{ config, pkgs, lib, ... }:

with lib;

let
  helper = import ./lib.nix { inherit config pkgs lib; };
  cfg = config.numbus.services.immich;
in

helper.mkPodmanService {
  name = "immich";
  description = "Immich, Google Photos but better";
  defaultPort = "2283";
  pod = "immich";
  dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" ];

  composeText = ''
    services:
      immich-server:
        image: ghcr.io/immich-app/immich-server:latest
        container_name: immich-server
        hostname: immich-server
        user: '1000:1000'
        networks:
          immich_frontend:
          immich_backend:
        ports:
          - "${cfg.port}:2283/tcp" #http
        volumes:
          - ${cfg.dataDir}:/data
          - /etc/localtime:/etc/localtime:ro
        env_file:
          - .env
        depends_on:
          - immich-redis
          - immich-database
        healthcheck:
          disable: false
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      immich-machine-learning:
        image: ghcr.io/immich-app/immich-machine-learning:latest
        container_name: immich-machine-learning
        hostname: immich-machine-learning
        user: '1000:1000'
        networks:
          immich_backend:
        volumes:
          - ${cfg.configDir}/machine-learning:/cache
        env_file:
          - .env
        healthcheck:
          disable: false
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      immich-redis:
        image: docker.io/valkey/valkey:8-bookworm
        container_name: immich-redis
        hostname: immich-redis
        user: '1000:1000'
        networks:
          immich_backend:
        healthcheck:
          test: redis-cli ping || exit 1
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

      immich-database:
        image: ghcr.io/immich-app/postgres:14
        container_name: immich-database
        hostname: immich-database
        user: '1000:1000'
        networks:
          immich_backend:
        shm_size: 128mb
        volumes:
          - ${cfg.configDir}/database:/var/lib/postgresql/data
        environment:
          POSTGRES_PASSWORD: $DB_PASSWORD
          POSTGRES_USER: $DB_USERNAME
          POSTGRES_DB: $DB_DATABASE_NAME
          POSTGRES_INITDB_ARGS: '--data-checksums'
        healthcheck:
          disable: false
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - NET_RAW
        restart: unless-stopped

    networks:
      immich_frontend:
        name: immich_frontend
        driver: bridge
        ipam:
          config:
            - subnet: "10.89.7.0/24"
              gateway: "10.89.7.254"
      immich_backend:
        name: immich_backend
        driver: bridge
        ipam:
          config:
            - subnet: "10.89.8.0/24"
              gateway: "10.89.8.254"
  '';
}