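# NixOS module: runs Meilisearch and the JellySearch service that talks to
# Jellyfin and Meilisearch over loopback HTTP.
{ inputs, config, pkgs, ... }:
{
  # age-encrypted environment file, taken from the `secrets` flake input.
  # Its decrypted location is referenced below through `.path`.
  age.secrets."files/services/meilisearch/envfile" = {
    file = "${inputs.secrets}/files/services/meilisearch/envfile.age";
  };

  services.meilisearch = {
    enable = true;
    package = pkgs.meilisearch;
    # The master key is supplied through the decrypted file, not inline, so it
    # does not end up in the world-readable Nix store.
    masterKeyEnvironmentFile = config.age.secrets."files/services/meilisearch/envfile".path;
  };

  # Dedicated system account for JellySearch.
  # NOTE(review): the unit below sets neither User= nor Group=, so as written
  # the service does not run as this account (systemd defaults to root).
  # Setting `User = "jellysearch"` presumably also requires read access to
  # JELLYFIN_CONFIG_DIR for that account; confirm before changing.
  users.users.jellysearch = {
    group = "jellysearch";
    isSystemUser = true;
  };
  users.groups.jellysearch = { };

  systemd.services.jellysearch = {
    enable = true;
    description = "JellySearch";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];

    serviceConfig = {
      Restart = "on-failure";
      ExecStart = "${pkgs.jellysearch}/bin/jellysearch";

      # systemd creates /var/lib/jellysearch with mode 0750.
      StateDirectory = "jellysearch";
      StateDirectoryMode = "0750";
      WorkingDirectory = "/var/lib/jellysearch";

      # Same secret file that services.meilisearch uses for its master key.
      # The key must be spelled exactly `EnvironmentFile`: systemd ignores
      # directives it does not recognise, so a misspelling means the secret
      # is silently never loaded into the service environment.
      EnvironmentFile = config.age.secrets."files/services/meilisearch/envfile".path;

      # Sandboxing.
      # NOTE(review): no filesystem or capability restrictions are set here
      # (e.g. ProtectSystem, ProtectHome, PrivateTmp, CapabilityBoundingSet);
      # consider adding them once the paths the service needs are known.
      NoNewPrivileges = true;
      SystemCallArchitectures = "native";
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      ProtectHostname = true;
      LockPersonality = true;
      PrivateDevices = true;
      PrivateUsers = true;
      RemoveIPC = true;
    };

    # Non-secret settings; secret values come from EnvironmentFile above.
    environment = {
      DOTNET_ENVIRONMENT = "Production";
      # Looks like a 7-field Quartz-style schedule (every two hours); confirm
      # against the JellySearch documentation.
      INDEX_CRON = "0 0 0/2 ? * * *";
      JELLYFIN_URL = "http://localhost:8096";
      JELLYFIN_CONFIG_DIR = "${toString config.services.jellyfin.configDir}";
      MEILI_URL = "http://localhost:${toString config.services.meilisearch.listenPort}";
    };
  };
}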