diff --git a/flake.nix b/flake.nix
index 89b48a0..109b785 100644
--- a/flake.nix
+++ b/flake.nix
@@ -209,6 +209,7 @@
 sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
 headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
 borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
+ photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
 syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
 syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
 };
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 42a46a3..5206ae9 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -116,6 +116,16 @@ in
 subnetCIDR = myData.subnets.tailscale.cidr;
 };

+ photoprism = {
+ enable = true;
+ uidgid = myData.uidgid.photoprism;
+ paths = {
+ "M-Camera" = "/home/motiejus/annex2/M-Active";
+ "Pictures" = "/home/motiejus/annex2/Pictures";
+ };
+ passwordFile = config.age.secrets.photoprism-admin-passwd.path;
+ };
+
 btrfsborg = {
 enable = true;
 passwordPath = config.age.secrets.borgbackup-password.path;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index fa78476..4d35b5f 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -13,6 +13,7 @@
 ./matrix-synapse
 ./node_exporter
 ./nsd-acme
+ ./photoprism
 ./postfix
 ./remote-builder
 ./sshguard
diff --git a/modules/services/photoprism/default.nix b/modules/services/photoprism/default.nix
new file mode 100644
index 0000000..48faa65
--- /dev/null
+++ b/modules/services/photoprism/default.nix
@@ -0,0 +1,34 @@
+{ config, lib, ... }:
+let
+ cfg = config.mj.services.photoprism;
+in
+{
+ options.mj.services.photoprism = with lib.types; {
+ enable = lib.mkEnableOption "enable photoprism";
+ uidgid = lib.mkOption { type = int; };
+ paths = lib.mkOption { type = attrsOf str; };
+ passwordFile = lib.mkOption { type = str; };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.photoprism = {
+ enable = true;
+ originalsPath = "/data";
+ passwordFile = cfg.passwordFile;
+ };
+
+ systemd.services.photoprism.serviceConfig = {
+ ProtectHome = lib.mkForce "tmpfs";
+ BindPaths = lib.mapAttrsToList (name: srcpath: "${srcpath}:/data/${name}") cfg.paths;
+ };
+
+ users = {
+ groups.photoprism.gid = cfg.uidgid;
+ users.photoprism = {
+ group = "photoprism";
+ uid = cfg.uidgid;
+ };
+ };
+ };
+
+}
diff --git a/secrets.nix b/secrets.nix
index a933728..e72b995 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -35,7 +35,6 @@ in
 "secrets/grafana.jakstys.lt/oidc.age"
 "secrets/letsencrypt/account.key.age"
 "secrets/vaultwarden/secrets.env.age"
- "secrets/photoprism/admin_password.age"
 "secrets/synapse/jakstys_lt_signing_key.age"
 "secrets/synapse/registration_shared_secret.age"

@@ -52,13 +51,19 @@ in
 "secrets/mtworx/syncthing/key.pem.age"
 "secrets/mtworx/syncthing/cert.pem.age"
 ]
-// mk (
- [
- fwminex
- vno1-oh2
- ]
- ++ motiejus
-) [ "secrets/headscale/oidc_client_secret2.age" ]
+//
+ mk
+ (
+ [
+ fwminex
+ vno1-oh2
+ ]
+ ++ motiejus
+ )
+ [
+ "secrets/headscale/oidc_client_secret2.age"
+ "secrets/photoprism/admin_password.age"
+ ]
 // mk ([ fwminex ] ++ motiejus) [
 "secrets/motiejus_server_passwd_hash.age"
 "secrets/root_server_passwd_hash.age"
diff --git a/secrets/photoprism/admin_password.age b/secrets/photoprism/admin_password.age
index e4ac079..05e1edd 100644
--- a/secrets/photoprism/admin_password.age
+++ b/secrets/photoprism/admin_password.age
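Review bot: In modules/services/photoprism/default.nix, `BindPaths` mounts every entry of `cfg.paths` read-write into the unit's namespace, so the photoprism process can modify or delete the originals under /home/motiejus/annex2 that hosts/fwminex/configuration.nix passes in. If the library is only meant to be indexed and browsed, `BindReadOnlyPaths = lib.mapAttrsToList (name: srcpath: "${srcpath}:/data/${name}") cfg.paths;` limits what a compromise of the service can touch while keeping `ProtectHome = "tmpfs"` as is; PhotoPrism would then have to run in its read-only mode (presumably `PHOTOPRISM_READONLY` through `services.photoprism.settings`, to be confirmed against the upstream module). The attribute names of `paths` are interpolated into the `source:destination` string unchecked, so a name containing `:` or whitespace changes how systemd parses the entry. A `description` on the `paths` option stating that constraint, for example `description = "Map of directory name under /data to host source path; names must not contain ':' or whitespace.";`, would document it.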
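Review bot: The second secrets.nix hunk places `"secrets/photoprism/admin_password.age"` in the recipient set `[ fwminex vno1-oh2 ] ++ motiejus`, yet within this diff only hosts/fwminex/configuration.nix consumes the secret, so vno1-oh2 can decrypt an admin password it may not need. If photoprism no longer runs on vno1-oh2 (not visible here), adding the path to the existing `mk ([ fwminex ] ++ motiejus) [ ... ]` list that follows in the same hunk would narrow the recipients to the one host that uses it. Earlier ciphertexts remain decryptable by their previous recipients through the repository history, so the password itself should be rotated whenever a recipient is dropped. The re-indentation of the `mk (...)` expression in the same hunk is formatting churn that makes the one-line recipient change harder to spot in review.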
@@ -1,13 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 gJrHQg J4jt86oFW6/8u/gNy+h5kOjF4pZXkbkXoimTHxH58E4 -P8UA4DwfPL/MbCSmQkbrThnREius58hAZviwmpHRKOs --> X25519 D+CpN17IlppGLn2W2SIc88p2Wmwx2jgsPI3Z3SKR5lA -4U4xal+3615teXDDM4QJSTTnvJdswvXkiLacHIykPyE --> X25519 nI451keJ6bNMwKI7EcptuTx0nprixcK08e5CTN3VyWQ -VPnDvaB+9l1kVbsVS6i8vc9qBD58FAmoTR632pdwAvQ --> piv-p256 +y2G/w AvvF24onxbHGbZBUqOjmqqUb7RULMVtDpi8xgRZExElJ -SIoPHQZO52yN+AB5a7OzmYdxp9Wyd974gjQDR0REtcE --> piv-p256 jNqd3A An1S6Ckmap7jCI2x4u9qi7TPKodv0U1P2CUOj+Ea3vWB -iNeGD/XbubkzYuBrNmI725O4CFa6vLD8nTahQivT8xU ---- svZOvg6nshQpjaikx4U+6Y+fyCEp/twchG3q0Zy1QZc -e_ ehTZ$ZztȀbqȨ$(2%7h!fW \ No newline at end of file +-> ssh-ed25519 fqSa6A Dxw4Yb/C9PzMgO49smrCkVaP+YESYBfS64Ii1IfXgg8 +uuQOMSaVjc/K5qAZ1+5TxCwjseOjAxbEqUUCRCvPYwU +-> ssh-ed25519 gJrHQg bBclusEL1MmrdLac7r2LPjcaCHIYINijeYplX06R5Rw ++GJmZL97TKRRjuo3pnTNWNdrCESes6yhcVRdsppWbf4 +-> X25519 P2aYdVsDhHO6ccVnZltF5tDp4tjrEYcH0JRZVvYD8VE +KGKzzAAOSVGLBSSEXwuPpdCdOSmLOmdssBpSqDKnu6Q +-> X25519 1fk/pqQ7ATDWcL7xQAwJUmpqvVKdMkxoCj0v7UUsHhM +BLl3AeOiReWRJsREfsyVHzC5I1khh7UtzpMVV2+R8yg +-> piv-p256 +y2G/w Aow8xYmpm6//miZjz+Ds9BdDoYJSu+AXGGeTNR+y2bbu +p3mBLi7ALbi77RpdbhwktlfdVmZl3mtMMiWcZKU8ioM +-> piv-p256 jNqd3A AkGJxdX+jt55MDeKs6SAwxEjzRSGTTResWirSv6MnBxb +GRTr75vpAWtd5zePgJ1tLdW/g43oZte0ywj4qJcjqvY +--- bYkldM1/bQCq4iDpgxIr1ueqfFXhKlLh27l0ZCq/KYw +6PGn@3?(ۼ5p~fBpBd= \ No newline at end of file