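# NixOS module fragment: enables Immich, publishes it through an nginx
# virtual host, and registers a backup job that dumps its PostgreSQL
# database next to the media files.
#
# `services.backups` and `enableHSTS` are not defined in this file;
# their exact semantics should be checked against the modules that declare them.
{
  pkgs,
  config,
  lib,
  ...
}:
let
  # Public name of the service, derived from the site-wide nginx domain.
  hostName = "immich.${config.services.nginx.domain}";
in
{
  services = {
    immich = {
      enable = true;
      settings.server.externalDomain = "https://${hostName}";

      # Turns on every telemetry group.
      # NOTE(review): this appears to make Immich open additional metrics
      # listeners on their own ports; confirm they are bound to loopback or
      # firewalled, since the nginx rules below do not cover them.
      environment.IMMICH_TELEMETRY_INCLUDE = "all";
    };

    nginx.virtualHosts.${hostName} =
      let
        # Upstream address of the Immich server as configured on this host.
        local = "http://${config.services.immich.host}:${toString config.services.immich.port}";
      in
      {
        forceSSL = true;
        useACMEHost = "tlater.net";
        enableHSTS = true;

        locations."/" = {
          proxyPass = local;
          # Immich uses websockets, so upgrade requests must be forwarded too.
          proxyWebsockets = true;
        };
        # Restricts /metrics on the public vhost to loopback clients; the
        # `deny all` must stay last so the allow rules are evaluated first.
        # NOTE(review): there is no proxyPass in this location, so requests
        # matching it are not forwarded to Immich. If a local scraper is
        # meant to reach Immich's metrics through nginx, an upstream seems
        # to be missing; confirm the intent.
        locations."/metrics" = {
          extraConfig = ''
            access_log off;
            allow 127.0.0.1;
            ${lib.optionalString config.networking.enableIPv6 "allow ::1;"}
            deny all;
          '';
        };
      };

    backups.immich =
      let
        db-dump = "${config.services.immich.mediaLocation}/immich-db.sql";
        # Shell-quoted forms, so a path or database name containing spaces
        # or shell metacharacters cannot split or alter the commands below.
        dumpArg = lib.escapeShellArg db-dump;
        dbArg = lib.escapeShellArg config.services.immich.database.name;
      in
      {
        user = "immich";
        # The dump is written inside mediaLocation, so it is picked up by
        # this single backup path.
        paths = [ config.services.immich.mediaLocation ];

        preparation = {
          packages = [ config.services.postgresql.package ];
          # The dump holds the whole application database (accounts,
          # credentials material, sharing links), so it is created with a
          # restrictive umask. The subshell keeps the umask change from
          # leaking into whatever script this text is embedded in.
          text = ''
            (
              umask 077
              pg_dump ${dbArg} --clean --if-exists --file=${dumpArg}
            )
          '';
        };

        cleanup = {
          packages = [ pkgs.coreutils ];
          # -f keeps cleanup from failing when the dump was never created
          # (e.g. pg_dump failed), so a plaintext dump is not left behind by
          # an aborted cleanup step; `--` guards against a path that starts
          # with a dash.
          text = "rm -f -- ${dumpArg}";
        };
        # Presumably these units are stopped while the backup runs so the
        # dump and the media files are consistent; confirm against the
        # backups module.
        pauseServices = [
          "immich-server.service"
          "immich-machine-learning.service"
        ];
      };
  };
}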