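# NixOS module: PhotoPrism bound to loopback, published through an nginx
# TLS reverse proxy, with VAAPI transcoding limited to a single render node.
{ lib
, ... }: with lib; {
  services.photoprism = {
    enable = true;
    originalsPath = "/run/storage/aerial/raw";
    settings = {
      PHOTOPRISM_ADMIN_USER = "koishi";
      PHOTOPRISM_FFMPEG_ENCODER = "vaapi";
      # "-1" turns off PhotoPrism's per-file size and resolution caps, so the
      # only bound on indexing/transcoding load is who can write to originals.
      PHOTOPRISM_ORIGINALS_LIMIT = "-1";
      PHOTOPRISM_RESOLUTION_LIMIT = "-1";
    };
    # A runtime path rather than a Nix string keeps the admin password out of
    # the world-readable store. The file sits inside the persisted state dir
    # (see environment.persistence below).
    # NOTE(review): ownership/mode are not managed here - confirm it is
    # readable by root only.
    passwordFile = "/var/lib/photoprism/password";
  };

  services.nginx.virtualHosts."raw.514fpv.io" = {
    # Reuses a certificate declared elsewhere (presumably
    # security.acme.certs.".514fpv.io" - not visible in this file).
    useACMEHost = ".514fpv.io";
    # forceSSL instead of addSSL: addSSL keeps serving the site on plain
    # HTTP, which would let the admin login and session cookie cross the
    # network unencrypted. forceSSL redirects every HTTP request to HTTPS.
    forceSSL = true;
    extraConfig = ''
      proxy_buffering off;
    '';
    locations."/" = {
      # Loopback upstream; assumes services.photoprism.address/port are left
      # at their defaults so nginx is the only network-facing listener.
      proxyPass = "http://127.0.0.1:2342";
      proxyWebsockets = true;
    };
  };

  systemd.services.photoprism.serviceConfig = {
    # VAAPI needs the GPU render node, so PrivateDevices has to be forced off.
    # DevicePolicy=closed plus a single DeviceAllow entry keeps every other
    # device (besides the standard pseudo-devices) out of reach of the unit.
    PrivateDevices = mkForce false;
    DevicePolicy = "closed";
    # NOTE(review): renderD128 is the usual first render node; the number can
    # differ on hosts with more than one GPU.
    DeviceAllow = [ "/dev/dri/renderD128 rw" ];
  };

  # Keep PhotoPrism state across reboots on an ephemeral root.
  environment.persistence."/nix/persist/fhs".directories = [
    "/var/lib/private/photoprism"
  ];
}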