{
  lib,
  config,
  kubenix,
  ...
}: {
  kubernetes.helm.releases.immich = {
    chart = kubenix.lib.helm.fetch {
      repo = "https://immich-app.github.io/immich-charts";
      chart = "immich";
      version = "0.4.0";
      sha256 = "qekwsAke6NBwhlbt7nIkuwTSIydcWOq/kETooYb64oY=";
    };
    # arbitrary attrset passed as values to the helm release
    values = {
      image.tag = "v1.98.2";
      machine-learning.enabled = false;
      immich.persistence.library.existingClaim = "immich";
      redis.enabled = true;
      env = {
        PGSSLMODE = "no-verify";
        DB_URL.valueFrom.secretKeyRef = {
          name = "hippo-pguser-immich";
          key = "uri";
        };
      };
      server.ingress.main = {
        enabled = true;
        annotations = {
          "cert-manager.io/issuer" = "le-issuer";
        };
        tls = [
          {
            hosts = ["photos.gmem.ca"];
            secretName = "gmem-ca-wildcard";
          }
        ];
        hosts = [
          {
            host = "photos.gmem.ca";
            paths = [{path = "/";}];
          }
        ];
      };
    };
  };

  kubernetes.resources.persistentVolumeClaims.immich = {
    metadata.name = "immich";
    spec = {
      accessModes = ["ReadWriteOnce"];
      resources.requests.storage = "50Gi";
    };
  };
}