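# NixOS module: Jellyfin media server plus a Prometheus metrics exporter.
# `cfg` mirrors the Jellyfin service options so the exporter, its scrape
# jobs and its secret are only wired up when Jellyfin itself is enabled.
{ pkgs, lib, config, ... }:
let
  cfg = config.services.jellyfin;
  exporterSecret = config.age.secrets.jellyfin-exporter-config;
in
{
  services.jellyfin.enable = true;

  # Device access for hardware transcoding (render node, video and input devices).
  users.users.jellyfin.extraGroups = [ "input" "render" "video" ];

  # UDP 1900 (SSDP/DLNA) and 7359 (client auto-discovery). The exporter port
  # is scraped from 127.0.0.1 only and is deliberately not opened.
  networking.firewall.allowedUDPPorts = [ 1900 7359 ];

  services.prometheus.scrapeConfigs = lib.mkIf cfg.enable [
    {
      job_name = "jellyfin_server";
      static_configs = [ { targets = [ "127.0.0.1:8096" ]; } ];
    }
    {
      job_name = "jellyfin";
      static_configs = [ { targets = [ "127.0.0.1:30103" ]; } ];
    }
  ];

  systemd.services.jellyfin-exporter = lib.mkIf cfg.enable {
    enable = true;
    description = "Jellyfin Metrics Exporter for Prometheus";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" "jellyfin.service" ];

    serviceConfig = {
      # systemd reads the secret as root and hands it to the dynamic user under
      # $CREDENTIALS_DIRECTORY (%d). The file itself can therefore stay 0400
      # root-owned instead of being made world-readable for DynamicUser.
      LoadCredential = [ "config:${exporterSecret.path}" ];
      ExecStart = "${lib.getExe pkgs.py.jellyfin-exporter} @%d/config";
      Restart = "always";

      DynamicUser = true;
      User = "jellyfin-exporter";
      Group = "jellyfin-exporter";
      StateDirectory = "jellyfin-exporter";
      # Was "stalwart-mail" (copy-paste from another unit); keep the
      # exporter's cache in its own directory.
      CacheDirectory = "jellyfin-exporter";

      # Hardening
      CapabilityBoundingSet = "";
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      PrivateDevices = true;
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
    };
  };

  age.secrets.jellyfin-exporter-config = lib.mkIf cfg.enable {
    file = ./secrets/jellyfin-exporter-config.age;
    # Root-only; the service receives it via LoadCredential, not by reading
    # this path directly, so no world-readable mode is needed.
    mode = "400";
  };
}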