{
  config,
  inputs,
  lib,
  libNginx,
  this,
  ...
}:
with lib;
let
  cfg = config.nixfiles.modules.piracy.lidarr;

  port = 8686;
in
{
  options.nixfiles.modules.piracy.lidarr = {
    enable = mkEnableOption "Lidarr";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = with types; str;
      default = "lidarr.${config.networking.domain}";
    };
  };

  config = mkIf cfg.enable {
    secrets.lidarr-api-key.file = "${inputs.self}/secrets/lidarr-api-key";

    ark.directories = [ "/var/lib/lidarr" ];

    nixfiles.modules = {
      nginx = {
        enable = true;
        upstreams.lidarr.servers."127.0.0.1:${toString port}" = { };
        virtualHosts.${cfg.domain} = {
          locations."/".proxyPass = "http://lidarr";
          extraConfig = libNginx.config.internalOnly;
        };
      };

      piracy = {
        enable = true;
        jackett.enable = true;
      };
    };

    services = {
      lidarr = {
        enable = true;
        group = "piracy";
      };

      prometheus.exporters.exportarr-lidarr = {
        enable = true;
        url = "http://127.0.0.1";
        port = port + 10000;
        apiKeyFile = config.secrets.lidarr-api-key.path;
        inherit (config.services.lidarr) user;
        inherit (config.services.lidarr) group;
        listenAddress = this.wireguard.ipv4.address;
        environment.CONFIG = "/var/lib/lidarr/.config/Lidarr/config.xml";
      };
    };

    systemd = {
      tmpfiles.rules = with config.services.lidarr; [
        "d /var/lib/lidarr/root 0755 ${user} ${group} - -"
      ];

      services.lidarr.after = [
        "flood.service"
        "jackett.service"
        "local-fs.target"
      ];
    };

    topology = with cfg; {
      nodes.${this.hostname}.services.lidarr = {
        info = domain;
        details.listen.text = "127.0.0.1:${toString port}";
      };
    };
  };
}