{ config, lib, ... }:
{
  forest.proxiedUsers = [ "prowlarr" ];

  sops = {
    secrets = {
      "prowlarr/apiKey" = { };
      "radarr/apiKey" = { };
      "sonarr/apiKey" = { };
    };
    templates = {
      prowlarr-env.content = "PROWLARR__AUTH__APIKEY=${config.sops.placeholder."prowlarr/apiKey"}";
      radarr-env.content = "RADARR__AUTH__APIKEY=${config.sops.placeholder."radarr/apiKey"}";
      sonarr-env.content = "SONARR__AUTH__APIKEY=${config.sops.placeholder."sonarr/apiKey"}";
    };
  };

  services = {
    prowlarr = {
      enable = true;
      openFirewall = true;
      environmentFiles = [ config.sops.templates.prowlarr-env.path ];
      settings = {
        log.level = "debug";
        server.bindaddress = "127.0.0.1";
      };
    };
    radarr = {
      enable = true;
      openFirewall = true;
      environmentFiles = [ config.sops.templates.radarr-env.path ];
      settings = {
        log.level = "debug";
        server.bindaddress = "127.0.0.1";
      };
    };
    sonarr = {
      enable = true;
      openFirewall = true;
      environmentFiles = [ config.sops.templates.sonarr-env.path ];
      settings = {
        log.level = "debug";
        server.bindaddress = "127.0.0.1";
      };
    };
    jellyseerr.enable = true;
  };

  forest.nginxHosts = [
    (lib.mkIf config.services.sonarr.enable {
      "sonarr.forest.monke" = {
        onlySSL = true;
        http2 = true;
        sslCertificate = config.sops.secrets."ssl/cert".path;
        sslCertificateKey = config.sops.secrets."ssl/key".path;
        locations."/".proxyPass = "http://127.0.0.1:8989";
      };
    })
    (lib.mkIf config.services.radarr.enable {
      "radarr.forest.monke" = {
        onlySSL = true;
        http2 = true;
        sslCertificate = config.sops.secrets."ssl/cert".path;
        sslCertificateKey = config.sops.secrets."ssl/key".path;
        locations."/".proxyPass = "http://127.0.0.1:7878";
      };
    })
    (lib.mkIf config.services.prowlarr.enable {
      "prowlarr.forest.monke" = {
        onlySSL = true;
        http2 = true;
        sslCertificate = config.sops.secrets."ssl/cert".path;
        sslCertificateKey = config.sops.secrets."ssl/key".path;
        locations."/".proxyPass = "http://127.0.0.1:9696";
      };
    })
    (lib.mkIf config.services.jellyseerr.enable {
      "reqs.forest.monke" = {
        onlySSL = true;
        http2 = true;
        sslCertificate = config.sops.secrets."ssl/cert".path;
        sslCertificateKey = config.sops.secrets."ssl/key".path;
        locations."/".proxyPass = "http://127.0.0.1:5055";
      };
    })
  ];
}