{ pkgs, ... }:

let
  # The router should have a static lease for this IP and a host entry naming it
  lanAddr = "192.168.1.236";
  # beatific module sends traffic over the vpn
  vpnAddr = "10.22.20.8";
in
{
  # Jellyfin media server; clients reach it through the nginx vhost below.
  services.jellyfin.enable = true;

  services.nginx.enable = true;
  services.nginx.recommendedProxySettings = true;

  # Catch-all vhost that denies traffic, so traffic has to actually match a vhost.
  # 444 tells nginx to close the connection without sending a response.
  # NOTE(review): this vhost declares no `listen`, so it binds the module's
  # default listen addresses, while the Jellyfin vhost binds specific IPs.
  # nginx selects candidate servers by the most specific listen address before
  # it looks at the Host header, so requests arriving on the addr:port pairs
  # listed below are presumably served by the Jellyfin vhost whatever Host they
  # carry. Confirm whether the catch-all is meant to cover those addresses too.
  services.nginx.virtualHosts.default = {
    default = true;
    locations."/".return = "444";
  };

  services.nginx.virtualHosts."jellyfin.home.ktvb.site" = {
    # NOTE(review): every listener here is plain HTTP, and no TLS option is set
    # on this vhost, so Jellyfin logins on the LAN address travel unencrypted.
    listen = [
      { addr = lanAddr; port = 80; }
      { addr = vpnAddr; port = 80; }
      # Also available on an extra port in case of port 80 troubles
      # NOTE(review): 8096 is also the port proxy_pass targets on localhost. If
      # Jellyfin binds the wildcard address on 8096, this listener may collide
      # with it. Confirm which address Jellyfin binds.
      { addr = vpnAddr; port = 8096; }
    ];
    # Response buffering is turned off and everything is handed to the local
    # Jellyfin instance.
    locations."/".extraConfig = ''
      proxy_buffering off;
      proxy_pass http://localhost:8096/;
    '';
  };

  # These ports are opened on every interface, not only on the two addresses
  # nginx listens on.
  # NOTE(review): if Jellyfin itself listens on 8096 beyond localhost, this rule
  # lets clients reach it directly and skip nginx. Verify, and consider scoping
  # 8096 with networking.firewall.interfaces.<vpn-interface>.allowedTCPPorts.
  networking.firewall.allowedTCPPorts = [
    80    # http
    8096  # jellyfin
  ];

  # Puts the tvb account in the jellyfin group.
  users.users.tvb.extraGroups = [ "jellyfin" ];
}