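# Container definition "media": an SFTP-only OpenSSH endpoint over the /media
# volume. Two accounts share the "media" group:
#   - media: key-authenticated, owns the library directories
#   - guest: password-authenticated, gets group (read/traverse) access
# The top-level attributes (name, config, ports, hosts, volumes) follow the
# surrounding project's container schema, which is not visible in this file.
{ pkgs, lib, ... }:
{
  name = "media";

  config = {
    services.openssh = {
      enable = true;
      ports = [ 22 ];
      settings = {
        # Only these two accounts may authenticate at all; both are members
        # of group "media", so both fall under the Match block below.
        AllowUsers = [ "media" "guest" ];
      };
      # Each directive must sit on its own line for sshd to parse the Match
      # block. The block confines matching sessions to a chrooted
      # internal-sftp with no shell. AllowAgentForwarding and
      # AllowStreamLocalForwarding are switched off alongside the TCP/X11
      # settings so that no forwarding channel remains for these accounts.
      #
      # NOTE(review): sshd refuses a ChrootDirectory unless every path
      # component is owned by root and not writable by group or others.
      # /media is a mounted volume whose ownership is not set in this file;
      # confirm it is root-owned, otherwise logins are rejected.
      extraConfig = ''
        Match Group media
          ChrootDirectory /media
          ForceCommand internal-sftp
          AllowTcpForwarding no
          AllowAgentForwarding no
          AllowStreamLocalForwarding no
          X11Forwarding no
      '';
    };

    # Key-only account; the public key is read from the repository's
    # secrets directory at evaluation time.
    users.users.media = {
      isSystemUser = true;
      group = "media";
      openssh.authorizedKeys.keyFiles = [ ../secrets/id_ed25519.pub ];
    };

    # Password account. The trailing newline is stripped so the hash matches
    # the shadow format exactly.
    #
    # NOTE(review): builtins.readFile pulls the hash into the evaluated
    # configuration, which NixOS typically writes into the world-readable
    # Nix store. users.users.<name>.hashedPasswordFile, pointing at a file
    # provisioned at runtime, keeps the hash out of the store; confirm which
    # fits this deployment. This account is also reachable with password
    # authentication through the forwarded host port declared below.
    users.users.guest = {
      isSystemUser = true;
      group = "media";
      hashedPassword = pkgs.lib.removeSuffix "\n" (builtins.readFile ../secrets/guest_password);
    };

    users.groups.media = {};

    # Library directories inside the chroot: owner "media" has full access,
    # group "media" (i.e. guest) may read and traverse, others get nothing.
    # /media itself is deliberately not listed here (see the chroot note).
    systemd.tmpfiles.settings.media-dir =
      let
        mode = {
          group = "media";
          mode = "0750";
          user = "media";
        };
      in
      {
        "/media/series".d = mode;
        "/media/movies".d = mode;
        "/media/music".d = mode;
      };
  };

  ports = {
    tcp = [ ];
    udp = [ ];
    http = null;
    # Container sshd (22/tcp) is published on host port 2222.
    forward = [
      {
        container = 22;
        host = 2222;
        proto = "tcp";
      }
    ];
  };

  hosts = [];

  # Writable volume backing the chroot; it is excluded from backups.
  volumes = [
    {
      name = "media";
      mountPoint = "/media/";
      readOnly = false;
      backup = false;
    }
  ];
}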