{ pkgs, config, ... }:

with import <stockholm/lib>;
let
  web-port = 8080;
in {
  services.sabnzbd.enable = true;
  services.sabnzbd.group = "download";
  systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

  users.users.sabnzbd.group = mkForce "download";

  networking.firewall.extraCommands = ''
    iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT
  '';
}