{
  config,
  lib,
  pkgs,
  ...
}:
{

  healthchecks.http.navidrome = {
    url = "${config.networking.hostName}.wg0:${toString config.services.navidrome.settings.Port}/app/#/login";
    expectedContent = "Navidrome";
  };

  healthchecks.closed.retiolum.ports.navidrome = [ config.services.navidrome.settings.Port ];

  services.navidrome = {
    enable = true;
    openFirewall = true;
    group = "media";
    user = "media";
    settings.Address = "0.0.0.0";
    settings.MusicFolder = "/media/arr/lidarr";
  };

  services.nginx = {
    enable = true;
    virtualHosts."music.${config.networking.hostName}.private" = {
      serverAliases = [
        "music.${config.networking.hostName}.wg0"
        "music.ingolf-wagner.de"
      ];
      locations."/" = {
        recommendedProxySettings = true;
        proxyWebsockets = true;
        proxyPass = "http://localhost:${toString config.services.navidrome.settings.Port}";
        extraConfig = ''
          allow ${config.tinc.private.subnet};
          allow ${config.wireguard.wg0.subnet};
          deny all;
        '';
      };
    };
  };

}