{
  pkgs,
  config,
  lib,
  ...
}:
let
  # Public host name under which Immich is published; it is reused below for
  # both Immich's external URL and the nginx virtual host key.
  # NOTE(review): `services.nginx.domain` is not declared in this file —
  # presumably a site-wide option defined elsewhere in the configuration.
  hostName = "immich.${config.services.nginx.domain}";
in
{
  # Immich itself. The advertised external URL is the HTTPS address of the
  # nginx virtual host declared further down.
  services.immich = {
    enable = true;

    # Enable every telemetry group.
    # NOTE(review): per Immich's documentation the resulting metrics are
    # served on dedicated listener ports rather than on the main web port —
    # confirm those listeners are reachable only by the intended scraper and
    # are not opened in the firewall.
    environment = {
      IMMICH_TELEMETRY_INCLUDE = "all";
    };

    settings = {
      server.externalDomain = "https://${hostName}";
    };
  };

  # TLS-terminating reverse proxy in front of the Immich server.
  services.nginx.virtualHosts.${hostName} =
    let
      # Address of the Immich server as configured in its own module.
      upstream = "http://${config.services.immich.host}:${toString config.services.immich.port}";
    in
    {
      forceSSL = true;
      # NOTE(review): `enableHSTS` is not declared in this file — presumably a
      # local option that adds a Strict-Transport-Security header; verify.
      enableHSTS = true;
      # Reuses the certificate of the "tlater.net" ACME host.
      # NOTE(review): confirm that certificate also covers this host name.
      useACMEHost = "tlater.net";

      locations = {
        # Everything else goes to Immich; websocket upgrades are passed on.
        "/" = {
          proxyPass = upstream;
          proxyWebsockets = true;
        };

        # Keeps /metrics out of the catch-all proxy above: only loopback
        # clients are allowed, everyone else is denied.
        # NOTE(review): there is no proxyPass here, so an allowed loopback
        # request is answered by nginx itself, not by Immich — confirm that
        # is intended. The allow rules match the peer address nginx sees, so
        # a proxy on the same host in front of nginx would make every client
        # look like loopback.
        "/metrics" = {
          extraConfig = ''
            access_log off;
            allow 127.0.0.1;
            ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
            deny all;
          '';
        };
      };
    };

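  # Backup job for Immich: dump the PostgreSQL database next to the media
  # files, back up the media directory (which then contains the dump), and
  # remove the dump afterwards. The two Immich services are paused for the
  # duration.
  # NOTE(review): the `backups` option set is not defined in this file; the
  # comments below assume `preparation.text` / `cleanup.text` are executed as
  # shell scripts by the job's `user` — confirm against that module.
  backups.immich =
    let
      mediaDir = config.services.immich.mediaLocation;
      # Staged inside the media directory so the single entry in `paths`
      # picks it up.
      db-dump = "${mediaDir}/immich-db.sql";
    in
    {
      user = "immich";
      paths = [ mediaDir ];

      preparation = {
        packages = [ config.services.postgresql.package ];
        # The dump holds the complete Immich database, account data included,
        # so it is created with owner-only permissions (umask 077) instead of
        # whatever umask the job happens to inherit. Interpolated values are
        # shell-escaped so a path or database name with unusual characters
        # cannot be split into extra arguments.
        text = ''
          umask 077
          pg_dump ${lib.escapeShellArg config.services.immich.database.name} --clean --if-exists --file=${lib.escapeShellArg db-dump}
        '';
      };

      cleanup = {
        packages = [ pkgs.coreutils ];
        # -f: do not fail when the dump is already gone (e.g. preparation
        # never got as far as creating it); the plaintext dump must not
        # linger in the media directory either way.
        text = "rm -f -- ${lib.escapeShellArg db-dump}";
      };

      # Stopped while the backup runs, presumably so files and database stay
      # consistent with each other.
      pauseServices = [
        "immich-server.service"
        "immich-machine-learning.service"
      ];
    };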
}