Added the rest of the configuration. Still some things to add.

modules/services/immich.nix

@@ -15,6 +15,14 @@ helper.mkPodmanService {
   name = "immich";
   pod = "immich";
   defaultPort = "2283";
+  useSopsSecrets = true;
+
+  extraConfig = {
+    numbus.services.immich.secretMapping = {
+      DB_PASSWORD = "db_password";
+      DB_USERNAME = "db_username"; # Assuming you add this to schema
+    };
+  };
 
 # Compose file good
   composeText = ''

modules/services/lib.nix

@@ -31,6 +31,7 @@ with lib;
     extraOptions ? {},
     extraConfig ? {},
     delaySec ? 180,
+    useSopsSecrets ? false, # New argument to enable sops integration
     middlewares ? [ "secureHeaders" ],
     dependencies ? [ "traefik.service" "${config.numbus.services.dns}.service" ],
   }:
@@ -135,7 +136,7 @@ ${concatStringsSep "\n" (map (m: "        - ${m}") middlewares)}
             Type = "exec";
             ExecStartPre = [
               "bash -c 'sleep $((RANDOM % ${toString delaySec}))'"
-              "-sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull"
+              "- sudo -u numbus-admin podman-compose -f /etc/podman/${name}/compose.yaml pull"
             ];
             ExecStart = "sudo -u numbus-admin podman-compose --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml up --remove-orphans";
             ExecStop = "sudo -u numbus-admin podman-compose --in-pod ${toString pod} -f /etc/podman/${name}/compose.yaml down";