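# NixOS module: runs Navidrome under the local account "payas", exposes its
# web port to the home LAN only, and hides the rest of /home from the service.
{ config, pkgs, ... }:

let
  payas = "payas";

  # Single source of truth for the listening port, so the firewall rule below
  # cannot drift from the port Navidrome is actually configured with.
  navidromePort = toString config.services.navidrome.settings.Port;
in
{
  # Open navidrome port, but only for local network.
  #
  # Only TCP is accepted: Navidrome serves its web UI and Subsonic API over
  # HTTP, so a matching UDP rule would open a port that nothing needs.
  # The rule is IPv4-only (iptables, not ip6tables), so this module does not
  # open the port over IPv6.
  # The match is by source address alone: every host on 192.168.0.0/24 can
  # reach the Navidrome login page.
  # NOTE(review): this appends to the nixos-fw chain of the iptables-based
  # firewall; confirm the rule is still applied if the host ever switches to
  # the nftables backend.
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport ${navidromePort} -j nixos-fw-accept
  '';

  services.navidrome = {
    enable = true;
    settings = {
      # Address is set by individual host
      # NOTE(review): if a host binds to all interfaces, the firewall rule
      # above is the only thing limiting who can connect.
      Port = 4533;
      MusicFolder = "/home/payas/Music/";
      DataFolder = "/home/payas/.navidrome/";
      EnableCoverAnimation = false;
      DefaultTheme = "Extra Dark";
      CoverJpegQuality = 100;
      LastFM.Enabled = false;
      # Scrobbling to ListenBrainz means the service makes outbound requests.
      ListenBrainz.Enabled = true;
      EnableUserEditing = true;
    };
  };

  systemd.services.navidrome =
    let
      cfg = config.services.navidrome.settings;
    in
    {
      serviceConfig = {
        # Run as the account that owns the folders under /home/payas.
        # The service therefore shares a UID with an interactive user, which
        # is why the home directory is masked below.
        User = payas;
        Group = payas;

        # Mount an empty tmpfs over the home directories, then re-expose only
        # the two folders Navidrome needs. mkForce overrides whatever value
        # the upstream module sets for this option.
        ProtectHome = pkgs.lib.mkForce "tmpfs";

        # Writable: Navidrome's own data folder.
        BindPaths = [ cfg.DataFolder ];

        # Read-only: the Nix store and the music library.
        # NOTE(review): mkForce replaces the upstream list instead of
        # appending to it, so any other read-only paths the upstream module
        # binds (e.g. CA certificates or resolver config needed for outbound
        # HTTPS to ListenBrainz) are dropped. Confirm scrobbling still works
        # on the nixpkgs version in use.
        BindReadOnlyPaths = pkgs.lib.mkForce [
          builtins.storeDir
          cfg.MusicFolder
        ];
      };
    };
}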