diff --git a/hosts/nixos/lapetus/secrets.example.yaml b/hosts/nixos/lapetus/secrets.example.yaml index 0f6a0a7..ca511cb 100644 --- a/hosts/nixos/lapetus/secrets.example.yaml +++ b/hosts/nixos/lapetus/secrets.example.yaml @@ -13,3 +13,7 @@ microbin_env: | MICROBIN_UPLOAD_PASSWORD=... forgejo_mail_password: ... javi_password: ... +vpn_env: | + WIREGUARD_PRIVATE_KEY=... + WIREGUARD_ADDRESSES=... + SERVER_CITIES=... diff --git a/hosts/nixos/lapetus/secrets.yaml b/hosts/nixos/lapetus/secrets.yaml index 22cc542..2ed5783 100644 --- a/hosts/nixos/lapetus/secrets.yaml +++ b/hosts/nixos/lapetus/secrets.yaml @@ -7,6 +7,7 @@ cloudflare_tunnel_credentials: ENC[AES256_GCM,data:XuXXzhGdxYsF1ik2g7yS2wbaI08/A microbin_env: ENC[AES256_GCM,data:nxiE9GIvEb0xgqomDdMyy2UtG25pt7h+6JUZkAgIejZbJfsKfpIJcG02WJoj07I2VeTtN10Wd8IbrW9QEt64mLzlG7hqJN0Uwq8bjL1j5IaK,iv:pCWmF52MhMfZtdtMsL7wwt+KB33E/UPNtXzkiJ7NOWE=,tag:79e0u2yyRYckivY85hLqpg==,type:str] forgejo_mail_password: ENC[AES256_GCM,data:linrpmA8b+8e1+tWNl0=,iv:Mk7suPq0Jt960Zl9s2jj3SSAKt4t8Lv4eKdIo0o8JbE=,tag:TZ0qGJIVSFSUt/0cqamvdw==,type:str] javi_password: ENC[AES256_GCM,data:5Ifh/DclUz0/AL69Th/GckolrjerLOnDW77SOf+/L3v39T+EOYgK2GDNKtWGGWYX5sdxZ9JwLS3ZVsIOnN4zjFhgV+GChJWkkzjdpJEtpHlmmBKlyS31Fw7SixVkL3y3VJhw72aVv3bMKQ==,iv:FzAmvIlrhna5InsQCRrWVdrKZGmHMb0njWdvgBurdYs=,tag:/Iguu2FbdV/4RSGTnFdyYA==,type:str] +vpn_env: ENC[AES256_GCM,data:Nj19qT0rVCL2WUXyhtjpme+d1szmziJjxxyvyrBffjI5lnWGfnG5x1BRuIzx1nFy3mZmdARSJ8ERxyYIgukfZARXQvchE4OkQuQKPGIwpFOcZUnTXleItyLN4Ga/MuH7DhA9r9WRCUWB5nky/JuKlleYMJO10aWV3v6xfzbG5lb8rQxkE+l382qy3554tWonejtuf5dOmw15nsqCSw==,iv:uo4VBEcckw47F9kK2oKSqzOLJhXLRprGTDfRv7Km3i0=,tag:S3R+29uD8FDiaPp6SjS5IA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -31,8 +32,8 @@ sops: RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-21T00:38:43Z" - mac: ENC[AES256_GCM,data:/Aq7fQaIQmaG67xqW1P1GMgh8FYSoerR+eLZFRWTjcOaa71ZBt7+a4RAGDqQuoXUYoTxn4bBUKQBBbseMA2Wep9Z5JhGDNtzxVJbLHqVxC8NjLKQUV/M8ycBgTGvxFqHhcTeBbYfoNBgvMsOZpUCe8Utf+Z6BdEAzaDfKkRfT7M=,iv:ndCIVUOLoolhe77wxdUFMXBTKyf21i4dRrKoxtLf92k=,tag:GRXhswxIktIj35p7cJWjKA==,type:str] + lastmodified: "2024-05-31T01:44:40Z" + mac: ENC[AES256_GCM,data:49iLRBMZ7Udg3oi5JuvqAyxrEl2Ek/hUB3vtNcbi1GdHMJ2SexmuyUS+a9SWPvklvUQcCnKeF4HLdH/w+lJQLrgdFj5rOrLSJPFSJB0LhffF0EzJKoo9ukm4VEtt/R9p6ZdwqgbujhxBiewNY/nHXhcIrxxvXioT693vvUKFQjc=,iv:R2N7YKmI2Jit77m2riYmpmPi4d3jXLEKGI2NuAin2P4=,tag:tbgHr43Yz3sFkuRUeLk3ZQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/hosts/nixos/lapetus/services/qbittorrent.nix b/hosts/nixos/lapetus/services/qbittorrent.nix index b820fa1..07a98fa 100644 --- a/hosts/nixos/lapetus/services/qbittorrent.nix +++ b/hosts/nixos/lapetus/services/qbittorrent.nix @@ -1,3 +1,6 @@ +# Sources: +# https://github.com/nickkjolsing/dockerMullvadVPN +# https://www.reddit.com/r/HomeServer/comments/xapl93/a_minimal_configuration_stepbystep_guide_to_media/ { config, pkgs, ... }: let port = 8417; 
@@ -7,38 +10,45 @@ in { imports = [ ../../common/optional/services/nginx.nix ]; + sops.secrets.vpn_env.sopsFile = ../secrets.yaml; + services.nginx.virtualHosts."qbit.moonythm.dev" = config.satellite.proxy port { proxyWebsockets = true; }; systemd.tmpfiles.rules = [ - "d ${dataDir} 755 ${config.users.users.pilot.name} users" - "d ${configDir} 755 ${config.users.users.pilot.name} users" + "d ${dataDir} 777 ${config.users.users.pilot.name} users" + "d ${configDir}" ]; + # {{{ qbit virtualisation.oci-containers.containers.qbittorrent = { - image = "trigus42/qbittorrentvpn"; - extraOptions = [ - "--cap-add=net_admin" - "--sysctl=net.ipv4.conf.all.src_valid_mark=1" - # "--sysctl=net.ipv6.conf.all.disable_ipv6=0" - "--device=/dev/net/tun" - ]; - - volumes = [ - "${dataDir}:/downloads" - "${configDir}:/config/qBittorrent" - "/persist/state/var/lib/mullvad/openvpn:/etc/openvpn" - "/persist/state/var/lib/mullvad/openvpn:/config/openvpn" - "/persist/state/var/lib/mullvad/wireguard:/config/wireguard" - ]; - - ports = [ "${toString port}:8080" ]; + image = "linuxserver/qbittorrent:latest"; + extraOptions = [ "--network=container:gluetun" ]; + dependsOn = [ "openvpn-client" ]; + volumes = [ "${dataDir}:/downloads" "${configDir}:/config" ]; + ports = [ "${toString port}:${toString port}" ]; environment = { - VPN_TYPE = "openvpn"; - TZ = "Europe/Amsterdam"; + WEBUI_PORT = toString port; PGID = "100"; PUID = "1000"; }; }; + # }}} + # {{{ vpn + virtualisation.oci-containers.containers.gluetun = { + image = "qmcgaw/gluetun"; + extraOptions = [ + "--cap-add=net_admin" + "--device=/dev/net/tun" + ]; + + environmentFile = config.sops.secrets.vpn_env.path; + environment = { + VPN_TYPE = "wireguard"; + VPN_SERVICE_PROVIDER = "mullvad"; + KILL_SWITCH = "on"; # Turns off internet access if the VPN connection drops + }; + }; + # }}} }
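Review bot: `dependsOn = [ "openvpn-client" ]` on the qbittorrent container names a container this hunk never defines (the VPN container added below is `gluetun`), so the start-up ordering it is meant to give is either missing or points at a unit that does not exist. Two more lines in the same block look like they will not work as written: `ports` is set on a container that joins another container's network namespace, which Docker and Podman normally reject, and the oci-containers option for env files is, as far as I know, the list-valued `environmentFiles`, not `environmentFile`. On the hardening side, the tmpfiles rule makes `${dataDir}` world-writable (`777`) and drops mode and owner from `${configDir}`, and both images are unpinned even though gluetun runs with `net_admin` and receives the WireGuard private key; a tag or digest pin and a group-writable mode would be tighter. `KILL_SWITCH` is not a gluetun setting I can confirm, so the comment beside it may describe behaviour that actually comes from gluetun's built-in firewall. The sketch below shows the changed lines only.

```nix
  systemd.tmpfiles.rules = [
    # Group-writable instead of world-writable; owner matches PUID/PGID if pilot is uid 1000 (confirm).
    "d ${dataDir} 0775 ${config.users.users.pilot.name} users"
    "d ${configDir} 0755 ${config.users.users.pilot.name} users"
  ];

  virtualisation.oci-containers.containers.qbittorrent = {
    # … unchanged: image, extraOptions, volumes, environment …
    dependsOn = [ "gluetun" ];
    # `ports` dropped here: this container shares gluetun's network namespace.
  };

  virtualisation.oci-containers.containers.gluetun = {
    # … unchanged: image, extraOptions, environment …
    ports = [ "${toString port}:${toString port}" ];
    environmentFiles = [ config.sops.secrets.vpn_env.path ];
  };
```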