{ lib, pkgs, ... }: {
  # Intel graphics support for hardware transcoding
  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      intel-media-driver
      vpl-gpu-rt
      intel-compute-runtime
    ];
  };

  # Set VA-API driver to iHD (modern Intel driver for N100)
  environment.sessionVariables = {
    LIBVA_DRIVER_NAME = "iHD";
  };

  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };

  # Override systemd hardening for GPU access
  systemd.services.jellyfin = {
    serviceConfig = {
      PrivateUsers = lib.mkForce false;  # Disable user namespacing - breaks GPU device access
      DeviceAllow = [
        "/dev/dri/card0 rw"
        "/dev/dri/renderD128 rw"
      ];
      SupplementaryGroups = [ "render" "video" ];  # Critical: Explicit group membership for GPU access
    };
    environment = {
      LIBVA_DRIVER_NAME = "iHD";  # Ensure service sees this variable
    };
  };
}