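# NixOS module for the Immich server: storage mounts and permissions, the
# Caddy reverse proxy in front of it, a fail2ban jail for failed logins, and
# the service settings themselves.
{
  service_configs,
  pkgs,
  config,
  lib,
  ...
}:
{
  imports = [
    # Both Immich units are tied to the SSD pool for the media directory.
    # (serviceMountWithZpool is a project helper not visible here; presumably
    # it makes the unit wait for the pool/mount. Confirm in lib.)
    (lib.serviceMountWithZpool "immich-server" service_configs.zpool_ssds [
      config.services.immich.mediaLocation
    ])
    (lib.serviceMountWithZpool "immich-machine-learning" service_configs.zpool_ssds [
      config.services.immich.mediaLocation
    ])

    # The rule string looks like a tmpfiles.d "Z" line: mode 0770 owned by the
    # Immich user and group, i.e. no access for other local accounts.
    # NOTE(review): confirm serviceFilePerms passes it to systemd-tmpfiles.
    (lib.serviceFilePerms "immich-server" [
      "Z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
    ])

    (lib.mkCaddyReverseProxy {
      subdomain = "immich";
      port = service_configs.ports.private.immich.port;
    })

    (lib.mkFail2banJail {
      name = "immich";
      unitName = "immich-server.service";
      # fail2ban can only ban an address it captures, so the filter needs a
      # host tag where the IP appears; with a bare `.*` there, nothing is
      # captured. <ADDR> matches IP literals only, which avoids resolving
      # attacker-supplied hostnames.
      # NOTE(review): assumes mkFail2banJail passes failregex through
      # unchanged. Also check which address Immich logs behind the proxy: if
      # it logs the proxy's address rather than the client's, the jail would
      # ban the proxy. Confirm the trusted-proxy settings.
      failregex = "^.*Failed login attempt for user .* from ip address <ADDR>.*$";
    })
  ];

  services.immich = {
    enable = true;
    mediaLocation = service_configs.immich.dir;
    port = service_configs.ports.private.immich.port;
    # openFirewall = true;
    # NOTE(review): 0.0.0.0 listens on every interface. With openFirewall left
    # off, outside reachability depends on the host firewall. If the reverse
    # proxy runs on this same host, a loopback bind would be enough and would
    # stop clients from bypassing the proxy. Confirm before changing.
    host = "0.0.0.0";
    database = {
      # The module does not create the database; it must be provisioned
      # elsewhere.
      createDB = false;
    };
  };

  environment.systemPackages = with pkgs; [
    immich-go
  ];

  # Extra groups for the service account; presumably for GPU device access
  # (hardware transcoding / ML). Verify this is still needed.
  users.users.${config.services.immich.user}.extraGroups = [
    "video"
    "render"
  ];
}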