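# NixOS module: Immich served behind an nginx TLS reverse proxy, with login
# delegated to an Authentik OIDC provider. Secrets are supplied through agenix.
{ config, ... }:
let
  # Public hostname; used for Immich's externalDomain and the nginx vhost name.
  domain = "immich.sprechtl.me";
in
{
  # OIDC client secret, decrypted by agenix. Owner/group immich with mode 0400
  # means only the immich service user can read the decrypted file.
  age.secrets.immich-oauth-secret = {
    file = ../../secrets/immich.age;
    owner = "immich";
    group = "immich";
    mode = "0400";
  };

  services.immich = {
    enable = true;
    # Absolute path, i.e. the local PostgreSQL unix socket directory rather
    # than a TCP host.
    database.host = "/run/postgresql";
    port = 2283; # default

    settings = {
      externalDomain = domain;
      oauth = {
        enabled = true;
        issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
        # The client ID is a public identifier, so it can live in the repo.
        clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
        # Only the path is written here; the `_secret` form is meant to have
        # the value read from that file at runtime, keeping it out of the
        # world-readable Nix store.
        clientSecret._secret = config.age.secrets.immich-oauth-secret.path;
        scope = "openid email profile";
        buttonText = "Login with Authentik";
        # NOTE(review): with autoRegister on, every identity the Authentik
        # application will issue a token for gets an Immich account on first
        # login. Who may use Immich is therefore decided entirely by the
        # access policy bound to the application in Authentik - confirm one
        # is in place.
        autoRegister = true;
        # set true to skip local login page entirely
        # NOTE(review): false leaves the local login page reachable; if OIDC
        # is meant to be the only way in, check whether password login should
        # be disabled as well.
        autoLaunch = false;
      };
    };

    # NOTE(review): this file only declares age.secrets.immich-oauth-secret.
    # age.secrets.immich has to be declared in another module, otherwise
    # evaluation fails on this line - confirm. Do not point it at the OAuth
    # secret above: that file holds a single raw value, not an environment
    # file.
    secretsFile = config.age.secrets.immich.path;
    mediaLocation = "/data/immich/";
  };

  # nginx reverse proxy
  services.nginx.virtualHosts.${domain} = {
    # Redirect plain HTTP to HTTPS and obtain the certificate through ACME.
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Derive the upstream port from the Immich option so the proxy cannot
      # drift out of sync with the service if the port is ever changed.
      proxyPass = "http://localhost:${toString config.services.immich.port}";
      proxyWebsockets = true;
      # for large video uploads
      # NOTE(review): about 50 GB per request, applied to every path of this
      # vhost. nginx buffers request bodies to disk by default, so its temp
      # directory needs the headroom; consider lowering the limit if uploads
      # never approach this size.
      extraConfig = "client_max_body_size 50000M;";
    };
  };
}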