{ pkgs, ... }:

{
  # Enable jellyfin
  services.jellyfin.enable = true;

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Create a default vhost to deny traffic, so traffic has to actually match a vhost
      default = {
        default = true;
        locations."/".return = "444";
      };
      "jellyfin" = {
        listen = [
          # Available on the local network (host managed by router)
          { addr = "jellyfin.backyard.lan"; port = 80; }
          # Available by name on beatific (host managed by beatific module)
          { addr = "jellyfin.backyard.home"; port = 80; }
          # Available by port on beatific until I solve DNS for non-NixOS hosts
          { addr = "10.22.20.8"; port = 8096; }
        ];
        locations."/".extraConfig = ''
          proxy_buffering off;
          proxy_pass http://localhost:8096/;
        '';
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80    # http
    8096  # jellyfin
  ];
}