diff --git a/modules/default.nix b/modules/default.nix
index 2e923eb..8c7a92d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -22,5 +22,6 @@
 ./dokuwiki.nix
 ./postgresql.nix
 ./foundryvtt.nix
+ ./immich.nix
 ];
 }
diff --git a/modules/immich.nix b/modules/immich.nix
new file mode 100644
index 0000000..d93eedf
--- /dev/null
+++ b/modules/immich.nix
@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.services.immich;
+ externalDomain = "photos.${config.networking.domain}";
+in
+{
+ options.custom.services.immich = {
+ enable = lib.mkEnableOption "immich";
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops.secrets.immichSecretsFile = {
+ owner = config.systemd.services.immich-server.serviceConfig.User;
+ key = "immich/secrets_file";
+ restartUnits = [ "immich-server.service" ];
+ };
+
+ services = {
+ immich = {
+ enable = true;
+ host = "127.0.0.1";
+ group = "nextcloud";
+ secretsFile = config.sops.secrets.immichSecretsFile.path;
+ database.host = "127.0.0.1";
+ settings = {
+ server.externalDomain = "https://${externalDomain}";
+ };
+ };
+ nginx = {
+ virtualHosts = {
+ ${externalDomain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/postgresql.nix b/modules/postgresql.nix
index 991d28f..9d0d302 100644
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@@ -22,6 +22,7 @@ in
 root_as_others root synapse
 root_as_others root nextcloud
 root_as_others root roundcube
+ root_as_others root immich
 '';
 authentication = ''
 local all postgres peer
@@ -46,6 +47,11 @@ in
 key = "roundcube/db_password";
 restartUnits = [ "postgresql-setup.service" ];
 };
+ immichDbPasswordPg = {
+ owner = config.services.postgresql.superUser;
+ key = "immich/db_password";
+ restartUnits = [ "postgresql-setup.service" ];
+ };
 };
 
 systemd.services.postgresql-setup =
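Review bot: `group = "nextcloud";` in the new immich.nix runs immich-server in Nextcloud's primary group, so everything that group can read or write (Nextcloud's data directory, presumably) becomes reachable from the Immich process, and a compromise of the photo app's web-facing server now extends to the other service. If the intent is to let Immich read a library that Nextcloud owns, a dedicated shared group or an ACL on just that path is the least-privilege way to do it; if it is not needed, drop the line and keep the module default. Either way the line deserves a why-comment, e.g. `# shares Nextcloud's group so its media path is readable by Immich; widens access, keep scoped`. Note also that `externalDomain` only evaluates when `config.networking.domain` is set on the host, which this module does not assert.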
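Review bot: The Immich database password is now kept in two places — `immich/db_password` here for `postgresql-setup`, and presumably again (as `DB_PASSWORD`) inside the `immich/secrets_file` that immich-server consumes — with nothing that ties them together, so rotating one without the other silently breaks the service's database login. A short comment next to `key = "immich/db_password";` such as `# must match DB_PASSWORD in immich/secrets_file` (or a sops anchor shared by both entries) would make the coupling visible. The owner and `restartUnits` follow the neighbouring entries and restrict the file to the PostgreSQL superuser, which is the right scope for this script. The enclosing `sops.secrets` attribute set starts before this hunk.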
@@ -69,14 +75,17 @@ in
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
+ PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "immich"'
 
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
+ PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "immich" OWNER "immich"'
 
 PSQL -tAc "ALTER ROLE synapse LOGIN"
 PSQL -tAc "ALTER ROLE nextcloud LOGIN"
 PSQL -tAc "ALTER ROLE roundcube LOGIN"
+ PSQL -tAc "ALTER ROLE immich LOGIN"
 
 synapse_password="$(<'${config.sops.secrets.synapseDbPasswordPg.path}')"
 PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@@ -84,6 +93,8 @@ in
 PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
 roundcube_password="$(<'${config.sops.secrets.roundcubeDbPasswordPg.path}')"
 PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
+ immich_password="$(<'${config.sops.secrets.immichDbPasswordPg.path}')"
+ PSQL -tAc "ALTER ROLE immich WITH PASSWORD '$immich_password'"
 '';
 
 serviceConfig = {
diff --git a/profiles/hel.nix b/profiles/hel.nix
index a50f21a..755af7f 100644
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
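Review bot: `CREATE DATABASE "immich" OWNER "immich"` produces a bare database, but Immich needs a vector extension (pgvecto.rs's `vectors` on the releases current for this commit — check the packaged version) that the non-superuser `immich` role cannot create itself, and nothing in this hunk creates it. Whether that bites depends on `services.immich.database.enable`, which immich.nix leaves at its default: if the NixOS module's own database setup stays on it will create the extension and also manage the `immich` role through `ensureUsers`, overlapping with this script, so a comment stating which side owns the role would help; if it is turned off, this script needs something like `PSQL -d immich -tAc 'CREATE EXTENSION IF NOT EXISTS vectors'` plus the matching `services.postgresql.extensions` and `shared_preload_libraries` settings. The `postgresql-setup` script this hunk belongs to, and the `PSQL` helper it calls, are defined outside the hunk.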
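Review bot: The new `PSQL -tAc "ALTER ROLE immich WITH PASSWORD '$immich_password'"` puts the secret on psql's command line, where it is readable in `/proc/<pid>/cmdline` by every local account on the host (including the other service users) while the statement runs, and a `'` in the secret would break or alter the SQL; the synapse/nextcloud/roundcube lines above share the problem, so this hunk extends it rather than fixing it. Reading the statement from stdin and letting psql pull the file into a variable keeps the secret out of argv and gives correct quoting through `:'pw'`. This assumes `PSQL`, defined above the hunk, forwards its arguments to `psql` and that the script runs as a user able to read the sops file, which the existing `$(<…)` read already requires. `ON_ERROR_STOP` is included because a failing statement read from stdin would otherwise leave psql's exit status at zero.
```nix
# read the secret inside psql: it never appears in argv, and :'pw' quotes it correctly
PSQL -tA -v ON_ERROR_STOP=1 <<'EOF'
\set pw `cat '${config.sops.secrets.immichDbPasswordPg.path}'`
ALTER ROLE immich WITH PASSWORD :'pw';
EOF
```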
@@ -204,6 +204,7 @@
 monero.enable = true;
 grafana.enable = true;
 monitoring-exporters.enable = true;
+ immich.enable = true;
 
 backup-job = {
 enable = true;
diff --git a/secrets.enc.yml b/secrets.enc.yml
index b184c7e..dc756f6 100644
--- a/secrets.enc.yml
+++ b/secrets.enc.yml
@@ -20,6 +20,9 @@ nextcloud:
 roundcube:
 db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
 pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
+immich:
+ db_password: ENC[AES256_GCM,data:hIsMf271x+0jRgTJB4hP1ijEkly55pb5EPmQ2tQ7gsadMv+DiACK84bcIJR+erMcCTdsK5dLe/97+KqM,iv:ls5yQp3pwckCGY5IRuoSF2I/vlf9Fm5w4I26Go8UIjw=,tag:3+Unwrq3VSaEsrEZL0nZ9A==,type:str]
+ secrets_file: ENC[AES256_GCM,data:+dP8FSS1i0ZYc1vi2yuGup5ekI5OiswB19dl9BBEErWu4/Oc0lQqBzG8kg+7S78DhnUhW8zJONJm5vhriBVklNZpa0wr2oHs,iv:KYxZ5KtitI1QIRunrFQExj0chRddlSx39rJ5epa50oI=,tag:JJXbPHBQhHH2+yLvoQ5AHg==,type:str]
 murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str]
 transmission:
 rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str]
@@ -68,8 +71,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-12-10T00:50:13Z"
- mac: ENC[AES256_GCM,data:yM21T3BYoC9/jH9n7tdSK6Bgkw7n32SA17tKUoxZ7AgHuKDQRHdwGW1ujfGEBxo337uHdOaTW9mjjvMAy8KnrOQReipuM6yPKf8Fi8ptX+JXtxfg9QmcdjxMHX8vxpWHIFIkz4ScOQ2MSCwa3UXakhhpNJUssp31MMKlkpABOkA=,iv:2PwpgEGidQW2yiUg0qszf5FRw3f5wWM7vgydQL9dzGU=,tag:tRLFzeLNyrpDFVlBTjq2uQ==,type:str]
+ lastmodified: "2024-12-14T02:34:20Z"
+ mac: ENC[AES256_GCM,data:H1CKyLrN3RpzotFbPHS8rY8hEpySJ858d19B9veE3jrgJFeG2qsVmGsFwRiOyHqXGntvak6hP4lMsZFHl3XK21kduwgq0N10i9hpPvfa+L2Zifjtt7+7mVWsFJrCEZ1Ku963DAZL3nujeZKm4BNgbijD2N6bx1Oz1lW1AFO9VQo=,iv:j2cMWQ7L1dXG8BzYG0bHCtpXYJDb33oDMUXaFzsOvrg=,tag:+hny9nFCAcoa2zgmK+BYcw==,type:str]
 pgp:
 - created_at: "2024-12-05T00:56:17Z"
 enc: |-
@@ -172,4 +175,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 0f0c4c2f9877cb8a53efadacb90613a2af502673
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.2
diff --git a/terraform/dns.tf b/terraform/dns.tf
index cd037bf..86f3e94 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -165,6 +165,14 @@ resource "hetznerdns_record" "vtt_a" {
 ttl = 600
 }
 
+resource "hetznerdns_record" "photos_a" {
+ zone_id = data.hetznerdns_zone.banditlair_zone.id
+ name = "photos"
+ value = local.hel1_ip
+ type = "A"
+ ttl = 600
+}
+
 resource "hetznerdns_record" "monero_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "monero"