# NixOS module: runs Immich and publishes it through an nginx reverse proxy
# with TLS (ACME certificate) on the host named in the domain file below.
{ lib, config, ... }:
let
  # Public hostname, read at evaluation time (fileContents strips the trailing
  # newline). The value is interpolated into generated configuration, so it
  # lands in the world-readable Nix store: only non-sensitive data belongs in
  # a file loaded this way, even though it lives under a `secrets` directory.
  domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/immichdomain;

  # Immich is reached over IPv6 loopback only; the port follows the service option.
  upstream = "http://[::1]:${toString config.services.immich.port}";
in
{
  services.immich.enable = true;
  services.immich.port = 2283;
  services.immich.mediaLocation = "/storage/organized/photos";
  services.immich.settings.server.externalDomain = "https://${domain}";

  # Hardware acceleration for video.
  # `null` gives the service access to all devices.
  # NOTE(review): least privilege would list only the render node actually
  # used, e.g. `[ "/dev/dri/renderD128" ]` - confirm the node name on this
  # host before narrowing.
  services.immich.accelerationDevices = null;

  # Maybe more is needed here, hard to say...
  hardware.graphics.enable = true;

  # Supplementary groups for the immich service user.
  # NOTE(review): every group here widens what a compromised Immich process
  # can read or write; "jellyfin" presumably exists for shared media
  # directories - verify it is still required and that those paths are not
  # group-writable without need.
  users.users.immich.extraGroups = [
    "video"
    "render"
    "multimedia" # something strange here about remote file-system groups...
    "jellyfin"
  ];

  # Expose Immich to "the world": only the nginx ports are opened by this
  # module. The Immich port itself is not listed, so the proxy is the sole
  # public entry point unless the port is opened elsewhere.
  networking.firewall.allowedTCPPorts = [
    80 # nginx: HTTP, redirected to HTTPS by forceSSL
    443 # nginx: HTTPS
  ];

  # NOTE(review): this module does not set services.nginx.enable; presumably
  # nginx is enabled in another module - confirm.
  services.nginx.recommendedProxySettings = true;
  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedTlsSettings = true;

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;

    # Large uploads and long-running transfers: request bodies up to 50000M
    # and 600s proxy/send timeouts.
    # NOTE(review): a body limit this high lets a single request consume a
    # great deal of disk and connection time; check the free space available
    # for nginx's request-body buffering and for the media location.
    extraConfig = ''
      client_max_body_size 50000M;
      proxy_read_timeout 600s;
      proxy_send_timeout 600s;
      send_timeout 600s;
    '';

    locations."/" = {
      proxyPass = upstream;
      proxyWebsockets = true;
    };
  };
}