# NixOS module: Immich photo server published at photos.donsz.nl.
# nginx terminates TLS (ACME) and proxies to Immich on loopback, login is
# delegated to the OAuth issuer at auth.donsz.nl, and one DRI render node is
# handed to the service for hardware acceleration.
{ config, pkgs, secrets, ... }:
let
  domain = "photos.donsz.nl";
  immich = config.services.immich;
in
{
  users = {
    # NOTE(review): this declares a `jellyfin` group, yet nothing else in this
    # module refers to Jellyfin, and the `immich` user below names the group
    # "immich", which this file does not declare. Presumably the
    # services.immich module creates that group; confirm that `jellyfin` here
    # is intentional and not a copy-paste leftover.
    groups.jellyfin = { };

    users.immich = {
      isSystemUser = true;
      group = "immich";
      # Supplementary groups, presumably for access to the /dev/dri node listed
      # in accelerationDevices; verify both are actually required.
      extraGroups = [ "video" "render" ];
    };
  };

  # Intel media / OpenCL userspace drivers for the GPU.
  hardware.graphics.enable = true;
  hardware.graphics.extraPackages = [
    pkgs.intel-ocl
    pkgs.intel-media-driver
  ];

  # OAuth client secret, read from the `client_secret` key of the sops-managed
  # immich.yaml. Only the path of the decrypted file is referenced from the
  # configuration below, so the value itself stays out of the Nix store.
  sops.secrets."immich-session-secret" = {
    format = "yaml";
    sopsFile = "${secrets}/immich.yaml";
    key = "client_secret";
  };

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Upstream is the loopback address only; the port follows
      # services.immich.port so the two cannot drift apart.
      proxyPass = "http://[::1]:${toString immich.port}";
      recommendedProxySettings = true;
      proxyWebsockets = true;
      # NOTE(review): a 50000M body limit with 600s timeouts applies to every
      # request under "/", not only to uploads. nginx buffers proxied request
      # bodies by default, so check that this cannot be used to fill the disk
      # and consider scoping the large limit to the upload path only.
      extraConfig = ''
        client_max_body_size 50000M;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;
      '';
    };
  };

  services.immich = {
    enable = true;
    port = 2283;

    # createDB = false: the database is expected to exist already.
    # NOTE(review): the application connects as `postgres`, normally the
    # PostgreSQL superuser. A dedicated role that owns only the `immich`
    # database would limit what an application compromise can reach.
    database = {
      host = "localhost";
      port = 5432;
      name = "immich";
      user = "postgres";
      createDB = false;
    };

    # NOTE(review): pkgs.writeText places this file in the Nix store, which is
    # readable by every local user and is copied along with the system
    # closure, so DB_PASSWORD is effectively public on this host. The value is
    # also a guessable constant. Suggested fix: keep a `DB_PASSWORD=...` line
    # in a sops secret, as is already done for the OAuth client secret, and set
    #   secretsFile = config.sops.secrets.<DB_ENV_SECRET_NAME>.path;
    # (<DB_ENV_SECRET_NAME> is a placeholder; no such secret exists in this
    # file). Rotate the database password when doing so.
    secretsFile = toString (
      pkgs.writeText "db-password" ''
        DB_PASSWORD=immich
      ''
    );

    settings = {
      server.externalDomain = "https://${domain}";
      # NOTE(review): verbose logging on an internet-facing service; confirm
      # the logs do not capture tokens or personal data and that they are
      # rotated.
      logging.level = "verbose";

      oauth = {
        enabled = true;
        issuerUrl = "https://auth.donsz.nl";
        # The client id is a public identifier, not a secret.
        clientId = "8fd9c066-2298-4991-ba24-7c41bd73192b";
        clientSecret = {
          _secret = config.sops.secrets.immich-session-secret.path;
        };
        tokenEndpointAuthMethod = "client_secret_post";
        scope = "openid email profile groups";
        # NOTE(review): the user's role is taken from the `immich_role` claim,
        # so whoever can set that claim at the issuer decides who is an Immich
        # admin. Confirm it can only be assigned by IdP administrators.
        roleClaim = "immich_role";
        buttonText = "Log in";
        autoLaunch = true;
        # NOTE(review): with autoRegister, any identity the issuer is willing
        # to authenticate for this client gets an Immich account. Access
        # control therefore lives in the IdP's policy for this client; verify
        # it is restricted to the intended users or groups.
        autoRegister = true;
        # storageLabelClaim: "",
        # "mobileOverrideEnabled": false,
        # "mobileRedirectUri": "",
      };
    };

    mediaLocation = "/storage/storage/media-server/photos";
    # Only this single render node is exposed to the service.
    accelerationDevices = [ "/dev/dri/renderD128" ];
  };
}