{
  config,
  pkgs,
  ...
}:

let
  radarrPort = 7878;
  sonarrPort = 8989;
  sabnzbdPort = 8280;
  delugePort = 8112;
  jackettPort = 9117;
  radarrDataDir = "/var/lib/radarr";
  downloadDir = "/downloads";
  incompleteDir = "/downloads-incomplete";
  sonarrDataDir = "/var/lib/sonarr";
  sabnzbdConfig = "/var/lib/sabnzbd";
  jackettDir = "/var/lib/jackett/.config/Jackett";
  mediaDir = "/media";
  arrUserId = config.users.users.nix-apps.uid;
  arrGroupId = config.users.groups.jallen-nas.gid;
  radarrPkg = pkgs.unstable.radarr;
  sonarrPkg = pkgs.unstable.sonarr;
  delugePkg = pkgs.unstable.deluge;
  jackettPkg = pkgs.unstable.jackett;
  sabnzbdPkg = pkgs.unstable.sabnzbd;
in
{
  containers.arrs = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.0.1.18";
    localAddress = "10.0.1.51";

    config =
      {
        pkgs,
        lib,
        ...
      }:
      {
        nixpkgs.config.allowUnfree = true;

        # Enable radarr service
        services.radarr = {
          enable = true;
          openFirewall = true;
          user = "arrs";
          group = "media";
          dataDir = radarrDataDir;
          package = radarrPkg;
        };

        # Enable Sonarr service
        services.sonarr = {
          enable = true;
          openFirewall = true;
          user = "arrs";
          group = "media";
          dataDir = sonarrDataDir;
          package = sonarrPkg;
        };

        # Enable Sabnzbd service
        services.sabnzbd = {
          enable = true;
          openFirewall = true;
          user = "arrs";
          group = "media";
          configFile = "${sabnzbdConfig}/sabnzbd.ini";
          package = sabnzbdPkg;
        };

        services.deluge = {
          enable = true;
          user = "arrs";
          group = "media";
          openFirewall = true;
          dataDir = "/media";
          package = delugePkg;
          web = {
            enable = true;
            port = 8112;
            openFirewall = true;
          };
        };

        services.jackett = {
          enable = true;
          user = "arrs";
          group = "media";
          openFirewall = true;
          package = jackettPkg;
        };

        # Create required users and groups
        users.users.arrs = {
          isSystemUser = true;
          uid = lib.mkForce arrUserId;
          group = "media";
          extraGroups = [ "downloads" ];
        };

        users.groups = {
          media = {
            gid = lib.mkForce arrGroupId;
          };
          downloads = { };
        };

        # System packages
        environment.systemPackages = with pkgs; [
          glib
          sqlite
          mono
          mediainfo
          protonvpn-cli_2
        ];

        # Create and set permissions for required directories
        system.activationScripts.radarr-dirs = ''
          mkdir -p ${radarrDataDir}
          mkdir -p ${sonarrDataDir}
          mkdir -p ${sabnzbdConfig}
          mkdir -p ${downloadDir}
          mkdir -p ${incompleteDir}
          mkdir -p ${mediaDir}

          chown -R arrs:media ${radarrDataDir}
          chown -R arrs:media ${sonarrDataDir}
          chown -R arrs:media ${sabnzbdConfig}
          chown -R arrs:media ${downloadDir}
          chown -R arrs:media ${incompleteDir}
          chown -R arrs:media ${mediaDir}

          chmod -R 775 ${radarrDataDir}
          chmod -R 775 ${sonarrDataDir}
          chmod -R 775 ${sabnzbdConfig}
          chmod -R 775 ${downloadDir}
          chmod -R 775 ${incompleteDir}
          chmod -R 775 ${mediaDir}

        '';

        networking = {
          firewall = {
            enable = true;
            allowedTCPPorts = [
              radarrPort
              sonarrPort
              sabnzbdPort
            ];
          };
          # Use systemd-resolved inside the container
          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
          useHostResolvConf = lib.mkForce false;
        };

        services.resolved.enable = true;
        system.stateVersion = "23.11";
      };

    # Bind mount directories from host
    bindMounts = {
      "${radarrDataDir}" = {
        hostPath = "/media/nas/ssd/nix-app-data/radarr";
        isReadOnly = false;
      };
      "${sonarrDataDir}" = {
        hostPath = "/media/nas/ssd/nix-app-data/sonarr";
        isReadOnly = false;
      };
      "${sabnzbdConfig}" = {
        hostPath = "/media/nas/ssd/nix-app-data/sabnzbd";
        isReadOnly = false;
      };
      "${downloadDir}" = {
        hostPath = "/media/nas/ssd/ssd_app_data/downloads";
        isReadOnly = false;
      };
      "${incompleteDir}" = {
        hostPath = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
        isReadOnly = false;
      };
      "${jackettDir}" = {
        hostPath = "/media/nas/ssd/nix-app-data/jackett";
        isReadOnly = false;
      };
      "/media/movies" = {
        hostPath = "/media/nas/main/movies";
        isReadOnly = false;
      };
      "/media/tv" = {
        hostPath = "/media/nas/main/tv";
        isReadOnly = false;
      };
      "/media/isos" = {
        hostPath = "/media/nas/main/isos";
        isReadOnly = false;
      };
    };
  };

  networking.nat = {
    forwardPorts = [
      {
        destination = "10.0.1.51:7878";
        sourcePort = radarrPort;
      }
      {
        destination = "10.0.1.51:8989";
        sourcePort = sonarrPort;
      }
      {
        destination = "10.0.1.51:8080";
        sourcePort = sabnzbdPort;
      }
      {
        destination = "10.0.1.51:8112";
        sourcePort = delugePort;
      }
      {
        destination = "10.0.1.51:9117";
        sourcePort = jackettPort;
      }
    ];
  };
}