{ config, pkgs, lib, ... }:

let
  domain = "media.giugl.io";
  port = 8096;
  allowLan = true;
in
{
  # needed since StateDirectory does not accept symlinks
  systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";

  architect.vhost.${domain} = with config.architect.networks; {
    dnsInterfaces = [ "lan" "tailscale" ];
    locations = {
      "/" = {
        inherit port allowLan;

        allow = [
          tailscale.net
        ];
      };

      "/socket" = {
        inherit port allowLan;

        proxyWebsockets = true;
        allow = [
          tailscale.net
        ];
      };
    };
  };

  services.jellyfin = {
    enable = true;
    group = "media";
    package = pkgs.unstablePkgs.jellyfin;
  };

  users.groups = {
    media.members = [ "jellyfin" ];
    video.members = [ "jellyfin" ];
    render.members = [ "jellyfin" ];
  };

  fileSystems."/tmp/jellyfin" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=20G" "uid=jellyfin" ];
  };
}