# NixOS module: runs a helper (rar2fs_mounts.py, not shown here) as the
# jellyfin user, passing it the torrent download directory and a mount
# directory under /run/jellyfin.
#
# NOTE(review): the download directory is attacker-influenced content, and the
# process that handles it holds CAP_SYS_ADMIN. Treat the unit as a
# high-value target and keep the remaining sandbox options as tight as the
# FUSE mounts allow.
{ lib, pkgs, ... }:
let
  # Account used for User=, Group= and the USER environment variable.
  serviceAccount = "jellyfin";

  # Where the archives are read from, and where the mounts are created.
  archiveRoot = "/var/lib/qBittorrent/downloads";
  mountRoot = "/run/jellyfin/rar2fs";

  # rar2fs built against the `unrar_6` attribute instead of the default unrar.
  # NOTE(review): this library decodes the downloaded archives; confirm the
  # pinned attribute still receives fixes before keeping the pin.
  rar2fsPkg = pkgs.rar2fs.override { unrar = pkgs.unrar_6; };

  # Wraps ./rar2fs_mounts.py with a shebang that points at the store python3.
  mountHelper = pkgs.writeScriptBin "rar2fs_mounts" (
    lib.strings.concatLines [
      "#!${pkgs.python3}/bin/python"
      (builtins.readFile ./rar2fs_mounts.py)
    ]
  );

  # Same set is used as the ambient set and as the bounding set.
  # NOTE(review): CAP_SYS_ADMIN is granted while NoNewPrivileges is also off
  # (see below); check whether both mechanisms are needed for the mounts.
  grantedCaps = "CAP_SYS_ADMIN CAP_SETUID CAP_SETGID";
in
{
  # System-wide FUSE settings: these apply to every user, not only to jellyfin.
  programs.fuse.userAllowOther = true;
  programs.fuse.mountMax = 1000;

  environment.systemPackages = [ rar2fsPkg ];

  systemd.services.jellyfin-rar2fs = {
    wantedBy = [ "multi-user.target" ];
    after = [ "jellyfin.service" ];

    # NOTE(review): NixOS appends bin/ and sbin/ to each `path` entry, so the
    # second element may resolve to /run/wrappers/bin/bin — confirm that the
    # setuid wrappers are actually found through this entry.
    path = [
      rar2fsPkg
      "/run/wrappers/bin"
    ];

    environment = {
      USER = serviceAccount;
    };

    serviceConfig = {
      # Identity and command line.
      User = serviceAccount;
      Group = serviceAccount;
      ExecStart = lib.concatStringsSep " " [
        "${mountHelper}/bin/rar2fs_mounts"
        archiveRoot
        mountRoot
      ];

      # Privileges the unit keeps.
      AmbientCapabilities = grantedCaps;
      CapabilityBoundingSet = grantedCaps;
      NoNewPrivileges = "no"; # setuid/file-capability binaries can still raise privileges
      DeviceAllow = "/dev/fuse rw";
      SystemCallFilter = [
        "@system-service"
        "@mount"
        "@setuid"
        "umount2"
      ];
      SystemCallArchitectures = "native";

      # No network access of any kind.
      IPAddressDeny = "any";
      RestrictAddressFamilies = "none";

      # Hardening that is switched on.
      LockPersonality = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;

      # Hardening that is switched off.
      # NOTE(review): presumably disabled because these options put the unit in
      # its own mount namespace, where the FUSE mounts would not be visible to
      # jellyfin.service — confirm, and re-enable any option that does not
      # interfere with mount propagation.
      PrivateDevices = false;
      PrivateMounts = false;
      PrivateTmp = false;
      PrivateUsers = false;
      ProtectControlGroups = false; # implies MountAPIVFS
      ProtectHome = false;
      ProtectKernelLogs = false;
      ProtectKernelModules = false;
      ProtectKernelTunables = false; # implies MountAPIVFS
      #ProtectProc = "noaccess"; # implies MountAPIVFS
      ProtectSystem = false;
    };
  };
}