfin_data:/config"
        "/storage/dataset/data/media/tv:/tv"
        "/storage/dataset/data/media/anime:/anime"
        "/storage/dataset/data/media/movies:/movies"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    navidrome.service = {
      image = "deluan/navidrome:0.52.0";
      container_name = "navidrome";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.navidrome.entrypoints" = "websecure";
        "traefik.http.routers.navidrome.rule" = "Host(`navidrome.ghoscht.com`)";
        "traefik.http.services.navidrome.loadbalancer.server.port" = "4533";
        "traefik.http.routers.navidrome.tls" = "true";
        "traefik.http.routers.navidrome.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/navidrome_data:/data"
        "/storage/dataset/data/media/music:/music"
      ];
      environment = {
        ND_SESSIONTIMEOUT = "336h";
      };
      env_file = [
        "/home/ghoscht/.docker/media/navidrome.env"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    kavita.service = {
      image = "jvmilazz0/kavita:0.7.14";
      container_name = "kavita";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.kavita.entrypoints" = "websecure";
        "traefik.http.routers.kavita.rule" = "Host(`kavita.ghoscht.com`)";
        "traefik.http.services.kavita.loadbalancer.server.port" = "5000";
        "traefik.http.routers.kavita.tls" = "true";
        "traefik.http.routers.kavita.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/kavita_data:/kavita/config"
        "/storage/dataset/data/media/manga:/manga"
      ];
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    vpn.service = {
      image = "haugene/transmission-openvpn:5.3.1";
      container_name = "transmission";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.transmission.entrypoints" = "websecure";
        "traefik.http.routers.transmission.rule" = "Host(`transmission.ghoscht.com`)";
        "traefik.http.services.transmission.loadbalancer.server.port" = "9091";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.transmission.tls" = "true";
        "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/transmission_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
        OPENVPN_PROVIDER = "WINDSCRIBE";
        OPENVPN_CONFIG = "Vienna-Hofburg-udp";
        OVPN_PROTOCOL = "udp";
        OPENVPN_OPTS = "--pull-filter ignore ping --ping 10 --ping-restart 120";
        LOCAL_NETWORK = "192.168.0.0/16";
        TRANSMISSION_DOWNLOAD_DIR = "/data/torrents";
        TRANSMISSION_INCOMPLETE_DIR = "/data/torrents/incomplete";
        TRANSMISSION_WEB_UI = "flood-for-transmission";
        WEBPROXY_ENABLED = "true";
      };
      ports = ["8118:8118"];
      env_file = [
        "/home/ghoscht/.docker/media/windscribe.env"
      ];
      capabilities = {
        NET_ADMIN = true;
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
    prowlarr.service = {
      image = "linuxserver/prowlarr:1.16.2";
      container_name = "prowlarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.prowlarr.entrypoints" = "websecure";
        "traefik.http.routers.prowlarr.rule" = "Host(`prowlarr.ghoscht.com`)";
        "traefik.http.services.prowlarr.loadbalancer.server.port" = "9696";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.prowlarr.tls" = "true";
        "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/prowlarr_data:/config"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
      };
      restart = "always";
    };
    sonarr.service = {
      image = "linuxserver/sonarr:4.0.4";
      container_name = "sonarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.sonarr.entrypoints" = "websecure";
        "traefik.http.routers.sonarr.rule" = "Host(`sonarr.ghoscht.com`)";
        "traefik.http.services.sonarr.loadbalancer.server.port" = "8989";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.sonarr.tls" = "true";
        "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/sonarr_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
      };
      restart = "always";
    };
    radarr.service = {
      image = "linuxserver/radarr:5.4.6";
      container_name = "radarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.radarr.entrypoints" = "websecure";
        "traefik.http.routers.radarr.rule" = "Host(`radarr.ghoscht.com`)";
        "traefik.http.services.radarr.loadbalancer.server.port" = "7878";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.radarr.tls" = "true";
        "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/radarr_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
      };
      restart = "always";
    };
    lidarr.service = {
      image = "linuxserver/lidarr:2.2.5";
      container_name = "lidarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.lidarr.entrypoints" = "websecure";
        "traefik.http.routers.lidarr.rule" = "Host(`lidarr.ghoscht.com`)";
        "traefik.http.services.lidarr.loadbalancer.server.port" = "8686";
        "traefik.http.routers.lidarr.service" = "lidarr";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.lidarr.tls" = "true";
