# NixOS module: supplies the Immich database password from a sops-encrypted
# file to the service through a rendered env file.
{ config, ... }:
let
  secretsFile = ../secrets.yaml;
  secretName = "immich/database-password";

  # Placeholders are expanded only inside template `content` (not in arbitrary
  # Nix strings). What is evaluated here is the placeholder token, not the
  # plaintext password.
  dbPasswordPlaceholder = config.sops.placeholder.${secretName};
in
{
  sops = {
    secrets.${secretName}.sopsFile = secretsFile;

    # Env file carrying the password under both variable names.
    # NOTE(review): no owner/group/mode is set on this template, so the
    # sops-nix defaults apply. Confirm that whatever loads `environmentFiles`
    # can read the rendered file and that no broader account can.
    templates."immich-db.env".content = ''
      POSTGRES_PASSWORD=${dbPasswordPlaceholder}
      DB_PASSWORD=${dbPasswordPlaceholder}
    '';
  };

  chiasson.system.services.immich = {
    enable = true;

    # NOTE(review): 0.0.0.0 listens on every interface. Confirm port 2283 is
    # limited by the firewall or fronted by a TLS-terminating reverse proxy.
    host = "0.0.0.0";
    port = 2283;

    timezone = "America/Moncton";
    uploadLocation = "/var/lib/immich/library";

    # The password reaches the service only through this rendered file.
    # NOTE(review): values passed as environment variables are visible to
    # anything that can inspect the service's environment.
    environmentFiles = [ config.sops.templates."immich-db.env".path ];

    postgres = {
      # NOTE(review): `postgres` is conventionally the superuser role; a
      # dedicated, less-privileged role would be preferable if this module
      # supports one.
      user = "postgres";
      # `password` is deliberately left unset: it is defined in
      # sops.templates."immich-db.env".
      database = "immich";
    };
  };
}