{
  config,
  pkgs,
  tree,
  ...
}: let
  alsaDevice = "sysdefault:CARD=BTR3K";
  pipewireDevice = "alsa_output.usb-FiiO_FiiO_BTR3K_ABCDEF0123456789-00.analog-stereo";
  hardwareVolume = 75;

  startMusicPlayer = pkgs.writeShellScriptBin "startMusicPlayer" ''
    exec ${pkgs.mpv}/bin/mpv \
      "https://music:$(cat /secrets/music_stream_password)@mpd.owo.monster/flac" \
        --cache=yes --cache-pause-initial=yes --cache-pause-wait=5 \
        --vo=gpu --force-window --script-opts-append=osc-visibility=always \
        --ao=pipewire --audio-device="pipewire/${pipewireDevice}"
  '';
  startMusicPlayerSession = pkgs.writeShellScriptBin "startMusicPlayerSession" ''
    set -x
    export XDG_RUNTIME_DIR=/run/user/$UID

    dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY XDG_CURRENT_DESKTOP
    systemctl --user start dbus pipewire

    ${pkgs.alsa-utils}/bin/amixer -D ${alsaDevice} sset PCM "${toString hardwareVolume}%"

    exec systemd-inhibit --what=sleep:idle:handle-lid-switch ${startMusicPlayer}/bin/startMusicPlayer
  '';
in {
  imports = with tree; [
    profiles.connectivity.networkManager
    profiles.wifiHardware
  ];

  environment.systemPackages = [startMusicPlayer startMusicPlayerSession];

  users.users.music-player = {
    isNormalUser = true;
    linger = true;
    extraGroups = [
      "video"
      "input"
      "audio"
      "rtkit"
    ];
  };

  home-manager.users.music-player = {
    programs.mpv.enable = true;
    imports = with tree; [
      home.base
      home.apps.kitty
      home.apps.pavucontrol
    ];
    home.stateVersion = "23.05";
  };

  systemd.services."music-player" = {
    enable = true;
    after = [
      "systemd-user-sessions.service"
      "plymouth-start.service"
      "plymouth-quit.service"
      "systemd-logind.service"
      "getty@tty1.service"
      "network.target"
    ];
    before = ["music-player.target"];
    wants = ["dbus.socket" "network.target" "systemd-logind.service" "plymouth-quit.service"];
    wantedBy = ["music-player.target"];
    conflicts = ["getty@tty1.service"];

    restartIfChanged = true;
    unitConfig.ConditionPathExists = "/dev/tty1";
    serviceConfig = {
      ExecStart = ''
        ${pkgs.cage}/bin/cage -s ${startMusicPlayerSession}/bin/startMusicPlayerSession
      '';
      User = "music-player";
      StandardOutput = "append:/var/log/music-player.log";
      StandardError = "inherit";
      IgnoreSIGPIPE = "no";
      UtmpIdentifier = "%n";
      UtmpMode = "user";
      TTYPath = "/dev/tty1";
      TTYReset = "yes";
      TTYVHangup = "yes";
      TTYVTDisallocate = "yes";
      StandardInput = "tty-fail";
      PAMName = "music-player";
    };
    environment = {
      XDG_RUNTIME_DIR = "/run/user/1001";
      XDG_SESSION_TYPE = "wayland";
    };
  };

  security.polkit.enable = true;

  security.pam.services.music-player.text = ''
    auth    required pam_unix.so nullok
    account required pam_unix.so
    session required pam_unix.so
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required ${config.systemd.package}/lib/security/pam_systemd.so
  '';

  hardware.opengl.enable = true;

  systemd.targets.music-player = {
    description = "Music player";
    wants = ["music-player.service" "networkmanager.service"];
  };
}