{
  lib,
  config,
  pkgs,
  ...
}: let
  inherit (config.services.secrets) secrets;

  rclonePhotos = pkgs.writeShellScriptBin "rclone-photos" ''
    ${pkgs.rclone}/bin/rclone --config ${secrets.photos_rclone_config.path} "$@"
  '';

  mountPhotos = pkgs.writeShellScriptBin "mount-photos" ''
    umount -flR /Photos || true
    ${rclonePhotos}/bin/rclone-photos mount Photos: /Photos \
      --allow-other \
      --uid=${toString config.users.users.photoprism.uid} \
      --gid=${toString config.users.groups.photoprism.gid} \
      --umask=666 \
      --cache-dir=/PhotosCache \
      --dir-cache-time=1h \
      --vfs-cache-mode=full \
      --vfs-cache-max-size=2g \
      --vfs-cache-max-age=10m \
      --log-level=INFO "$@"
  '';

  inherit (lib.modules) mkForce;
  inherit (builtins) toFile;
in {
  environment.systemPackages = with pkgs; [
    rclone
    rclonePhotos
    fuse
    fuse3
    mountPhotos
    util-linux
    (let
      cfg = config.services.photoprism;

      env =
        {
          PHOTOPRISM_ORIGINALS_PATH = cfg.originalsPath;
          PHOTOPRISM_STORAGE_PATH = cfg.storagePath;
          PHOTOPRISM_IMPORT_PATH = cfg.importPath;
          PHOTOPRISM_HTTP_HOST = cfg.address;
          PHOTOPRISM_HTTP_PORT = toString cfg.port;
        }
        // (lib.mapAttrs (_: toString) cfg.settings);
    in
      pkgs.writeShellScriptBin "photoprism-manage" ''
        set -o allexport
        ${lib.toShellVars env}
        eval "$(${config.systemd.package}/bin/systemctl show -pUID,MainPID photoprism.service | ${pkgs.gnused}/bin/sed "s/UID/ServiceUID/")"
        exec ${pkgs.util-linux}/bin/nsenter \
          -t $MainPID -m -S $ServiceUID -G $ServiceUID --wdns=${cfg.storagePath} \
          ${cfg.package}/bin/photoprism "$@"
      '')
  ];

  systemd.tmpfiles.rules = [
    "d /PhotosCache - photoprism photoprism"
    "d /Photos - photoprism photoprism"
  ];

  users.users.photoprism = {
    isSystemUser = true;
    uid = 1290;
    group = "photoprism";
  };
  users.groups.photoprism.gid = 1290;

  services.photoprism = {
    enable = true;
    originalsPath = "/Photos/originals";
    settings = {
      PHOTOPRISM_SITE_URL = "https://photoprism.owo.monster";
      PHOTOPRISM_SITE_TITLE = "PhotoPrism";

      PHOTOPRISM_SIDECAR_PATH = "/Photos/sidecar";

      PHOTOPRISM_DISABLE_TENSORFLOW = "false";
      PHOTOPRISM_DISABLE_PLACES = "true";
      PHOTOPRISM_DETECT_NSFW = "false";
      PHOTOPRISM_UPLOAD_NSFW = "true";
      PHOTOPRISM_DISABLE_FACES = "true";
      PHOTOPRISM_DISABLE_CLASSIFICATION = "false";
    };
  };

  systemd.services.photoprism.serviceConfig = {
    DynamicUser = mkForce false;
    ReadWritePaths = [ "/Photos" ];
  };

  services.nginx.virtualHosts."photoprism.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.photoprism.port}";
        proxyWebsockets = true;
      };
    };
  };

  programs.fuse.userAllowOther = true;

  systemd.services.photos-mount = {
    wantedBy = ["photoprism.service"];
    partOf = ["photoprism.service"];
    path = with pkgs; [
      fuse
      fuse3
      util-linux
    ];
    serviceConfig.ExecStart = "${mountPhotos}/bin/mount-photos --syslog";
  };
}