{
  pkgs,
  config,
  ...
}: let
  mountdir = "/var/media/danflix";

  rclone_config = pkgs.writeText "" ''
    [danflix-storage-box]
    type = sftp

    [danflix-crypto]
    type = crypt
    remote = danflix-storage-box:danflix
  '';
in {
  age.secrets = {
    danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age;
    danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age;
    danflix_env_file.file = ../../secrets/danflix_env_file.age;
  };

  services = {
    jellyfin.enable = true;

    transmission = {
      enable = true;
      settings = {
        rpc-host-whitelist-enable = true;
        rpc-host-whitelist = "bigding.squirrel-clownfish.ts.net,bigding";
      };
    };
  };

  users.users."daniel".extraGroups = ["transmission"];

  systemd.services.transmission.serviceConfig = {
    Restart = "always";
    RuntimeMaxSec = 28800;
    MemoryMax = "1G";
  };

  systemd.services.danflix-mount = {
    description = "Mount the Hetzner Storage Box media store";
    wantedBy = ["multi-user.target"];
    path = [pkgs.fuse3];
    preStart = ''
      mkdir -p -m 777 ${mountdir}
    '';
    environment = {
      "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path;
    };
    script = ''
      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \
         --vfs-cache-mode full \
         --vfs-cache-max-age 336h \
         --vfs-cache-max-size 60G \
         --allow-other \
         --no-modtime \
         --rc \
         --rc-addr=localhost:5572 \
         --rc-no-auth \
         -v
    '';
    postStart = ''
      sleep 5
      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" rc vfs/refresh recursive=true _async=true
    '';
    postStop = ''
      sleep 3
      fusermount -u ${mountdir}
    '';
    serviceConfig = {
      EnvironmentFile = config.age.secrets.danflix_env_file.path;
      Restart = "on-failure";
    };
  };
}