server-config/services/jellyfin/jellyfin-set-defaults.nix

{
  pkgs,
  config,
  service_configs,
  lib,
  ...
}:
lib.mkIf config.services.jellyfin.enable {
  systemd.services."jellyfin-set-defaults" = {
    description = "Enforce default Jellyfin user preferences (fMP4-HLS)";
    after = [ "jellyfin.service" ];
    requires = [ "jellyfin.service" ];

    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.python3}/bin/python ${./jellyfin-set-defaults.py}";

      # Security hardening
      DynamicUser = true;
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RemoveIPC = true;

      LoadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";
    };

    environment = {
      JELLYFIN_URL = "http://127.0.0.1:${toString service_configs.ports.private.jellyfin.port}";
    };
  };

  # Run at boot and daily to catch newly created users
  systemd.timers."jellyfin-set-defaults" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "2min";
      OnUnitActiveSec = "1d";
    };
  };
}