# Navidrome music server: bound to a loopback address, published through
# Traefik, with the web UI gated by oauth2-proxy and access controlled by a
# Kanidm group.
{ config, ... }:
let
  host = "music.xyno.systems";
  internalIp = "127.0.0.5";
  # Upstream shared by both Traefik routers below. No Port is set in
  # services.navidrome.settings, so this relies on Navidrome's default 4533.
  upstream = "http://${internalIp}:4533";
in
{
  # Kanidm group that oauth2-proxy checks for this host (see allowedGroups).
  services.kanidm.provision.groups.navidrome_users.members = [ "application_admins" ];

  xyno.services.oauth2Proxy.hosts.${host}.allowedGroups = [ "navidrome_users" ];

  # Default router: everything on the host goes through the oauth2-proxy
  # middlewares generated for it.
  xyno.services.traefik.simpleProxy.navidrome = {
    inherit host;
    middlewares = config.xyno.services.oauth2Proxy.hosts.${host}.middlewares;
    internal = upstream;
  };

  # Subsonic API router for native clients: matches /rest/ unless the request
  # identifies itself as the web UI (c=NavidromeUI). The `c` parameter is
  # supplied by the client, so this split is routing, not an access boundary.
  #
  # NOTE(review): no middlewares are set here, so these requests are not gated
  # by oauth2-proxy and rely on Navidrome's own Subsonic authentication. They
  # still arrive at Navidrome from the proxy, which presumably falls inside
  # ReverseProxyWhitelist below. Unless simpleProxy/Traefik removes or
  # overwrites an incoming X-Auth-Request-Preferred-Username header on this
  # router, Navidrome may treat a client-supplied value as the authenticated
  # user. Confirm the header is stripped on this route (the simpleProxy module
  # is not visible here) and check how the deployed Navidrome version applies
  # reverse-proxy auth to /rest/.
  xyno.services.traefik.simpleProxy.navidrome-subsonic = {
    inherit host;
    rule = "Host(`${host}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)";
    internal = upstream;
  };

  services.navidrome.enable = true;
  services.navidrome.settings = {
    # Listen on the loopback address only; Traefik is the sole entry point.
    Address = internalIp;
    MusicFolder = "/data/media/beets/music";
    BaseUrl = "https://${host}";

    # Reverse-proxy authentication: Navidrome accepts the username from
    # ReverseProxyUserHeader only when the request's source address is inside
    # ReverseProxyWhitelist.
    # NOTE(review): assumes Traefik's connections to ${internalIp} originate
    # from 127.0.0.1 and that no other local process can reach the port with
    # a forged header; verify on the host.
    ReverseProxyWhitelist = "127.0.0.1/32";
    ReverseProxyUserHeader = "X-Auth-Request-Preferred-Username";

    Prometheus.Enabled = false; # TODO

    Scanner.Schedule = "45 0 * * *"; # daily at 0:45
  };

  # Keep Navidrome's state directory across reboots (impermanence setup).
  xyno.impermanence.directories = [ "/var/lib/navidrome" ];
}