{
  config,
  pkgs,
  service_configs,
  lib,
  ...
}:
{
  systemd.services.jellyfin-annotations = {
    description = "Jellyfin stream annotation service for Grafana";
    after = [
      "network.target"
      "grafana.service"
    ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.python3}/bin/python3 ${./jellyfin-annotations.py}";
      Restart = "always";
      RestartSec = "10s";
      LoadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";
      DynamicUser = true;
      StateDirectory = "jellyfin-annotations";
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
      ];
      MemoryDenyWriteExecute = true;
    };
    environment = {
      JELLYFIN_URL = "http://127.0.0.1:${toString service_configs.ports.private.jellyfin.port}";
      GRAFANA_URL = "http://127.0.0.1:${toString service_configs.ports.private.grafana.port}";
      STATE_FILE = "/var/lib/jellyfin-annotations/state.json";
      POLL_INTERVAL = "30";
    };
  };
}