{
  lib,
  pkgs,
  ...
}:
with lib; {
  services = {
    nginx = {
      virtualHosts."photos.posixlycorrect.com" = {
        enableACME = true;
        forceSSL = true;
        extraConfig = ''
          proxy_headers_hash_max_size 512;
          proxy_headers_hash_bucket_size 128;
        '';
        locations."/" = {
          proxyPass = "http://localhost:2283";
        };
      };
    };

    immich = {
      enable = true;
      secretsFile = "/var/trust/immich/secrets.txt";
      openFirewall = true;
      mediaLocation = "/mnt/export2178/immich/media";
      machine-learning.enable = false;
      environment = {
        IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job";
      };
    };
  };
}