# NixOS module: Jellyfin and Jellyseerr, a Caddy virtual host that proxies to
# Jellyfin, bind mounts for Jellyfin's state/cache directories, and the
# matching tmpfiles and firewall rules. All site-specific values come from
# `flake.config`.
{flake, ...}: let
  inherit (flake.config.people) user0;
  inherit (flake.config.people.user.${user0}) domain;
  inherit (flake.config.system.device) server wildcard;
  inherit (flake.config.service.instance.jellyfin) paths ports name subdomain ssl;

  # Address Caddy proxies to. NOTE(review): the value is read from
  # `device.wildcard`, so it is presumably a wildcard/any address rather than
  # loopback; confirm, and prefer a loopback address for a same-host upstream.
  upstreamAddr = wildcard.ip.address0;

  # Public host name served by Caddy.
  vhost = "${subdomain}.${domain.url0}";

  # Build a bind-mount entry for `device` that is ordered after the storage
  # mount it lives on.
  bindFrom = device: {
    inherit device;
    fsType = "none";
    options = ["bind"];
    depends = [server.storage0.mount];
  };
in {
  # NOTE(review): user0 comes from `flake.config.people`. If that is an
  # interactive login account, a compromise of the media server inherits that
  # account's file access; confirm this is intended over a dedicated service
  # user.
  #
  # NOTE(review): `openFirewall` exposes the service's ports directly, so
  # clients can reach Jellyfin without going through the TLS-terminating Caddy
  # host below. Confirm direct access is wanted.
  services.jellyfin = {
    enable = true;
    openFirewall = true;
    user = user0;
  };

  # NOTE(review): no Caddy virtual host for Jellyseerr is defined in this
  # file, so with `openFirewall` it appears to be reachable without TLS;
  # verify against the rest of the configuration.
  services.jellyseerr = {
    enable = true;
    openFirewall = true;
  };

  # NOTE(review): the two /.well-known redirects target /remote.php/dav/, a
  # path nothing else in this module configures. They look carried over from a
  # CalDAV/CardDAV host; confirm they belong on this one.
  #
  # NOTE(review): `ssl.cert` and `ssl.key` are interpolated into the Caddyfile.
  # They must be strings naming runtime paths. If `ssl.key` is a Nix path
  # value, interpolation copies the private key into the world-readable
  # /nix/store.
  services.caddy.virtualHosts = {
    "${vhost}" = {
      extraConfig = ''
        redir /.well-known/carddav /remote.php/dav/ 301
        redir /.well-known/caldav /remote.php/dav/ 301
        reverse_proxy ${upstreamAddr}:${toString ports.port1}
        tls ${ssl.cert} ${ssl.key}
      '';
    };
  };

  # Jellyfin's state and cache directories are bind mounts from the storage
  # path.
  fileSystems = {
    "/var/lib/${name}" = bindFrom paths.path0;
    "/var/cache/${name}" = bindFrom "${paths.path0}/cache";
  };

  # `Z` applies owner, group and mode recursively. NOTE(review): a literal
  # 0755 therefore makes every file under these trees world-readable and
  # executable, including the server's database and configuration. Consider a
  # narrower mode (e.g. 0750) or the `~` mode prefix, which masks bits the
  # existing file does not already have.
  systemd.tmpfiles.rules = [
    "Z ${paths.path0} 0755 ${user0} ${name} -"
    "Z ${paths.path0}/cache 0755 ${user0} ${name} -"
  ];

  # NOTE(review): these are opened in addition to whatever the two
  # `openFirewall` switches above open. `ports.port1` is also the Caddy
  # upstream port, so the backend is reachable both directly and through the
  # proxy. Trim to the ports that must be public.
  networking.firewall.allowedTCPPorts = [
    ports.port0
    ports.port1
    ports.port2
  ];
}