{ config, lib, pkgs, ... }:
let
  cfg = config.services.immich;
  domain = "photos.t5.st";
  go-avahi-cname = lib.getExe pkgs.unstable.go-avahi-cname;
in
{
  services.immich = {
    enable = true;
    host = "0.0.0.0";
    openFirewall = true;
    mediaLocation = "/mnt/storage/immich";
    group = "storage";
    accelerationDevices = [ "/dev/dri/renderD128" ];
    # environment = {
    #   INFO: Not needed but left for reference
    #   ENCODED_VIDEO_LOCATION = "/var/cache/immich/encoded-video";
    #   MPLCONFIGDIR = "/var/cache/immich/mpl";
    #   PROFILE_LOCATION = "/var/cache/immich/profile";
    #   THUMB_LOCATION = "/var/cache/immich/thumbs";
    # };
    settings = {
      metadata.faces.import = true;
      newVersionCheck.enabled = false;
      server.externalDomain = "https://${domain}";
      storageTemplate = {
        enabled = true;
        hashVerificationEnabled = true;
        template = "{{y}}/{{MM}}/{{dd}}/{{filename}}";
      };
      # TODO: add smtp authentication to environment
      # notifications.smtp.enabled = true;
      # notifications.smtp.from = "Odin Photos <noreply@t5.st>";
    };
  };

  services.cloudflared.tunnels."71c89a7f-2467-444c-9fda-4864860dc8c4" = {
    credentialsFile =
      config.age.secrets."odin/services/cloudflared-tunnel".path;
    default = "http_status:404";
    ingress."${domain}".service =
      "http://${cfg.host}:${toString cfg.port}";
  };

  services.caddy.virtualHosts.immich = {
    hostName = "http://photos.odin.local";
    serverAliases = [ "photos.odin.t5.st" ];
    extraConfig = ''
      encode gzip zstd
      reverse_proxy ${cfg.host}:${toString cfg.port}
    '';
  };

  systemd.services.photos-local = {
    description = "Avahi photos.odin.local domain";
    wantedBy = [ "multi-user.target" ];
    after = [
      "network.target"
      "avahi-daemon.service"
    ];
    requires = [ "avahi-daemon.service" ];

    serviceConfig = {
      Type = "simple";
      User = "root";
      ExecStart = "${go-avahi-cname} cname photos";
      Restart = "always";
      RestartSec = "10";
    };
  };

  systemd.tmpfiles.rules = [
    "d /mnt/storage/immich 0770 immich storage - -"
    "d /var/cache/immich 0770 immich storage - -"
    "d /var/cache/immich/mpl 0700 immich storage - -"
    "d /var/cache/immich/encoded-video 0700 immich storage - -"
    "d /var/cache/immich/profile 0700 immich storage - -"
    "d /var/cache/immich/thumbs 0700 immich storage - -"
  ];

  system.activationScripts.createSymlink = ''
    ln -sf /var/cache/immich/encoded-video /mnt/storage/immich/encoded-video
    ln -sf /var/cache/immich/profile /mnt/storage/immich/profile
    ln -sf /var/cache/immich/thumbs /mnt/storage/immich/thumbs
  '';

  services.samba.settings = {
    christine-photos = {
      "path" = "/mnt/storage/immich/library/3aaaf0a1-011e-450d-a47c-4a320deb93e5";
      "browseable" = "yes";
      "read only" = "yes";
      "valid users" = "christine";
      "force user" = "immich";
    };
  };
}