# Export large Jellyfin media trees to nix-server. Local path must already exist
# (e.g. /mnt/test/jellyfin/{movies,tv}). On nix-server this is mounted at /mnt/nixdesk-jellyfin.
#
# After deploy: ensure Jellyfin can read files over NFS — typical fix:
#   chmod -R a+rX /mnt/test/jellyfin
{ ... }:
{
  # Avoid UID/GID mismatches across machines: map all NFS writes from nix-server to a single
  # local system user/group on this server.
  users.groups.nfsmedia = { gid = 990; };
  users.users.nfsmedia = {
    isSystemUser = true;
    uid = 990;
    group = "nfsmedia";
  };

  systemd.tmpfiles.settings."14900k-jellyfin-media-dirs" = {
    "/mnt/test/jellyfin"."d" = { mode = "2775"; user = "nfsmedia"; group = "nfsmedia"; };
    "/mnt/test/jellyfin/movies"."d" = { mode = "2775"; user = "nfsmedia"; group = "nfsmedia"; };
    "/mnt/test/jellyfin/tv"."d" = { mode = "2775"; user = "nfsmedia"; group = "nfsmedia"; };
  };

  # Fixed ports so the firewall can allow NFS v3 helpers (see networking.firewall below).
  services.nfs.server = {
    enable = true;
    mountdPort = 4000;
    lockdPort = 4001;
    statdPort = 4002;
    # fsid= stabilizes file handles across server reboots/remounts of this tree (avoids client ESTALE).
    exports = ''
      /mnt/test/jellyfin 192.168.2.238(rw,sync,no_subtree_check,crossmnt,root_squash,all_squash,anonuid=990,anongid=990,fsid=1)
    '';
  };

  networking.firewall.allowedTCPPorts = [
    111 # portmapper
    2049
    4000
    4001
    4002
  ];
  networking.firewall.allowedUDPPorts = [
    111
    2049
    4000
    4001
    4002
  ];
}