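{ inputs, config, pkgs, lib, ... }:
let
  homelabDomain = inputs.nixos-secrets.homelabDomain;
  svcDomain = "photos.${homelabDomain}";
  # Single source of truth for the photo library path: referenced by both the
  # tmpfiles rule and services.immich.mediaLocation so the two cannot drift.
  photoStorageDir = "/tank/shares/photos";
  svcPort = config.services.immich.port;

  # Immich JSON configuration, rendered through a sops template so the OAuth
  # client secret is substituted at activation time instead of being written
  # into the (world-readable) nix store.
  # https://docs.immich.app/install/config-file/
  jsonSettings = {
    server.externalDomain = "https://${svcDomain}";
    oauth = {
      enabled = true;
      # TODO: the kanidm url?
      # NOTE(review): OIDC discovery cannot succeed while this is a bare scheme.
      # Kanidm issuers take the form https://<KANIDM_DOMAIN>/oauth2/openid/<clientId>
      # (<KANIDM_DOMAIN> is a placeholder; the real origin is not in this file).
      issuerUrl = "https://";
      clientId = "immich";
      # Placeholder resolved by sops-nix when the template is rendered.
      clientSecret = config.sops.placeholder."immich/oauth2_client_secret";
      # Must stay in sync with the Kanidm scopeMaps for this client below.
      scope = "openid email profile";
      signingAlgorithm = "ES256";
      storageLabelClaim = "email";
      buttonText = "Login with Kanidm";
      autoLaunch = true;
      mobileOverrideEnabled = true;
      mobileRedirectUri = "https://${svcDomain}/api/oauth/mobile-redirect/";
    };
  };
in
{
  # NOTE: The following repo contains a highly mature immich setup on nixos.
  # https://github.com/xinyangli/nixos-config/blob/a8b5bea68caea573801ccfdb8ceacb7a8f2b0190/machines/agate/services/immich.nix

  # TLS termination for the public hostname; Caddy forwards to the local immich port.
  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
    reverse_proxy :${toString svcPort}
  '';

  # NOTE: Primarily to contain DB_PASSWORD to make it possible to backup and restore the DB.
  # sops.secrets.immich_env = {
  #   sopsFile = ../../secrets/immich.env;
  #   format = "dotenv";
  #   mode = "0440";
  #   owner = "immich";
  #   group = "immich";
  #   restartUnits = [ "immich.service" ];
  # };

  sops.secrets."immich/oauth2_client_secret" = { };

  # Rendered config file that carries the OAuth client secret: readable only by
  # the immich service user/group.
  sops.templates."immich.json" = {
    mode = "0440";
    owner = config.services.immich.user;
    group = config.services.immich.group;
    content = builtins.toJSON jsonSettings;
  };

  # NOTE(review): services.immich (enabled below) manages an immich user and
  # group of its own; these definitions merge with them — confirm they are still needed.
  users.users.immich = { isSystemUser = true; };
  users.groups.immich = {};

  # Create the photo library directory, restricted to the immich user/group.
  systemd.tmpfiles.rules = [ "d ${photoStorageDir} 0770 immich immich -" ];

  # TODO: Setup mTLS for external / non-tailscale VPN immich access.
  # https://github.com/alangrainger/immich-public-proxy/blob/main/docs/securing-immich-with-mtls.md
  # TODO: Consider immich-public-proxy for generating "share" links
  # https://github.com/alangrainger/immich-public-proxy

  services.immich = {
    enable = true;
    # NOTE(review): this opens the plain-HTTP immich port in the host firewall in
    # addition to the TLS path through Caddy above. Keep it only if direct access
    # (e.g. from the tailscale side) is intended; otherwise drop it so Caddy is
    # the single entrypoint.
    openFirewall = true;
    port = 2283; # default
    #secretsFile = config.sops.secrets.immich_env.path;
    # TODO: Build this directory with permissions for the immich user.
    # (The tmpfiles rule above already creates it as 0770 immich:immich.)
    mediaLocation = photoStorageDir;
    environment = {
      IMMICH_CONFIG_FILE = config.sops.templates."immich.json".path;
    };
  };

  # Register immich as an OIDC client in Kanidm. The client secret is the same
  # sops secret that jsonSettings.oauth.clientSecret is rendered from.
  services.kanidm.provision.systems.oauth2.immich = {
    displayName = "immich";
    # NOTE(review): immich documents /auth/login, /user-settings and the mobile
    # redirect URI as its OAuth redirect targets; confirm this callback path is
    # what immich actually sends, since Kanidm presumably validates redirect_uri
    # against the configured origin.
    originUrl = "https://${svcDomain}/oauth2/oidc/callback";
    originLanding = "https://${svcDomain}/";
    basicSecretFile = config.sops.secrets."immich/oauth2_client_secret".path;
    # Must stay in sync with jsonSettings.oauth.scope.
    scopeMaps."immich.users" = [ "openid" "email" "profile" ];
    preferShortUsername = true;
  };
}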