{ config, ... }:
let
  cfg = config.services.immich;
  domain = "photos.t5.st";
in
{
  services.immich = {
    enable = true;
    host = "127.0.0.1";
    mediaLocation = "/mnt/storage/immich";
    group = "storage";
    accelerationDevices = [ "/dev/dri/renderD128" ];
    settings = {
      metadata.faces.import = true;
      server.externalDomain = "https://${domain}";
      notifications.smtp.enabled = true;
      notifications.smtp.from = "Odin Photos <noreply@t5.st>";
    };
  };

  services.cloudflared.tunnels."71c89a7f-2467-444c-9fda-4864860dc8c4" = {
    credentialsFile =
      config.age.secrets."odin/services/cloudflared-tunnel".path;
    default = "http_status:404";
    ingress."${domain}".service =
      "http://${cfg.host}:${toString cfg.port}";
  };

  systemd.tmpfiles.rules = [
    "d /mnt/storage/immich 0770 immich storage - -"
  ];
}