{
  config,
  inputs,
  lib,
  libNginx,
  this,
  ...
}:
with lib;
let
  cfg = config.nixfiles.modules.piracy.sonarr;

  port = 8989;
in
{
  options.nixfiles.modules.piracy.sonarr = {
    enable = mkEnableOption "Sonarr";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = with types; str;
      default = "sonarr.${config.networking.domain}";
    };
  };

  config = mkIf cfg.enable {
    secrets.sonarr-api-key.file = "${inputs.self}/secrets/sonarr-api-key";

    ark.directories = [ "/var/lib/sonarr" ];

    nixfiles.modules = {
      nginx = {
        enable = true;
        upstreams.sonarr.servers."127.0.0.1:${toString port}" = { };
        virtualHosts.${cfg.domain} = {
          locations."/".proxyPass = "http://sonarr";
          extraConfig = libNginx.config.internalOnly;
        };
      };

      piracy = {
        enable = true;
        jackett.enable = true;
      };
    };

    services = {
      sonarr = {
        enable = true;
        group = "piracy";
      };

      prometheus.exporters.exportarr-sonarr = {
        enable = true;
        url = "http://127.0.0.1";
        port = port + 10000;
        apiKeyFile = config.secrets.sonarr-api-key.path;
        inherit (config.services.sonarr) user;
        inherit (config.services.sonarr) group;
        listenAddress = this.wireguard.ipv4.address;
        environment.CONFIG = "/var/lib/sonarr/.config/Sonarr/config.xml";
      };
    };

    systemd = {
      tmpfiles.rules = with config.services.sonarr; [
        "d /var/lib/sonarr/root 0755 ${user} ${group} - -"
      ];

      services.sonarr.after = [
        "flood.service"
        "jackett.service"
        "local-fs.target"
      ];
    };

    topology = with cfg; {
      nodes.${this.hostname}.services.sonarr = {
        info = domain;
        details.listen.text = "127.0.0.1:${toString port}";
      };
    };
  };
}