        "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/lidarr_data:/config"
        "/storage/dataset/docker/media/lidarr_addons/custom-services.d:/custom-services.d"
        "/storage/dataset/docker/media/lidarr_addons/custom-cont-init.d:/custom-cont-init.d"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
      };
      restart = "always";
    };
    bazarr.service = {
      image = "hotio/bazarr:release-1.4.2";
      container_name = "bazarr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.bazarr.entrypoints" = "websecure";
        "traefik.http.routers.bazarr.rule" = "Host(`bazarr.ghoscht.com`)";
        "traefik.http.services.bazarr.loadbalancer.server.port" = "6767";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.bazarr.tls" = "true";
        "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/bazarr_data:/config"
        "/storage/dataset/data/:/data"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      networks = ["dmz"];
      restart = "always";
    };
    jellyseerr.service = {
      image = "fallenbagel/jellyseerr:1.7.0";
      container_name = "jellyseerr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.jellyseerr.entrypoints" = "websecure";
        "traefik.http.routers.jellyseerr.rule" = "Host(`jellyseerr.ghoscht.com`)";
        "traefik.http.services.jellyseerr.loadbalancer.server.port" = "5055";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.jellyseerr.tls" = "true";
        "traefik.http.routers.jellyseerr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/jellyseerr_data:/app/config"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      networks = ["dmz"];
      restart = "always";
    };
    autobrr.service = {
      image = "ghcr.io/autobrr/autobrr:v1.41.0";
      container_name = "autobrr";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.autobrr.entrypoints" = "websecure";
        "traefik.http.routers.autobrr.rule" = "Host(`autobrr.ghoscht.com`)";
        "traefik.http.services.autobrr.loadbalancer.server.port" = "7474";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.autobrr.tls" = "true";
        "traefik.http.routers.autobrr.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/docker/media/autobrr_data:/config"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
        sonarr = {condition = "service_started";};
        radarr = {condition = "service_started";};
      };
      restart = "always";
    };
    deemix.service = {
      image = "finniedj/deemix:latest";
      container_name = "deemix";
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.deemix.entrypoints" = "websecure";
        "traefik.http.routers.deemix.rule" = "Host(`deemix.ghoscht.com`)";
        "traefik.http.services.deemix.loadbalancer.server.port" = "6595";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.deemix.tls" = "true";
        "traefik.http.routers.deemix.tls.certresolver" = "letsencrypt";
      };
      volumes = [
        "/storage/dataset/data/deemix:/downloads"
      ];
      environment = {
        PUID = 1000;
        PGID = 1000;
        UMASK_SET = 022;
        TZ = "Europe/Berlin";
      };
      network_mode = "service:vpn";
      depends_on = {
        vpn = {condition = "service_healthy";};
      };
      restart = "always";
    };
    unpackerr.service = {
      image = "golift/unpackerr:0.13";
      container_name = "unpackerr";
      volumes = [
        "/storage/dataset/data/:/data"
      ];
      user = "1000:1000";
      env_file = [
        "/home/ghoscht/.docker/media/unpackerr.env"
      ];
      environment = {
        TZ = "Europe/Berlin";
        # General config
        UN_DEBUG = "false";
        UN_INTERVAL = "2m";
        UN_START_DELAY = "1m";
        UN_RETRY_DELAY = "5m";
        UN_MAX_RETRIES = 3;
        UN_PARALLEL = 1;
        UN_FILE_MODE = 0644;
        UN_DIR_MODE = 0755;
        # Sonarr Config
        UN_SONARR_0_URL = "http://transmission:8989";
        UN_SONARR_0_PATHS_0 = "/data/torrents/tv";
        UN_SONARR_0_PROTOCOLS = "torrent";
        UN_SONARR_0_TIMEOUT = "10s";
        UN_SONARR_0_DELETE_ORIG = "false";
        UN_SONARR_0_DELETE_DELAY = "5m";
        # Radarr Config
        UN_RADARR_0_URL = "http://transmission:7878";
        UN_RADARR_0_PATHS_0 = "/data/torrents/movies";
        UN_RADARR_0_PROTOCOLS = "torrent";
        UN_RADARR_0_TIMEOUT = "10s";
        UN_RADARR_0_DELETE_ORIG = "false";
        UN_RADARR_0_DELETE_DELAY = "5m";
        # Lidarr Config
        UN_LIDARR_0_URL = "http://transmission:8686";
        UN_LIDARR_0_PATHS_0 = "/data/torrents/music";
        UN_LIDARR_0_PROTOCOLS = "torrent";
        UN_LIDARR_0_TIMEOUT = "10s";
        UN_LIDARR_0_DELETE_ORIG = "false";
        UN_LIDARR_0_DELETE_DELAY = "5m";
      };
      networks = ["dmz"];
      depends_on = {
        vpn = {condition = "service_healthy";};
        prowlarr = {condition = "service_started";};
        sonarr = {condition = "service_started";};
        radarr = {condition = "service_started";};
      };
      restart = "always";
    };
  };
}