{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.services.piped;
in {
  config = mkIf (cfg.enable && !cfg.disableProxy) {
    systemd.services.piped-proxy = {
      wantedBy = ["multi-user.target"];
      environment.BIND = "0.0.0.0:${toString cfg.internalProxyPort}";
      environment.IPV4_ONLY = mkIf cfg.proxyIPv4Only "1";
      serviceConfig = {
        ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";

        RestartSec = "5s";
        User = "piped";

        CapabilityBoundingSet = "";
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
      };
    };

    services.nginx.virtualHosts."${cfg.proxyDomain}" = lib.mkIf (!cfg.disableNginx) {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
        extraConfig =
          cfg.proxyNginxExtraConfig
          + ''
            add_header Cache-Control "public, max-age=604800";
          '';
      };
      locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = {
        proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
        extraConfig =
          cfg.proxyNginxExtraConfig
          + ''
            add_header Cache-Control private always;
          '';
      };
    };
  };
}