{
  config,
  lib,
  pkgs,
  zerotierInterface,
  ...
}:
{

  healthchecks.http.navidrome-tinc = {
    url = "${config.networking.hostName}.private:${toString config.services.navidrome.settings.Port}/app/#/login";
    expectedContent = "Navidrome";
  };

  healthchecks.http.navidrome-via-zerotier = {
    url = "${config.networking.hostName}.${config.clan.static-hosts.topLevelDomain}:${toString config.services.navidrome.settings.Port}/app/#/login";
    expectedContent = "Navidrome";
  };

  networking.firewall.interfaces.${zerotierInterface}.allowedTCPPorts = [
    config.services.navidrome.settings.Port
  ];

  services.navidrome = {
    enable = true;
    openFirewall = true;
    group = "media";
    user = "media";
    settings.Address = "[::]";
    settings.Port = 4533;
    settings.MusicFolder = "/media/arr/lidarr";
  };

  services.nginx = {
    enable = true;
    virtualHosts."music.${config.networking.hostName}.private" = {
      serverAliases = [
        "music.${config.networking.hostName}.wg0"
        "music.ingolf-wagner.de"
      ];
      locations."/" = {
        recommendedProxySettings = true;
        proxyWebsockets = true;
        proxyPass = "http://localhost:${toString config.services.navidrome.settings.Port}";
        extraConfig = ''
          allow ${config.tinc.private.subnet};
          allow ${config.wireguard.wg0.subnet};
          deny all;
        '';
      };
    };
  };

}