{
  config,
  lib,
  self,
  ...
}:
let
  cfg = config.services.pinchflat;
  age = config.age.secrets;
  d = self.lib.data.services.pinchflat;
in
{
  services.pinchflat = {
    enable = true;
    inherit (d) port;
    secretsFile = age.pinchflat-secrets.path;
    mediaDir = "/var/media/youtube";
    extraConfig = {
      YT_DLP_WORKER_CONCURRENCY = 2;
    };
  };
  systemd.services.pinchflat = lib.mkIf cfg.enable {
    serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = lib.mkForce "pinchflat";
      Group = lib.mkForce "pinchflat";
    };
  };
  users.users.pinchflat = lib.mkIf cfg.enable {
    isSystemUser = true;
    group = "pinchflat";
  };
  users.groups.pinchflat = lib.mkIf cfg.enable { };
  age.secrets = lib.mkIf cfg.enable {
    pinchflat-secrets = {
      owner = "pinchflat";
      group = "pinchflat";
      file = ./secrets/pinchflat-secrets.age;
    };
  };
  # BGUtil Docker Container for yt-dlp
  virtualisation.oci-containers.containers.ytdlp-bgutil-provider = lib.mkIf cfg.enable {
    image = "brainicism/bgutil-ytdlp-pot-provider";
    ports = [
      "4416:4416"
    ];
  };
}