{
  config,
  pkgs,
  ...
}: let
  ports = import ../ports.nix {};
  secrets = config.services.secrets.secrets;
in {
  environment.systemPackages = with pkgs; [mpc_cli];

  services.mpd = {
    enable = true;
    network.listenAddress = "0.0.0.0";
    musicDirectory = "https://storage-webdav.owo.monster/music_ro/";
    credentials = [
      {
        passwordFile = "${secrets.mpd_control_password.path}";
        permissions = ["read" "add" "control" "admin"];
      }
    ];
    extraConfig = ''
      host_permissions "127.0.0.1 read,add,control,admin"
      samplerate_converter "0"
      metadata_to_use "title,artist"
      auto_update "yes"
      audio_buffer_size "4096"
      replaygain "track"
      audio_output_format "44100:16:2"
      audio_output {
        type		"httpd"
        name		"HTTP Opus"
        encoder		"opus"
        port		"${toString ports.mpd-opus}"
        bitrate		"96000"
        format		"44100:16:2"
        always_on       "yes"
        tags            "yes"
        signal "music"
        packet_loss "5"
      }
      audio_output {
        type		"httpd"
        name		"HTTP FLAC"
        encoder		"flac"
        port		"${toString ports.mpd-flac}"
        format		"44100:16:2"
        always_on       "yes"
        tags            "yes"
      }
    '';
  };

  services.nginx.virtualHosts."stream.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString ports.mpd-opus}";
        extraConfig = ''
          auth_basic "Music Password";
          auth_basic_user_file ${secrets.music_stream_passwd.path};
        '';
      };
      "/flac" = {
        proxyPass = "http://127.0.0.1:${toString ports.mpd-flac}";
        extraConfig = ''
          auth_basic "Music Password";
          auth_basic_user_file ${secrets.music_stream_passwd.path};
        '';
      };
    };
  };

  networking.firewall.allowedTCPPorts = [6600];
}