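{ inputs, config, pkgs, lib, ... }:
let
  homelabDomain = inputs.nixos-secrets.homelabDomain;
  svcDomain = "photos.${homelabDomain}";
  # Single source of truth for the photo storage path; used by both the
  # tmpfiles rule and services.immich.mediaLocation below.
  photoStorageDir = "/tank/shares/photos";
  # services.immich.port is an integer. Nix refuses to coerce an integer in a
  # string interpolation, so convert once here before it reaches the Caddy
  # config string.
  svcPort = toString config.services.immich.port;
in
{
  # NOTE: The following repo contains a highly mature immich setup on nixos.
  # https://github.com/xinyangli/nixos-config/blob/a8b5bea68caea573801ccfdb8ceacb7a8f2b0190/machines/agate/services/immich.nix
  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
    reverse_proxy :${svcPort}
  '';

  # NOTE: Primarily to contain DB_PASSWORD to make it possible to backup and restore the DB.
  # This secret is consumed by services.immich.secretsFile below; the attribute
  # name here and there must agree (the previous reference pointed at a secret
  # that was never declared).
  sops.secrets.immich_env = {
    sopsFile = ../../secrets/immich.env;
    format = "dotenv";
    mode = "0440";
    owner = "immich";
    group = "immich";
    # The NixOS immich module runs the server as immich-server.service; a
    # restartUnits entry for a non-existent "immich.service" would never fire.
    restartUnits = [ "immich-server.service" ];
  };

  # Shared between Immich (reads it as the OIDC client secret) and Kanidm
  # (reads it via basicSecretFile when provisioning the oauth2 client), hence
  # owner immich / group kanidm with group-read only.
  sops.secrets."immich/oauth2_client_secret" = {
    owner = "immich";
    group = "kanidm";
    mode = "0440";
    restartUnits = [ "immich-server.service" "kanidm.service" ];
  };

  users.users.immich = {
    isSystemUser = true;
    group = "immich";
  };
  users.groups.immich = {};

  # Creates the media directory owned by the immich user/group with no access
  # for others; this is what services.immich.mediaLocation points at.
  systemd.tmpfiles.rules = [
    "d ${photoStorageDir} 0770 immich immich -"
  ];

  # TODO: Setup mTLS for external / non-tailscale VPN immich access.
  # https://github.com/alangrainger/immich-public-proxy/blob/main/docs/securing-immich-with-mtls.md
  # TODO: Consider immich-public-proxy for generating "share" links
  # https://github.com/alangrainger/immich-public-proxy
  services.immich = {
    enable = true;
    # NOTE(review): Caddy already terminates TLS on this host and proxies to
    # the port below, so opening the firewall exposes plaintext HTTP on every
    # interface; set this to false unless direct LAN access is deliberately
    # wanted.
    openFirewall = true;
    port = 2283; # default
    # Must match the sops.secrets attribute declared above.
    secretsFile = config.sops.secrets.immich_env.path;
    # Directory is created with the correct ownership by the tmpfiles rule above.
    mediaLocation = photoStorageDir;
    # https://docs.immich.app/install/config-file/
    settings = {
      # TODO: Setup OAuth with Kanidm
      oauth = {
        enabled = true;
        issuerUrl = "https://"; # TODO: the kanidm url?
        clientId = "immich";
        # NOTE(review): sops.placeholder values are only substituted inside
        # sops.templates. This settings attrset is rendered to the Nix store as
        # plain JSON, so the literal placeholder token, not the secret, ends up
        # in the config and OIDC login will fail. Render the config via a
        # sops.templates entry instead and point Immich at it (IMMICH_CONFIG_FILE)
        # so the secret is substituted at activation time.
        clientSecret = config.sops.placeholder."immich/oauth2_client_secret";
        scope = "openid email profile";
        signingAlgorithm = "ES256";
        storageLabelClaim = "email";
        buttonText = "Login with Kanidm";
        autoLaunch = true;
        mobileOverrideEnabled = true;
        mobileRedirectUri = "https://${svcDomain}/api/oauth/mobile-redirect/";
      };
    };
  };

  # Kanidm side of the OIDC pairing; redirect/landing URLs must be the public
  # (Caddy) hostname that Immich advertises.
  services.kanidm.provision.systems.oauth2.immich = {
    displayName = "immich";
    originUrl = "https://${svcDomain}/oauth2/oidc/callback";
    originLanding = "https://${svcDomain}/";
    basicSecretFile = config.sops.secrets."immich/oauth2_client_secret".path;
    scopeMaps."immich.users" = [ "openid" "email" "profile" ];
    preferShortUsername = true;
  };
}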