{ pkgs, lib, config, ... }:
with lib;
let
  cfg = config.services.jellyfin;
  extraGroups = [
    "users"
    "audio"
    "video"
    "disk"
    "power"
    "plugdev"
  ] ++ lib.optionals config.hardware.raspberry-pi.enable [
    "i2c"
    "spi"
  ];
in
{
  imports = [
    (import ../../../../lib/genSslCert.nix {
      name = "jellyfin";
      inherit (cfg) dataDir user;
      domain = "pi0.odie.home.arpa";
      wantedBy = [ "jellyfin.service" ];
      Before = [ "jellyfin.service" ];
    })
  ];
  options = {
    services.jellyfin.domain = mkOption {
      type = types.str;
      default = "localhost";
    };
  };
  config = {
    services.jellyfin = {
      enable = true;
      openFirewall = true;
    };
    users.users.jellyfin = {
      inherit extraGroups;
    };
    networking.firewall = {
      allowedUDPPorts = [ 1900 ];
      allowedTCPPorts = [ 8920 ];
    };
  };
}