{ config, lib, pkgs, ... }:
{

  # To set password:
  # nix-shell -p samba --run "smbpasswd -a media"
  custom.samba-share.enable = true;
  custom.samba-share.private.media = {
    folder = "/media";
    users = "media";
  };

  users.groups."media".gid = config.ids.gids.transmission;
  users.users."media" = {
    uid = config.ids.uids.transmission;
    group = "media";
  };

  services.permown."/media" = {
    owner = "media";
    group = "media";
  };

  # https://docs.tdarr.io/docs/installation/docker/run-compose
  virtualisation.oci-containers = {
    #backend = "podman";
    containers.tdarr = {
      volumes = [
        "/srv/tdarr/server:/app/server"
        "/srv/tdarr/configs:/app/configs"
        "/srv/tdarr/logs:/app/logs"
        "/srv/tdarr/transcode_cache:/temp"
        "/media:/media"
      ];
      environment = {
        serverIP = "0.0.0.0";
        serverPort = "8266";
        webUIPort = "8265";
        internalNode = "false";
        inContainer = "true";
        nodeName = "ServerNode";
        TZ = "Europe/London";
        PUID = toString config.ids.uids.transmission;
        PGID = toString config.ids.gids.transmission;
      };
      ports = [
        "8265:8265" # WebUI
        "8266:8266" # server port
      ];
      image = "ghcr.io/haveagitgat/tdarr:latest"; # Warning: if the tag does not change, the image will not be updated
      extraOptions = [ "--network=bridge" ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 8266 ];
  networking.firewall.allowedUDPPorts = [ 8266 ];

  services.nginx.virtualHosts."tdarr.${config.networking.hostName}.private" = {
    serverAliases = [ "tdarr.${config.networking.hostName}" ];
    extraConfig = ''
      allow ${config.tinc.private.subnet};
      deny all;
    '';
    locations."/" = {
      proxyPass = "http://localhost:8265";
      proxyWebsockets = true;
    };
  };

}