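# NixOS module: runs Jellyfin from nixpkgs-unstable, exposes it on the main VPN
# interface only, and confines the service with systemd sandboxing.
#
# The function is curried: the flake passes its `inputs` first, then the module
# system supplies `config`, `lib` and `pkgs`.
inputs:
{ config, lib, pkgs, ... }:

{
  # Use the Jellyfin module from nixpkgs-unstable and disable the copy that
  # ships with the system's nixpkgs, so the two definitions do not conflict.
  imports = [
    (inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
  ];
  disabledModules = [ "services/misc/jellyfin.nix" ];

  options = with lib; {
    # Extra paths exposed to the sandboxed service. The entries are appended
    # to BindReadOnlyPaths below, so the service can read but not modify them.
    # No default is declared: every host importing this module must set it.
    services.jellyfin.allowedPaths = mkOption {
      type = with types; listOf str;
      description = ''
        A list of paths that Jellyfin is allowed to read
      '';
    };
  };

  config = {
    services.jellyfin = {
      enable = true;
      package = pkgs.unstable.jellyfin;
    };

    # 8096 is opened on the VPN interface only; this module does not open it
    # on any other interface or in the global allowedTCPPorts.
    networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [ 8096 ];

    systemd.services.jellyfin.serviceConfig = {
      # TODO: remove when #108224 is merged
      # Allows access to drm devices for transcoding with hardware acceleration
      SupplementaryGroups = [ "video" ];
      # char-drm Allows ffmpeg to transcode with hardware acceleration
      # Only the DRM character-device class is allowed (read/write). mkForce
      # overrides whatever the imported module sets for this option.
      DeviceAllow = lib.mkForce [ "char-drm rw" ];
      # Security trade-off: PrivateDevices would hide physical devices from
      # the service, so it is forced off here; DeviceAllow above is what keeps
      # device access narrowed to DRM nodes.
      PrivateDevices = lib.mkForce false;

      # ================================
      # Personal:
      ProtectHome = true;
      ProtectSystem = "strict";
      # Everything the chrooted service may see from the host, read-only:
      # the Nix store, CA certificates, resolver configuration, the GPU
      # driver tree when OpenGL is enabled, and the configured media paths.
      BindReadOnlyPaths = [
        "/nix/store"
        "/etc/ssl/certs"
        "/etc/static/ssl/certs"
        "/etc/resolv.conf"
      ]
      # optionals, not optional: lib.optional wraps its argument in a list,
      # so passing a list would nest it and break the flat list of paths
      # whenever hardware.opengl.enable is true.
      ++ lib.optionals config.hardware.opengl.enable [ "/run/opengl-driver" ]
      ++ config.services.jellyfin.allowedPaths;
      # Cache and state directories are created by systemd with mode 0700,
      # i.e. accessible to the service user only.
      CacheDirectory = "jellyfin";
      CacheDirectoryMode = "0700";
      StateDirectory = "jellyfin";
      StateDirectoryMode = "0700";
      # The service is chrooted into its own runtime directory, so only the
      # bind mounts and the directories declared above are meant to be visible.
      # NOTE(review): with PrivateDevices forced off, confirm that /dev/dri is
      # actually present inside this root (e.g. via MountAPIVFS or an explicit
      # bind mount); otherwise hardware transcoding may not find the device.
      RuntimeDirectory = "jellyfin";
      RootDirectory = "/run/jellyfin";
    };
  };
}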