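# NixOS module: Jellyfin with Intel GPU (VA-API / QSV) hardware transcoding.
#
# Security-relevant choices made here:
#   * the service is reachable through the host firewall (openFirewall),
#   * one piece of the upstream systemd sandbox (PrivateUsers) is switched off,
#   * device access is narrowed to two DRM nodes via DeviceAllow.
{ lib, pkgs, ... }:
{
  # Intel graphics support for hardware transcoding
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver
      vpl-gpu-rt
      intel-compute-runtime
    ];
  };

  # Set VA-API driver to iHD (modern Intel driver).
  # sessionVariables only reach login sessions, not systemd units, which is
  # why the same variable is repeated under systemd.services.jellyfin below.
  environment.sessionVariables = {
    LIBVA_DRIVER_NAME = "iHD";
  };

  # Jellyfin user with render/video groups for GPU access
  users.users.jellyfin = {
    isSystemUser = true;
    group = "jellyfin";
    home = "/var/lib/jellyfin";
    createHome = true;
    extraGroups = [ "render" "video" ];
  };

  users.groups.jellyfin = {};

  # Create jellyfin directory.
  # Mode is 0750 rather than 0755: this is the service's state directory
  # (database, configuration, API keys), so local users outside the jellyfin
  # group have no reason to list or read it.
  systemd.tmpfiles.rules = [
    "d /var/lib/jellyfin 0750 jellyfin jellyfin - -"
  ];

  services.jellyfin = {
    enable = true;
    # Opens the Jellyfin ports in the host firewall on every interface.
    # NOTE(review): if the server is only meant for one LAN or sits behind a
    # reverse proxy, set this to false and allow the port per interface.
    openFirewall = true;
  };

  # Override systemd hardening for GPU access
  systemd.services.jellyfin = {
    serviceConfig = {
      # Disable user namespacing - breaks GPU device access.
      # This relaxes the sandbox for the whole service; leave the unit's other
      # hardening options at their defaults so this stays the only exception.
      PrivateUsers = lib.mkForce false;

      # An explicit DeviceAllow list makes systemd deny every other device
      # node (standard pseudo devices aside), so only these two DRM nodes are
      # reachable from the service.
      # NOTE(review): card0/renderD128 are enumeration-order names; confirm
      # they map to the Intel GPU on hosts with more than one graphics device.
      DeviceAllow = [
        "/dev/dri/card0 rw"
        "/dev/dri/renderD128 rw"
      ];

      # Critical: Explicit group membership for GPU access
      SupplementaryGroups = [ "render" "video" ];
    };

    environment = {
      LIBVA_DRIVER_NAME = "iHD"; # Ensure service sees this variable
    };
  };
}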