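# NixOS module: Immich behind an nginx TLS reverse proxy, with OAuth/OIDC login
# delegated to an external identity provider (the button text names Authentik).
{ config, ... }:
let
  domain = "immich.sprechtl.me";
in
{
  # OAuth client secret, kept age-encrypted in the repository. The decrypted
  # file is readable only by the immich user (mode 0400), so the secret value
  # never has to be written into the world-readable Nix store.
  age.secrets.immich-oauth-secret = {
    file = ../../secrets/immich.age;
    owner = "immich";
    group = "immich";
    mode = "0400";
  };

  services.immich = {
    enable = true;
    # Socket directory rather than a hostname: the database is reached over
    # the local PostgreSQL Unix socket instead of TCP.
    database.host = "/run/postgresql";
    port = 2283; # default
    settings = {
      externalDomain = domain;
      oauth = {
        enabled = true;
        issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
        # The client ID is a public identifier, not a credential; only the
        # client secret below needs protecting.
        clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
        # Only the path of the decrypted secret appears in the configuration;
        # the value itself is expected to be read from that file at runtime.
        clientSecret._secret = config.age.secrets.immich-oauth-secret.path;
        scope = "openid email profile";
        buttonText = "Login with Authentik";
        # NOTE(review): with autoRegister on, every identity the provider
        # admits to this application gets an Immich account on first login.
        # Who may sign in therefore has to be restricted on the provider side
        # (application-level access policy) - confirm that is in place.
        autoRegister = true;
        autoLaunch = false; # set true to skip local login page entirely
      };
    };
    mediaLocation = "/data/immich/";
  };

  # nginx reverse proxy
  services.nginx.virtualHosts.${domain} = {
    # Plain-HTTP requests are redirected to HTTPS; the certificate is issued
    # and renewed through ACME.
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Port is taken from services.immich.port so the proxy target cannot
      # drift from the port the service actually listens on.
      proxyPass = "http://localhost:${toString config.services.immich.port}";
      proxyWebsockets = true;
      # https://docs.immich.app/administration/reverse-proxy/
      #
      # NOTE(review): X-Forwarded-For is built with $proxy_add_x_forwarded_for,
      # which appends to whatever the client already sent in that header. Only
      # the last entry (added by this proxy) and X-Real-IP ($remote_addr) are
      # trustworthy; confirm the backend is configured to trust just this proxy
      # before relying on client IPs in logs or rate limits.
      extraConfig = ''
        # allow large file uploads
        client_max_body_size 50000M;

        # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
        proxy_request_buffering off;

        # increase body buffer to avoid limiting upload speed
        client_body_buffer_size 1024k;

        # Set headers
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}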