{ lib, config, kubenix, ... }: {
  kubernetes.helm.releases.immich = {
    chart = kubenix.lib.helm.fetch {
      repo = "https://immich-app.github.io/immich-charts";
      chart = "immich";
      version = "0.2.0";
      sha256 = "7G7xfJ+Ay4TQUBiOPYr9Zl/hDDhCpZQbuKDQWl3Hmrg=";
    };
    # arbitrary attrset passed as values to the helm release
    values = {
      image.tag = "v1.90.2";
      machine-learning.enabled = false;
      typesense.enabled = true;
      typesense.persistence.tsdata.enabled = true;
      immich.persistence.library.existingClaim = "immich";
      redis.enabled = true;
      env = {
        PGSSLMODE = "no-verify";
        DB_URL.valueFrom.secretKeyRef = {
          name = "hippo-pguser-immich";
          key = "uri";
        };
      };
      server.ingress.main = {
        enabled = true;
        annotations = {
          "cert-manager.io/issuer" = "le-issuer";
        };
        tls = [ { hosts = [ "photos.gmem.ca" ]; secretName = "gmem-ca-wildcard"; } ];
        hosts = [
          {
            host = "photos.gmem.ca";
            paths = [ { path = "/"; } ];
          }
        ];
      };
    };
  };

  kubernetes.resources.persistentVolumeClaims.immich = {
    metadata.name = "immich";
    spec = {
      accessModes = ["ReadWriteOnce"];
      resources.requests.storage = "50Gi";
    };
  };
}