{
  config,
  lib,
  pkgs,
  ...
}:
{
  # Jellyfin media server; the service runs as user and group "media".
  services.jellyfin = {
    enable = true;
    # TODO(security): openFirewall is not scoped to an interface. In the nixpkgs
    # module it adds Jellyfin's ports to the global networking.firewall allow-list
    # (TCP 8096/8920 and UDP 1900/7359 at the time of writing; verify against
    # your channel), so the backend is reachable over retiolum as well and
    # bypasses the nginx virtual host and its response headers.
    # If only the proxy or the LAN should reach Jellyfin directly, consider
    # turning this off and allowing the ports per interface through
    # networking.firewall.interfaces.<name>.allowedTCPPorts / allowedUDPPorts.
    openFirewall = true;
    group = "media";
    user = "media";
  };

  # NOTE(review): `healthchecks` is not defined in this file; presumably a
  # repo-local module. Confirm what each check actually probes.
  # HTTP check against the same name as the nginx virtual host in this file.
  healthchecks.http.jellyfin = {
    url = "flix.${config.networking.hostName}.private";
  };
  # Presumably asserts that 8096 (the port nginx proxies to) is NOT reachable
  # over retiolum. With services.jellyfin.openFirewall = true this can only
  # hold if something else filters that interface; verify, because otherwise
  # the check and the firewall setting contradict each other.
  healthchecks.closed.retiolum.ports.jellyfin = [ 8096 ];

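  # nginx reverse proxy in front of the local Jellyfin instance on port 8096.
  services.nginx = {
    enable = true;
    virtualHosts."flix.${config.networking.hostName}.private" = {
      serverAliases = [ "flix.${config.networking.hostName}" ];
      # NOTE(review): no TLS options are set on this virtual host here.
      # Presumably the name is only reachable over a trusted/VPN network;
      # confirm, since Jellyfin credentials and session tokens cross this hop.
      extraConfig = ''
        # Security headers.
        # "always" attaches them to error responses too; without it nginx
        # only adds headers on a fixed set of success/redirect status codes.
        # Caveat: nginx inherits server-level add_header lines into a location
        # only if that location declares no add_header of its own, so any
        # add_header added under locations later must repeat these.
        # NOTE: X-Frame-Options may cause issues with the webOS app
        add_header X-Frame-Options "SAMEORIGIN" always;
        # The legacy browser XSS auditor is gone from current browsers and
        # "1; mode=block" could introduce problems in old ones, so it is
        # disabled explicitly. Real XSS mitigation would come from a
        # Content-Security-Policy, which this config does not set.
        add_header X-XSS-Protection "0" always;
        add_header X-Content-Type-Options "nosniff" always;
      '';
      locations."/" = {
        # Forwards Host / X-Forwarded-* so the backend sees the original
        # request metadata instead of the proxy's.
        recommendedProxySettings = true;
        # Jellyfin's web client uses WebSockets; pass the Upgrade handshake.
        proxyWebsockets = true;
        proxyPass = "http://localhost:8096";
      };
    };
  };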

}