diff --git a/.sops.yaml b/.sops.yaml
index f689d0b..443c711 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -25,3 +25,7 @@ creation_rules:
 key_groups:
 - age:
 - *primary
+ - path_regex: secrets/blarm-immich.env
+ key_groups:
+ - age:
+ - *primary
diff --git a/modules/nixos/services/immich/default.nix b/modules/nixos/services/immich/default.nix
new file mode 100644
index 0000000..3e47702
--- /dev/null
+++ b/modules/nixos/services/immich/default.nix
@@ -0,0 +1,80 @@
+{
+ lib,
+ config,
+ namespace,
+ ...
+}:
+with lib;
+with lib.${namespace};
+let
+ cfg = config.${namespace}.services.immich;
+in
+{
+ options.${namespace}.services.immich = {
+ enable = mkBoolOpt false "Immich";
+
+ nginx = {
+ enable = mkEnableOption "Enable nginx for this service." // {
+ default = true;
+ };
+ };
+
+ domain = mkOption {
+ description = "The domain to serve Immich on.";
+ type = types.nullOr types.str;
+ default = "immich.stahl.sh";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2283;
+ description = "The port that Immich will listen on.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+
+ services.immich = {
+ enable = true;
+ mediaLocation = "/data/immich";
+ host = "0.0.0.0";
+ port = cfg.port;
+ secretsFile = "/run/secrets/immich";
+ redis.enable = true;
+ machine-learning.enable = true;
+ database = {
+ enable = true;
+ createDB = false;
+ };
+ };
+
+ services.postgresql.extensions = ps: with ps; [ pgvector ]; # Ensure pgvector is available
+
+ networking.firewall.allowedTCPPorts = mkIf cfg.nginx.enable [
+ cfg.port
+ 80
+ 443
+ ];
+
+ awesome-flake.services.acme.enable = mkIf cfg.nginx.enable true;
+
+ services.nginx = mkIf cfg.nginx.enable {
+ enable = true;
+
+ virtualHosts."${cfg.domain}" = {
+ forceSSL = true;
+ useACMEHost = "stahl.sh";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ sops.secrets.immich = {
+ format = "dotenv";
+ sopsFile = ../../../../secrets/blarm-immich.env;
+ };
+ };
+
+}
diff --git a/secrets/blarm-immich.env b/secrets/blarm-immich.env
new file mode 100644
index 0000000..f4c33ea
--- /dev/null
+++ b/secrets/blarm-immich.env
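Review bot: The firewall list under `networking.firewall.allowedTCPPorts` opens `cfg.port` (2283) next to 80/443 while Immich is bound to `host = "0.0.0.0"`, so the service stays reachable directly over plain HTTP even though nginx only ever talks to `127.0.0.1:${cfg.port}` and enforces `forceSSL`; the proxy's TLS is bypassed for anything that can reach that port. Since the local proxy is the only intended client on the nginx path, `host = "127.0.0.1";` together with dropping `cfg.port` from the list (leaving `[ 80 443 ]`) closes that gap. Two smaller points in the same hunk: `secretsFile = "/run/secrets/immich"` hard-codes the sops output location where `config.sops.secrets.immich.path` would follow whatever the sops module actually produces, and `domain` is declared `types.nullOr types.str` but is interpolated unconditionally in `virtualHosts."${cfg.domain}"`, so a null value fails evaluation instead of disabling the vhost.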
@@ -0,0 +1,6 @@
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOS9jWCt6QlFLZ1dQQ1ZO\ncGxzckdaK3VHSXBjaDZWeS9hd1dudU5YNm5NCk05ZEsyUEJoTi83c3J1OE91ODZs\nUDNRRG5VZm1LaUhRLy9UZSs3SDNwQlEKLS0tIFpyZXJIbFZWaUlDckdFRFdySEls\nSlg1dGN5VmEwcTZBWGZVQkt1b2V4ZDQKFYi1xQUv25PkuO9PU1HQ4Y3EahhDoFVj\n7rsuVpfxe6Ci3ezlOqbzbA5EFEZBXhnAqGzABwSAdp7k2UsDbhw3Tg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
+sops_lastmodified=2025-05-25T11:14:04Z
+sops_mac=ENC[AES256_GCM,data:aQwqX1QC4EKkRhl3wTvxW2fCn6r5EN4a4rqsBpIIlMO4ZnIanqyhpL4xigIA5el2hw1SCQnj1v07FBt1g1qEPx6yGy7XPTufwXpMTwkm/gTYvRV7wyYs48QAU9c3h6+6ffQzpxvR8gijRzdsvYqKfYXc7dPq1hXrDFMy7e1hDkI=,iv:gDEuGnpJ9PQh3NFFqQzSoV8OAMgZhyXD364UbQkPWv4=,tag:vYyuDR7MYy1OFYDEBwm1hA==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2
diff --git a/systems/x86_64-linux/blarm/default.nix b/systems/x86_64-linux/blarm/default.nix
index 3c35668..7bca4a4 100644
--- a/systems/x86_64-linux/blarm/default.nix
+++ b/systems/x86_64-linux/blarm/default.nix
@@ -59,6 +59,7 @@ with lib.${namespace};
 linkwarden = enabled;
 forgejo = enabled;
 searxng = enabled;
+ immich = enabled;
 }; #container.invidious = enabled;
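Review bot: The new `secrets/blarm-immich.env` holds only the sops bookkeeping keys (`sops_age__list_0__map_enc`, `sops_mac`, `sops_version`, …) and no `NAME=ENC[...]` entries, so as committed it decrypts to an empty dotenv and the `secretsFile` the immich module points at `/run/secrets/immich` will carry nothing; if the values Immich expects are meant to live here they presumably land in a later commit, which is worth confirming before the host is enabled. The file is also encrypted to a single age recipient (`age132m0pg4…`, the `*primary` key that `.sops.yaml` now maps to this path), so losing that one key loses the secret — a second recipient or key group is the usual hedge.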