inputs:

{ config, lib, pkgs, ... }:

{
  imports = [
    (inputs.nixpkgs-unstable.outPath + "/nixos/modules/services/misc/jellyfin.nix")
  ];

  disabledModules = [ "services/misc/jellyfin.nix" ];

  options = with lib; {
    services.jellyfin.allowedPaths = mkOption {
      type = with types; listOf str;
      description = ''
        A list of paths that Jellyfin is allowed to read
      '';
    };
  };

  config = {
    services.jellyfin = {
      enable = true;
      package = pkgs.unstable.jellyfin;
    };

    networking.firewall.interfaces.${config.topology.mainVpn.interfaceName}.allowedTCPPorts = [
      8096
    ];

    systemd.services.jellyfin.serviceConfig = {
      # TODO: remove when #108224 is merged

      # Allows access to drm devices for transcoding with hardware acceleration
      SupplementaryGroups = [ "video" "render" ];
      # char-drm Allows ffmpeg to transcode with hardware acceleration
      DeviceAllow = lib.mkForce [ "char-drm rw" ];

      PrivateDevices = lib.mkForce false;

      # ================================

      # Personal:
      ProtectHome = true;
      ProtectSystem = "strict";
    };
  };
}