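# NixOS module: Jellyfin media server published through an nginx TLS reverse
# proxy, with access to one GPU render node for VAAPI hardware transcoding.
#
# Non-standard module arguments:
#   inputs   - `inputs.unstable` is used below as a nixpkgs source tree.
#   mkDomain - project helper; presumably maps a service name to the host name
#              it is served under (verify against its definition).
{ config, pkgs, lib, inputs, mkDomain, ... }:
{
  # Jellyfin

  # Replace the jellyfin module shipped with the system's nixpkgs by the one from
  # `inputs.unstable`, and take the package from `pkgs.unstable` as well, so the
  # module and the package come from the same channel.
  # The empty /**/ comments presumably delimit this override so that it can be
  # commented out as a unit.
  /**/
  disabledModules = [ "services/misc/jellyfin.nix" ];
  #imports = [<nixos-unstable/nixos/modules/services/misc/jellyfin.nix> ];
  imports = [ "${inputs.unstable}/nixos/modules/services/misc/jellyfin.nix" ];
  services.jellyfin.package = pkgs.unstable.jellyfin;
  /**/

  services.jellyfin = {
    # Don't enable unless you intend to run the first-time setup of the admin
    # user: the virtual host below publishes the service as soon as it is up,
    # so complete the setup wizard right after the first deployment.
    enable = true;
    # from https://jellyfin.org/docs/general/networking/index.html:
    # - 8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
    # - 8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
    # - 1900/udp is used for service auto-discovery. This is not configurable.
    # - 7359/udp is also used for auto-discovery. This is not configurable.
    #
    # Kept false so that none of these ports is opened by the module; clients
    # are meant to reach Jellyfin through nginx only.
    # NOTE(review): this relies on the host firewall being enabled; Jellyfin
    # itself may still listen on 8096 on every interface - confirm.
    openFirewall = false;
    # TODO: configure initial collections and extensions
  };

  # firewall - not needed?
  # The discovery ports only matter for clients on the local network that look
  # for the server by broadcast; access through the reverse proxy does not use
  # them. List-typed firewall options set in several modules are merged by the
  # module system, so enabling this block would add to the ports declared
  # elsewhere rather than overwrite them.
  /*
  networking.firewall = lib.mkIf config.services.jellyfin.enable {
    # TODO: does this overwrite rules set by other stuff? should i use ++ ?
    #allowedTCPPorts = [ 8096 8920 ];
    allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT?
  };
  */

  # TLS-terminating reverse proxy, defined only while Jellyfin is enabled.
  services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf config.services.jellyfin.enable {
    forceSSL = true; # plain HTTP is redirected to HTTPS; alternative: addSSL = true;
    enableACME = true; # certificate is requested for this host; alternative: useACMEHost = acmeDomain;
    locations."/" = {
      # Jellyfin's plain-HTTP port on loopback; TLS ends at nginx.
      proxyPass = "http://127.0.0.1:8096";
      proxyWebsockets = true;
      # NOTE(review): behind the proxy every request reaches Jellyfin from
      # 127.0.0.1. Confirm that forwarded-for headers are set (for example via
      # services.nginx.recommendedProxySettings) and that the proxy is listed
      # under Jellyfin's known proxies, so that logs show real client addresses.
    };
  };

  # Allow Jellyfin access to VAAPI
  # NOTE(review): the render node is usually owned by the "render" group;
  # "video" may not be needed once only renderD128 is allowed - confirm.
  users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
  # mkForce makes these values win over whatever the jellyfin module sets.
  systemd.services.jellyfin.serviceConfig = {
    # With PrivateDevices the unit gets a private /dev without physical
    # devices, which would hide the GPU.
    PrivateDevices = lib.mkForce false;
    # Allow exactly one device node. The access mode is spelled out: an entry
    # without a mode grants "rwm", and "m" (mknod) is not needed to open and
    # use an existing render node.
    # NOTE(review): renderD128 is the first render node; on a host with more
    # than one GPU check that it is the intended device.
    DeviceAllow = lib.mkForce [ "/dev/dri/renderD128 rw" ];
  };

}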