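{ pkgs, config, lib, inputs, unstable_pkgs, ... }:
# NixOS module wiring Immich into the homelab: user/group, the service itself,
# a Caddy reverse proxy entry, a Glance dashboard link and a backup set.
let
  service = "immich";
  cfg = config.homelab.${service};
  sec = config.sops.secrets;
  homelab = config.homelab;
  # Single source of truth for the default port, so the option description can
  # quote it without reading the option's own (merged) value back.
  defaultPort = 7702;
in {
  options.homelab.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # Listening port of the Immich server (also the default uid/gid, see `ids`).
    port = lib.mkOption {
      type = lib.types.port;
      default = defaultPort;
      description = "set port for ${service} (default: ${toString defaultPort})";
    };

    # Virtual host name Caddy serves this instance under.
    url = lib.mkOption {
      type = lib.types.str;
      default = "photos.${homelab.base_domain}";
      description = "set domain for ${service}";
    };

    # Media/state location; also the service user's home directory.
    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };

    # Numeric id used for both the uid and the gid of the service account.
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and gid of ${service} user (matches port by default)";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };

    motd = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = "immich-server";
      description = "motd entry for ${service} (nullable)";
    };
  };

  config = lib.mkIf cfg.enable {
    # Declare the ${service} group with a fixed gid.
    users.groups.${service} = { gid = lib.mkForce cfg.ids; };

    # Declare the ${service} system user.
    users.users.${service} = {
      description = "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = service;
      # NOTE(review): "video"/"render" presumably give the service access to
      # GPU devices; "blake" is a personal user's group and lets the service
      # read anything group-readable by that user — confirm it is needed.
      extraGroups = [ "video" "render" "blake" ];
    };

    # Enable the upstream ${service} service.
    services.${service} = {
      enable = true;
      #package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.immich;
      package = unstable_pkgs.x86_64.immich;
      # NOTE(review): binding to 0.0.0.0 together with openFirewall exposes the
      # plain-HTTP port directly on the LAN, bypassing the TLS-terminating Caddy
      # front below. The Glance check/error URLs rely on this direct access;
      # binding to 127.0.0.1 would require pointing those at the Caddy host.
      openFirewall = true;
      user = service;
      group = service;
      mediaLocation = cfg.data_dir;
      host = "0.0.0.0";
      port = cfg.port;
      settings = null;
      #settings.server.externalDomain = "https://photos.blakedheld.xyz";
    };

    # Override umask to make permissions work out
    # systemd.services."${toString service}-server".serviceConfig = {
    #   UMask = lib.mkForce "0007";
    # };
    # systemd.services."${toString service}-machine-learning".serviceConfig = {
    #   UMask = lib.mkForce "0007";
    # };
    #
    # Open firewall
    # networking.firewall.allowedTCPPorts = [ cfg.port ];

    # Add to Caddy as a TLS-terminating reverse proxy.
    # NOTE(review): the certificate and key are sops secrets; the Caddy service
    # user must be granted read access to them where the secrets are declared.
    services.caddy.virtualHosts."${cfg.url}" = {
      serverAliases = [ "photos.${homelab.public_domain}" ];
      extraConfig = ''
        tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
        reverse_proxy 127.0.0.1:${toString cfg.port}
      '';
    };

    # Add a Glance dashboard entry.
    homelab.glance.links.services = [
      {
        title = service;
        url = "https://photos.${homelab.public_domain}";
        error-url = "http://${homelab.host_ip}:${toString cfg.port}";
        check-url = "http://${homelab.host_ip}:${toString cfg.port}";
        icon = "di:${service}";
      }
    ];

    # Add the postgresql database (created automatically) to the backup list.
    #services.postgresqlBackup.databases = ["immich"];
    # Set to all databases defined in ensureDatabases.
    services.postgresql.ensureDatabases = [ service ];

    # Add to backups.
    # NOTE(review): the .sql.zstd path assumes services.postgresqlBackup dumps
    # this database elsewhere in the configuration (the local line above is
    # commented out); otherwise the backup set references a file that is never
    # produced and the database is not backed up.
    homelab.backups.baks = {
      ${service} = {
        paths = [
          cfg.data_dir
          "/var/lib/redis-immich"
          "/var/backup/postgresql/immich.sql.zstd"
        ];
      };
    };
  };
}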