{ domain, lib, isProd, config, pkgs, ... }:
let
  # Values referenced from more than one place are declared once here so the
  # service, the unit hardening and the reverse proxy cannot drift apart.
  mediaDir = "/mnt/media/immich";
  mediaMount = "mnt-media.mount";
  listenHost = "127.0.0.1";
  listenPort = 2283;
  # Fixed uid/gid for the immich account (DynamicUser is forced off below);
  # presumably so ownership of files under mediaDir stays stable — confirm.
  immichId = 900;
in
{
  # Secrets are provided through sops and rendered into an env file whose
  # path is handed to immich; the placeholders are substituted by sops, so the
  # plaintext values never appear in this module.
  sops = {
    secrets = {
      immich_db_password = { };
      immich_jwt_secret = { };
    };
    templates."immich.env".content = ''
      DB_PASSWORD=${config.sops.placeholder.immich_db_password}
      JWT_SECRET=${config.sops.placeholder.immich_jwt_secret}
    '';
  };

  #users.users.immich.extraGroups = [ "users" ];
  users = {
    users.immich.uid = immichId;
    groups.immich.gid = immichId;
  };

  services = {
    immich = {
      enable = true;
      # Bound to loopback only; external access goes through the nginx vhost.
      host = listenHost;
      port = listenPort;
      mediaLocation = mediaDir;
      secretsFile = config.sops.templates."immich.env".path;
      redis.enable = true;
      database = {
        enable = true;
        createDB = true;
        user = "immich";
        name = "immich";
        # Local unix socket rather than a TCP address.
        host = "/run/postgresql";
      };
      machine-learning.enable = true;
    };

    postgresql = {
      enable = true;
      dataDir = "/mnt/data/postgresql";
      ensureDatabases = [ "immich" ];
      ensureUsers = [
        {
          name = "immich";
          ensureDBOwnership = true;
        }
      ];
    };

    nginx.virtualHosts."photo.${domain}" = {
      # TLS redirect and ACME are tied to isProd; when it is false the vhost
      # serves plain HTTP.
      forceSSL = isProd;
      enableACME = isProd;
      locations."/" = {
        proxyPass = "http://${listenHost}:${toString listenPort}";
        proxyWebsockets = true;
        # Raises nginx's request-body cap for this location so large uploads
        # are not rejected at the proxy.
        extraConfig = "client_max_body_size 50G;";
      };
    };
  };

  systemd.services.immich-server = {
    # Start only once the media volume is mounted, and stop if it goes away.
    requires = [ mediaMount ];
    after = [ mediaMount ];
    serviceConfig = {
      DynamicUser = lib.mkForce false;
      # Keep the writable view of the filesystem limited to the media tree.
      ReadWritePaths = [ mediaDir ];
      BindPaths = [ mediaDir ];
    };
  };
}