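# Audiobookshelf behind nginx: the app binds to a loopback address and runs
# under a locked-down systemd unit. `config`, `lib` and `pkgs` are accepted for
# NixOS module-signature compatibility but are not used in this module.
{ config, lib, pkgs, ... }:
let
  domain = "audiobooks.home.feal.no";
  # Loopback-only bind: the app is reachable solely through the nginx vhost below.
  host = "127.0.1.2";
  port = 5016;

  # The only two trees the service may write to; everything else is read-only
  # because of ProtectSystem = "strict" below.
  stateDir = "/var/lib/audiobookshelf";
  mediaRoot = "/tank/media/audiobookshelf";

  # Better safe than sorry :)
  hardening = {
    # Privilege reduction. The app listens on an unprivileged loopback port, so
    # an empty capability set is sufficient.
    CapabilityBoundingSet = "";
    NoNewPrivileges = true;
    RestrictSUIDSGID = true;
    LockPersonality = true;
    RemoveIPC = true;

    # Namespace isolation: private /dev, /tmp and mount table, own user
    # namespace, and /proc entries of other users hidden.
    PrivateDevices = true;
    PrivateMounts = true;
    PrivateTmp = true;
    PrivateUsers = true;
    ProtectProc = "invisible";

    # Kernel and host state stay read-only to the service.
    ProtectClock = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;

    # Filesystem: read-only root, no home directories, explicit write paths only.
    ProtectHome = true;
    ProtectSystem = "strict";
    ReadWritePaths = [ stateDir mediaRoot ];
    # Files the service creates are owner/group accessible only, never
    # world-readable.
    UMask = "0007";

    # Network: unix sockets plus IPv4/IPv6. One family per list element, so
    # NixOS renders one RestrictAddressFamilies= directive per family (systemd
    # merges them) instead of a single space-joined string.
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
    SystemCallArchitectures = "native";

    # NOTE(review): no SystemCallFilter, RestrictNamespaces, RestrictRealtime or
    # ProtectControlGroups here yet — candidates to add once verified against
    # the running service.
  };
in
{
  # Keep the service state on the media pool; bind-mounted so the module's
  # relative dataDir (under /var/lib) still resolves to the same directory.
  fileSystems.${stateDir} = {
    device = "${mediaRoot}/config";
    options = [ "bind" ];
  };

  services.audiobookshelf = {
    enable = true;
    dataDir = "audiobookshelf";
    inherit host port;
  };

  systemd.services.audiobookshelf.serviceConfig = hardening;

  # Public entry point; websockets are needed for the app's live updates.
  # NOTE(review): no forceSSL/enableACME on this vhost here — confirm TLS is
  # enforced by a shared nginx default elsewhere.
  services.nginx.virtualHosts.${domain} = {
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
      proxyWebsockets = true;
    };
  };
}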