diff --git a/container-config/nginx-home/matrix b/container-config/nginx-home/matrix
index 30c1352..1b0cffa 100644
--- a/container-config/nginx-home/matrix
+++ b/container-config/nginx-home/matrix
@@ -2,10 +2,10 @@ server {
 server_name matrix.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
+ include snippets/headers.conf;
 location / {
 set $upstream home.server.home.arpa;
 proxy_pass http://$upstream:8005;
 include snippets/proxy.conf;
- proxy_hide_header Content-Security-Policy;
 }
 }
diff --git a/container-config/nginx-home/photos b/container-config/nginx-home/photos
new file mode 100644
index 0000000..8be0e24
--- /dev/null
+++ b/container-config/nginx-home/photos
@@ -0,0 +1,14 @@
+server {
+ server_name photos.strypsteen.com;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ include snippets/headers.conf;
+ location / {
+ set $upstream home.server.home.arpa;
+ proxy_pass http://$upstream:8006;
+ include snippets/proxy.conf;
+ proxy_http_version 1.1;
+ proxy_set_header Connection upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ }
+}
diff --git a/home/etc/containers/systemd/borgmatic.container.d/override.conf b/home/etc/containers/systemd/borgmatic.container.d/override.conf
index 74e8ad4..8f92d1e 100644
--- a/home/etc/containers/systemd/borgmatic.container.d/override.conf
+++ b/home/etc/containers/systemd/borgmatic.container.d/override.conf
@@ -1,3 +1,4 @@
 [Container]
+Network=immich.network
 Network=postgresql.network
 Secret=POSTGRES_PASSWORD,type=env
diff --git a/home/etc/containers/systemd/immich-ml.container b/home/etc/containers/systemd/immich-ml.container
new file mode 100644
index 0000000..b363579
--- /dev/null
+++ b/home/etc/containers/systemd/immich-ml.container
@@ -0,0 +1,7 @@
+[Container]
+Image=ghcr.io/immich-app/immich-machine-learning:release
+Network=immich.network
+Volume=immich-ml.volume:/cache:U,Z
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
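Review bot: In `container-config/nginx-home/matrix`, removing `proxy_hide_header Content-Security-Policy;` lets the upstream's own CSP reach the client, and the new `include snippets/headers.conf;` may add a second one. `snippets/headers.conf` is not part of this diff; if it sets a Content-Security-Policy with `add_header`, the browser receives two policies and enforces both, which can block resources that either policy alone would allow. It is also worth confirming that `snippets/proxy.conf` contains no `add_header`, because an `add_header` at location level stops the server-level ones from being inherited. A comment above the include, e.g. `# security headers; upstream CSP is passed through unchanged`, would record the intent.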
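Review bot: In `container-config/nginx-home/photos`, `proxy_set_header Connection upgrade;` is sent on every proxied request, not only on WebSocket handshakes. The usual form derives it from the client header: `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at http level and `proxy_set_header Connection $connection_upgrade;` in this location. No `client_max_body_size` is visible in the server block either; unless `snippets/proxy.conf` raises it, nginx's 1 MB default will reject most photo uploads.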
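Review bot: Adding `Network=immich.network` in `borgmatic.container.d/override.conf` puts the backup container on both `immich.network` and `postgresql.network`, so it becomes the one workload that can reach both database instances. It carries a single `Secret=POSTGRES_PASSWORD,type=env`, and `immich-postgresql.container` consumes the same secret name, which suggests both PostgreSQL instances share one password. A separate secret for the Immich database, with a matching entry here, would keep a leak of one credential from exposing the other. A comment such as `# immich.network: lets borgmatic reach immich-postgresql for dumps` (presumably the reason) would document why the second network is attached.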
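Review bot: In `immich-ml.container`, `Image=ghcr.io/immich-app/immich-machine-learning:release` combined with `AutoUpdate=registry` means whatever is next pushed under that mutable tag is pulled and run without review. The same applies to `immich.container` (`immich-server:release`) and to `immich-valkey.container`, whose `cgr.dev/chainguard/valkey` has no tag at all; `immich-postgresql.container` uses a version tag but still follows it automatically. Pinning a version tag or a digest, e.g. `Image=ghcr.io/immich-app/immich-machine-learning@sha256:<digest>` (placeholder), and updating deliberately keeps the server and machine-learning images on the same release and leaves a known state to roll back to.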
diff --git a/home/etc/containers/systemd/immich-ml.volume b/home/etc/containers/systemd/immich-ml.volume
new file mode 100644
index 0000000..e69de29
diff --git a/home/etc/containers/systemd/immich-postgresql.container b/home/etc/containers/systemd/immich-postgresql.container
new file mode 100644
index 0000000..1e6a8a9
--- /dev/null
+++ b/home/etc/containers/systemd/immich-postgresql.container
@@ -0,0 +1,8 @@
+[Container]
+Image=docker.io/tensorchord/pgvecto-rs:pg16-v0.3.0
+Network=immich.network
+Volume=immich-postgresql.volume:/var/lib/postgresql/data:U,Z
+Secret=POSTGRES_PASSWORD,type=env
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
diff --git a/home/etc/containers/systemd/immich-postgresql.volume b/home/etc/containers/systemd/immich-postgresql.volume
new file mode 100644
index 0000000..e69de29
diff --git a/home/etc/containers/systemd/immich-valkey.container b/home/etc/containers/systemd/immich-valkey.container
new file mode 100644
index 0000000..c9fed46
--- /dev/null
+++ b/home/etc/containers/systemd/immich-valkey.container
@@ -0,0 +1,7 @@
+[Container]
+Image=cgr.dev/chainguard/valkey
+Network=immich.network
+Volume=immich-valkey.volume:/data:U,Z
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
diff --git a/home/etc/containers/systemd/immich-valkey.volume b/home/etc/containers/systemd/immich-valkey.volume
new file mode 100644
index 0000000..e69de29
diff --git a/home/etc/containers/systemd/immich.container b/home/etc/containers/systemd/immich.container
new file mode 100644
index 0000000..dad2dc0
--- /dev/null
+++ b/home/etc/containers/systemd/immich.container
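Review bot: `immich-postgresql.container` sets only `POSTGRES_PASSWORD`, while `immich.container` connects with `DB_USERNAME=immich`. Assuming this image keeps the official postgres entrypoint, a fresh volume is initialised with only the default `postgres` superuser, so the `immich` role would have to be created by hand before the server can log in. If that is not done elsewhere, adding `Environment=POSTGRES_USER=immich` and `Environment=POSTGRES_DB=immich` makes a new volume come up usable without manual steps.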
@@ -0,0 +1,15 @@
+[Unit]
+Requires=immich-ml.service immich-postgresql.service immich-valkey.service
+After=immich-ml.service immich-postgresql.service immich-valkey.service
+[Container]
+Image=ghcr.io/immich-app/immich-server:release
+Network=immich.network
+Volume=immich.volume:/usr/src/app/upload:U,Z
+Environment=DB_HOSTNAME=systemd-immich-postgresql
+Environment=DB_USERNAME=immich
+Environment=REDIS_HOSTNAME=systemd-immich-valkey
+Secret=DB_PASSWORD,type=env
+PublishPort=10.0.1.2:8006:2283
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target
diff --git a/home/etc/containers/systemd/immich.network b/home/etc/containers/systemd/immich.network
new file mode 100644
index 0000000..75d15e6
--- /dev/null
+++ b/home/etc/containers/systemd/immich.network
@@ -0,0 +1,3 @@
+[Network]
+IPv6=true
+Options=isolate=true
diff --git a/home/etc/containers/systemd/immich.volume b/home/etc/containers/systemd/immich.volume
new file mode 100644
index 0000000..e69de29
diff --git a/setup-qubes-fedora.sh b/setup-qubes-fedora.sh
index 2058681..022d718 100644
--- a/setup-qubes-fedora.sh
+++ b/setup-qubes-fedora.sh
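Review bot: `Secret=DB_PASSWORD,type=env` in `immich.container` is a different podman secret from the `POSTGRES_PASSWORD` that `immich-postgresql.container` reads, so the two have to be created by hand with matching values or the server cannot authenticate. A comment next to the line, e.g. `# must equal the POSTGRES_PASSWORD secret used by immich-postgresql`, would save a failed first start. The container also runs with default privileges; `NoNewPrivileges=true` is a low-risk addition for a service that only listens on the unprivileged port 2283.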
@@ -3,7 +3,9 @@ set -euo pipefail
 cp -R desktop/* qubes-fedora/* /
 dnf config-manager setopt qubes-vm-r4.2-security-testing.enabled=true
 dnf config-manager setopt qubes-vm-r4.2-current-testing.enabled=true
-dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote ffmpeg-free file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp
+dnf config-manager setopt rpmfusion-free.enabled=true
+dnf config-manager setopt rpmfusion-free-updates.enabled=true
+dnf install --allowerasing bash-color-prompt bash-completion borgbackup bind-utils butane default-fonts fcitx5-anthy fcitx5-autostart fedora-flathub-remote ffmpeg file-roller fuse-sshfs gcc gcc-gdb-plugin glibc-all-langpacks helm htop kubernetes-client nautilus netcat nodejs-npm pipx qubes-ctap ShellCheck toolbox wireguard-tools whois xdg-desktop-portal-gtk yt-dlp
 dnf remove cheese evolution-data-server firefox gnome-software gnome-weather PackageKit-command-not-found rpmfusion-nonfree-release thunderbird totem
 sh setup-desktop.sh
 all_proxy=127.0.0.1:8082 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
diff --git a/setup-vyos.sh b/setup-vyos.sh
index f60c238..1e7c10f 100644
--- a/setup-vyos.sh
+++ b/setup-vyos.sh
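Review bot: In `setup-qubes-fedora.sh`, `dnf config-manager setopt rpmfusion-free.enabled=true` and the `rpmfusion-free-updates` line turn the repositories on permanently, so every later update in this template also trusts RPM Fusion, not just the one `ffmpeg` install. The script gives no reason for the switch from `ffmpeg-free`; a comment such as `# full ffmpeg is only packaged in RPM Fusion (free)` above the two lines would help. Because the install line uses `--allowerasing`, packages from the newly enabled repos can also replace Fedora ones, so the transaction summary deserves one careful read after this change.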
@@ -13,6 +13,7 @@ set system static-host-mapping host-name home.strypsteen.com alias metrics.stryp
 set system static-host-mapping host-name home.strypsteen.com alias monitoring.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias network.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias office.strypsteen.com
+set system static-host-mapping host-name home.strypsteen.com alias photos.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias remote-desktop.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias vault.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias xmr.strypsteen.com