diff --git a/machines/fuuko/secrets.yaml b/machines/fuuko/secrets.yaml
index b409e14..4addc94 100644
--- a/machines/fuuko/secrets.yaml
+++ b/machines/fuuko/secrets.yaml
@@ -6,16 +6,16 @@ restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDd
 restic-s3: ENC[AES256_GCM,data:VJ/jgYnUSkbsNMb1ciLiCcRVEpuaznsSFf0QkEnPhTRHpFv4Nt0f8ARnNtG5j3iXSIT4+H2+5HWKXEsjhvL85p0XE3xe4h45xGKnvvVO2obF+b/zsMDdceFJtLbcq+APzPBjchYU,iv:W+80GhAvYD/52dNZsNYiEhiLo4dhO8oxkd+GAbk42NU=,tag:Kj9CaGo/xAmYxdoLE/Lo1Q==,type:str]
 synapse-registration-shared-secret: ENC[AES256_GCM,data:lNzK/7QAk4Scv+lNM8bTTKvowI139c4R4Y7Qpq60n8R61aahlxrnWc/PUEOv85Pdx+8IdBOLnV0kp7OQF6tStGBBCOkAicYmnsLoR36DmuDCvTSKVArryV7BrxL8pv0=,iv:ZT9IIF7W0NHqvnU3lPQclVS5uXXK5HIQUzXNYwYFMIo=,tag:a/sUixOlHEvn5ZOINPwQlg==,type:str]
 synapse-turn-shared-secret: ENC[AES256_GCM,data:sAvP4/jVma7Uq9TR4W/zEoJA17Stj75uG+G4niYaQ1tflxRhE+/HfrhMn7whnmpSgXDb/ZPtLfVaW1DCfU2jovz3Y9Ij1kveXar2aAjlPSsSVwTbFmei,iv:S7uVlE2rhK7ta2S/eX+KXBMQyc69onHYjfMNro3OCjM=,tag:rvI299PQ9TVfVzQjgfUKww==,type:str]
-wg-aria-private-key: ENC[AES256_GCM,data:qbxpfNRocrXDbUJ3MwR5WMXX8LB4Vnv9HMXN403ANaBbCLrRTEL9hy93roY=,iv:l2DYXGY1wN1rP2bG/s9uSwRhbvCUm2T6IJy5LKzguqk=,tag:51S+m1P1EtHk1QWEjdUCUA==,type:str]
 wg-home-private-key: ENC[AES256_GCM,data:6l3CgB4qCsPuyYOWuwU2vNiEeC0D1wl6yZvXGGYVsZfYvdPjRz8j5yV7ekQ=,iv:slB/qr+cxi8r7cnTuZAd8CuzWVnvp24Li6A/AnZaFzo=,tag:ynh1Z2+IELAJcgBbHwFC0A==,type:str]
+wg-qbittorrent-private-key: ENC[AES256_GCM,data:9sjqTCMXqN0oWS95RQOmfLK0/2dH6V4Rs2LX8ydnYl+7zR55PG5pW3kROH8=,iv:m+4xKthKNCQBOEP9ExOHY5Dg3i+yTgREwrAci4zhqUk=,tag:L0vnwyiGOAoarr7FZFE91A==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-03-18T15:01:34Z"
- mac: ENC[AES256_GCM,data:y7VqBCpINseuWdp4mnGUCawNZjqrNi8PbRsc49wMvsFALdW7LlsXF4Z/yVdjbn69/hfj6CXJUy2/lT5L8UUyJ3aX/gGd3lAcru4OuqN5goarF8IVINwch4IW/VEAVcknUTKdkQwNGJVEhOQhPBcy0gChaCGN0PhcaOYiYsK/+RY=,iv:c2bSraFo1n9tkVvNz97W1x9u+m/lwOBV2EMkXcl64Jg=,tag:kUf/2TzahSDo86touJ6iuA==,type:str]
+ lastmodified: "2022-03-18T21:16:29Z"
+ mac: ENC[AES256_GCM,data:r3wg7jnc9TS5gk4qGtdxbxIJ64tt/C6NehIR9w/RcNs7aF2SVNB2yYhZCPGgAwC7Zi3addlY7wGEGn76vN0ioA09L4JXQ8WfSh3wPZEN5msGzv48Jh7jViagsAn2h6ZchQtEBV8YuxC6lKuJFA29xisf1BBB7Bxw+7wU1LfEF8U=,iv:umLtAlDgc9Kup47e49BjNuCUX/49eiDxZJ4eD5s1jag=,tag:0ivpkGqEDGJyxD+oGJifMw==,type:str]
 pgp:
 - created_at: "2021-04-06T11:27:21Z"
 enc: |
diff --git a/machines/fuuko/secrets/aria2-wireguard.nix b/machines/fuuko/secrets/aria2-wireguard.nix
deleted file mode 100644
index f6c3908..0000000
Binary files a/machines/fuuko/secrets/aria2-wireguard.nix and /dev/null differ
diff --git a/machines/fuuko/secrets/wireguard-qbittorrent.nix b/machines/fuuko/secrets/wireguard-qbittorrent.nix
new file mode 100644
index 0000000..0ed6ca8
Binary files /dev/null and b/machines/fuuko/secrets/wireguard-qbittorrent.nix differ
diff --git a/machines/fuuko/services/prometheus.nix b/machines/fuuko/services/prometheus.nix
index 2717886..891632e 100644
--- a/machines/fuuko/services/prometheus.nix
+++ b/machines/fuuko/services/prometheus.nix
@@ -70,8 +70,8 @@ in
 ];
 }
 {
- job_name = "aria2";
- static_configs = mkStaticTarget "127.0.0.1:9578";
+ job_name = "qbittorrent";
+ static_configs = mkStaticTarget "127.0.0.1:9561";
 relabel_configs = lib.singleton {
 target_label = "instance";
 replacement = "torrent.sbruder.de";
@@ -146,8 +146,8 @@ in
 }
 {
 name = "TorrentNoPeers";
- expr = "sum by (instance) (aria2_torrent_peers) == 0";
- description = "Aria2 instance {{ $labels.instance }} has no peers. There might be a network connectivity problem";
+ expr = "sum by (instance) (qBittorrent_torrent_connected_leechs) == 0";
+ description = "qBittorrent instance {{ $labels.instance }} has no peers. There might be a network connectivity problem";
 }
 ];
 };
diff --git a/machines/fuuko/services/torrent.nix b/machines/fuuko/services/torrent.nix
index d39a906..d967b04 100644
--- a/machines/fuuko/services/torrent.nix
+++ b/machines/fuuko/services/torrent.nix
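Review bot: Dropping `wg-aria-private-key` from this file does not retire the key itself: its ciphertext remains in the repository history and is still decryptable by whoever holds the PGP key listed in the `sops` block, so the matching public key should also be removed from the WireGuard peer that accepted it. Whether `wg-qbittorrent-private-key` is a fresh key or the old one under a new name cannot be told from this hunk, because sops re-encrypts every value with a fresh IV on each save. If it is the same key, saying so in the commit message would make that intent visible; if it is a new key, the peer-side rotation is the step this commit does not show.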
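Review bot: The scrape target `127.0.0.1:9561` is a bare constant that has to agree with whatever listen address the `sbruder.qbittorrent` module gives its exporter, and nothing in this hunk records that coupling; the old `aria2` job had the same weakness, but this is the place to fix it. If the module exposes the exporter port as an option, reading it as `mkStaticTarget "127.0.0.1:${toString config.sbruder.qbittorrent.<exporter-port-option>}"` (placeholder name) keeps the two in sync; otherwise a comment `# must match the exporter port configured by sbruder.qbittorrent (services/torrent.nix)` is the minimum. The same duplication applies to `replacement = "torrent.sbruder.de"` versus the `fqdn` set in torrent.nix. The enclosing `scrapeConfigs` list starts and ends outside the hunk.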
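Review bot: The new expression `sum by (instance) (qBittorrent_torrent_connected_leechs) == 0` counts connected leechers only, while the description still says "has no peers"; if the exporter also exposes a connected-seeds series, summing both would match the text, and if it does not, the description should say "no connected leechers" so the alert is read correctly. As with the old `aria2_torrent_peers` form, the sum produces no series at all when there are no torrents or the exporter is unreachable, so `== 0` never fires in exactly the connectivity failure the text describes; a companion `absent(qBittorrent_torrent_connected_leechs{instance="torrent.sbruder.de"})` rule or an `up == 0` alert on the `qbittorrent` job would close that gap. I cannot verify the metric name against the exporter from this page.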
@@ -1,199 +1,7 @@
-{ config, inputs, lib, pkgs, ... }:
-let
- homeDir = "/var/lib/aria2";
- downloadDir = "/data/torrent";
- sessionFile = "${homeDir}/session";
-
- settings = {
- # locations
- dir = downloadDir;
-
- # logging
- show-console-readout = false;
- summary-interval = 0;
-
- # rpc
- enable-rpc = true;
-
- # permanent queue
- bt-load-saved-metadata = true;
- bt-save-metadata = true;
- force-save = true;
- input-file = sessionFile;
- save-session = sessionFile;
- save-session-interval = 900; # automatic saving
-
- # network
- async-dns-server = "193.138.218.74"; # aria2 does not respect netns resolv.conf
- dht-listen-port = 56595;
- listen-port = 56718;
- interface = "wg-aria";
-
- # limits
- max-concurrent-downloads = 65536;
- max-overall-download-limit = "6M";
- max-overall-upload-limit = "4M";
- seed-ratio = 0; # do not stop seeding after reaching ratio
- };
-
- toString' = value:
- if lib.isBool value
- then (if value then "true" else "false")
- else (toString value);
-
- configFile = pkgs.writeText "aria2.conf" (lib.concatStringsSep
- "\n"
- (lib.mapAttrsToList
- (k: v: "${k}=${toString' v}")
- settings));
-
- mkProxyService = socket: port: {
- wantedBy = [ "multi-user.target" ];
- after = [ "wireguard-wg-aria.service" ];
- partOf = [ "wireguard-wg-aria.service" ];
-
- serviceConfig = {
- PrivateNetwork = true;
- NetworkNamespacePath = "/run/netns/aria2";
-
- Restart = "always";
- ExecStart = "${pkgs.socat}/bin/socat UNIX-LISTEN:${socket},fork,reuseaddr,mode=660,unlink-early TCP:127.0.0.1:${toString port}";
- User = "aria2";
- Group = "nginx";
-
- # systemd-analyze --no-pager security aria2-rpc-proxy.service
- CapabilityBoundingSet = null;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectHome = true;
- RestrictNamespaces = true;
- SystemCallFilter = "@system-service";
- };
- };
-in {
- users.users.aria2 = {
- group = "aria2";
- uid = config.ids.uids.aria2;
- home = homeDir;
- };
-
- users.groups.aria2.gid = config.ids.gids.aria2;
-
- systemd.tmpfiles.rules = [
- "d '${downloadDir}' 0775 aria2 users - -"
- "d '${homeDir}' 0771 aria2 aria2 - -"
- ];
-
- sops.secrets.wg-aria-private-key.sopsFile = ../secrets.yaml;
-
- networking.wireguard.interfaces.wg-aria = {
- interfaceNamespace = "aria2";
- preSetup = "ip netns add aria2 && ip -n aria2 link set lo up";
- postShutdown = "ip netns del aria2";
-
- privateKeyFile = config.sops.secrets.wg-aria-private-key.path;
- } // (import ../secrets/aria2-wireguard.nix); # potentially sensitive data
-
- environment.etc."netns/aria2/resolv.conf".text = ''
- nameserver 193.138.218.74
- '';
-
- systemd.services.aria2 = {
- description = "aria2 Service";
- after = [ "wireguard-wg-aria.service" ];
- requires = [ "wireguard-wg-aria.service" ];
- wantedBy = [ "multi-user.target" ];
- preStart = ''
- if [[ ! -e "${sessionFile}" ]]; then
- touch "${sessionFile}"
- fi
- '';
-
- serviceConfig = {
- PrivateNetwork = true;
- NetworkNamespacePath = "/run/netns/aria2";
-
- Restart = "always";
- ExecStart = "${pkgs.aria2}/bin/aria2c --conf-path=${configFile}";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- User = "aria2";
- Group = "aria2";
-
- # Increase number of open file descriptors (default: 1024)
- LimitNOFILE = 65536;
-
- # systemd-analyze --no-pager security aria2.service
- CapabilityBoundingSet = null;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectHome = true;
- RestrictNamespaces = true;
- SystemCallFilter = "@system-service";
- };
- };
-
- systemd.services.aria2-rpc-proxy = mkProxyService "${homeDir}/rpc.sock" 6800;
-
- services.aria2_exporter = {
+ sbruder.qbittorrent = {
 enable = true;
- listenAddress = "localhost:9578";
+ downloadDir = "/data/torrent";
+ fqdn = "torrent.sbruder.de";
 };
-
- systemd.services.aria2_exporter = {
- after = [ "wireguard-wg-aria.service" ];
- partOf = [ "wireguard-wg-aria.service" ];
-
- serviceConfig = {
- PrivateNetwork = true;
- NetworkNamespacePath = "/run/netns/aria2";
- };
- };
-
- systemd.services.aria2_exporter-proxy = mkProxyService "${homeDir}/metrics.sock" 9578;
-
- services.nginx.virtualHosts."torrent.sbruder.de" = {
- enableACME = true;
- forceSSL = true;
-
- # treated as state
- basicAuthFile = "${homeDir}/htpasswd";
-
- locations = {
- "/" = {
- root = inputs.AriaNg.packages.${config.nixpkgs.system}.AriaNg;
- };
- "/jsonrpc" = {
- proxyPass = "http://unix:${homeDir}/rpc.sock";
- proxyWebsockets = true;
- };
- "/download/" = {
- alias = "${downloadDir}/";
- extraConfig = ''
- autoindex on;
- '';
- };
- "=/metrics" = {
- proxyPass = "http://unix:${homeDir}/metrics.sock";
- };
- };
- };
-
- services.nginx.virtualHosts."aria2-metrics" = {
- listen = lib.singleton {
- addr = "127.0.0.1";
- port = 9578;
- };
-
- locations."=/metrics" = {
- proxyPass = "http://unix:${homeDir}/metrics.sock";
- };
- };
-
- environment.systemPackages = with pkgs; [
- aria2
- mktorrent
- ];
 }
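Review bot: The new `sbruder.qbittorrent` block keeps `downloadDir = "/data/torrent"`, but the removed tmpfiles rule `"d '${downloadDir}' 0775 aria2 users - -"` together with the removed `users.users.aria2` definition means the existing download tree is owned by the `aria2` uid; unless the module chowns it or runs qBittorrent under that same uid, the new service cannot write to already-downloaded data, so a one-off ownership migration belongs with this change. The removed code also carried properties a reader of this file can no longer see: aria2 and its exporter ran with `PrivateNetwork`/`NetworkNamespacePath` inside a namespace that held only the WireGuard interface (no torrent traffic could leave outside the tunnel), the RPC endpoint sat behind `basicAuthFile`, and the key was declared here via `sops.secrets.wg-aria-private-key.sopsFile`. Whether the module preserves the namespace isolation and the authentication, and where `wg-qbittorrent-private-key` is now declared, is not visible in this hunk. A comment such as `# netns isolation, web auth and the wg-qbittorrent-private-key sops secret are configured by the sbruder.qbittorrent module` would tell the next reader where to check. The new file's opening `{` line is not visible in this rendering of the hunk.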