diff --git a/lib/constants.nix b/lib/constants.nix
index 47e1726..a555009 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -12,6 +12,7 @@ rec {
 atticd = 403;
 kea = 404;
 keepalived_script = 405;
+ photoprism = 406;
 };
 gids = {
 matrix-syncv3 = 400;
@@ -20,6 +21,7 @@ rec {
 atticd = 403;
 kea = 404;
 keepalived_script = 405;
+ photoprism = 406;
 };
 };
diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
index 90ed3ca..fa2385e 100644
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -1,6 +1,8 @@
 { lib, ... }:
 let
+ inherit (lib) concatStringsSep;
 inherit (lib.my) net;
+ inherit (lib.my.c) pubDomain;
 inherit (lib.my.c.colony) domain prefixes;
 in
 {
@@ -35,6 +37,9 @@ in
 secrets = {
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUv1ntVrZv5ripsKpcOAnyDQX2PHjowzyhqWK10Ml53";
+ files = {
+ "jackflix/photoprism-pass.txt" = {};
+ };
 };
 };
@@ -50,10 +55,16 @@ in
 uid = uids.jellyseerr;
 group = "jellyseerr";
 };
+ photoprism = {
+ isSystemUser = true;
+ uid = uids.photoprism;
+ group = "photoprism";
+ };
 };
 groups = {
 media.gid = 2000;
 jellyseerr.gid = gids.jellyseerr;
+ photoprism.gid = gids.photoprism;
 };
 };
@@ -76,6 +87,10 @@ in
 RootDirectoryStartOnly = lib.mkForce false;
 RootDirectory = lib.mkForce "";
 };
+ photoprism.serviceConfig = {
+ # Needs to be able to access its data
+ DynamicUser = mkForce false;
+ };
 };
 };
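Review bot: `DynamicUser = mkForce false;` in the `@@ -76,6 +87,10 @@` hunk uses a bare `mkForce`, while the two context lines just above it write `lib.mkForce` and the top-level `let` shown in this file's first hunk inherits only `concatStringsSep` from `lib`. Unless an inner `let` outside the hunk brings `mkForce` into scope, evaluation fails on an undefined variable; `DynamicUser = lib.mkForce false;` would match the neighbouring overrides. Turning DynamicUser off also removes the sandboxing settings systemd implies with it, so the unit's remaining hardening is worth confirming with `systemd-analyze security photoprism.service`. The enclosing services block starts and ends outside the hunk.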
@@ -117,6 +132,24 @@ in
 };
 jellyfin.enable = true;
+
+ photoprism = {
+ enable = true;
+ address = "[::]";
+ port = 2342;
+ originalsPath = "/mnt/media/photoprism/originals";
+ importPath = "/mnt/media/photoprism/import";
+ passwordFile = config.age.secrets."jackflix/photoprism-pass.txt".path;
+ settings = {
+ PHOTOPRISM_AUTH_MODE = "password";
+ PHOTOPRISM_ADMIN_USER = "dev";
+ PHOTOPRISM_APP_NAME = "/dev/player0 Photos";
+ PHOTOPRISM_SITE_URL = "https://photos.${pubDomain}/";
+ PHOTOPRISM_SITE_TITLE = "/dev/player0 Photos";
+ PHOTOPRISM_TRUSTED_PROXY = concatStringsSep "," (with prefixes.ctrs; [ v4 v6 ]);
+ PHOTOPRISM_DATABASE_DRIVER = "sqlite";
+ };
+ };
 };
 };
 };
diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
index a6c7771..dbd7029 100644
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
@@ -37,7 +37,7 @@ in
 tcp dport ${toString transmissionPeerPort} accept
 iifname vpn return
- tcp dport { 19999, 9091, 9117, 7878, 8989, 8096 } accept
+ tcp dport { 19999, 9091, 9117, 7878, 8989, 8096, 2342 } accept
 return
 }
 chain input {
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index 2d3a2c0..3e251ed 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -388,6 +388,14 @@ in
 locations."/".proxyPass = "http://object-ctr.${domain}:8088";
 useACMEHost = pubDomain;
 };
+ "photos.${pubDomain}" = {
+ locations."/" = {
+ proxyPass = "http://jackflix-ctr.${domain}:2342";
+ proxyWebsockets = true;
+ extraConfig = proxyHeaders;
+ };
+ useACMEHost = pubDomain;
+ };
 };
 minio =
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index cd1f2d2..367ac40 100644
--- a/nixos/modules/tmproot.nix
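Review bot: `PHOTOPRISM_TRUSTED_PROXY` is set to the whole `prefixes.ctrs` v4 and v6 ranges, so every container in those prefixes is trusted to supply proxy headers, not only the nginx instance in middleman that actually fronts the service. Together with `address = "[::]"` and the networking.nix hunk that adds 2342 to the accepted TCP ports, any peer that chain admits can talk to PhotoPrism over plain HTTP and present a forwarded client address of its choosing, which weakens login audit records and any per-address throttling. Narrowing the value to the reverse proxy's own addresses would close that; if the broad range is intentional, a comment such as `# whole ctrs range trusted: proxy address is not pinned` would record the decision. The nftables chain and the surrounding services block both start outside their hunks, so the real exposure should be checked against the full files.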
+++ b/nixos/modules/tmproot.nix
@@ -496,6 +496,16 @@ in
 (mkIf (config.services ? "wastebin" && config.services.wastebin.enable) {
 my.tmproot.persistence.config.directories = [ "/var/lib/private/wastebin" ];
 })
+ (mkIf config.services.photoprism.enable {
+ my.tmproot.persistence.config.directories = [
+ {
+ directory = config.services.photoprism.storagePath;
+ mode = "0750";
+ user = "photoprism";
+ group = "photoprism";
+ }
+ ];
+ })
 ]))
 ]);
diff --git a/secrets/jackflix/photoprism-pass.txt.age b/secrets/jackflix/photoprism-pass.txt.age
new file mode 100644
index 0000000..ba00df7
--- /dev/null
+++ b/secrets/jackflix/photoprism-pass.txt.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGhNYTRudyBGWFZS
+Umg0Zm44TlY2djBaSUNuRGdRSTFob290aHJ2a0xnL2ZXSE9qUndNCnBJUVNUcEpF
+M3F6UUYzanlENmM1Wm11WHllRzVyc1hEemtpT010ZjdKcFUKLT4gWDI1NTE5IHJV
+KzdZUm5HUldPdlBHcFd1L2lEMy84ZVBqL1BoRUdlTjVMMjQ0U0dmMUUKeXFDejl5
+TW5sVkJoQzFZb0R5MStoOFJKbUluN3gvTXBmd2E0MmR1ZHgxTQotPiB9SC1ncmVh
+c2UgbyBKbWN2WE1kCjdESDIwMkN4NXpxU3A1cnJLamRoUUpSN2x6U2VPaEhNODdn
+c05uSHBOQ0Q0a2FpY2RQc1hvUFVMZlJqdm53WjAKRGlvN1JjUnd2RWp2ZzN0Z3pv
+RVozT1lueWZhck40T1VMMkd5TjZOclFhamU5NjgKLS0tIFcvemlDZ1B5d1h4cHJI
+ejNuRFRERk5vU1BKbzZkUEtKSlk3K2NxTzFUQ1EK8tR8pcagaUMue5Rjz2BLNbU4
+8SL2h7FsScBnIHka3122jwjgxviwH7T0YfgHpZCf+yLwVg==
+-----END AGE ENCRYPTED FILE-----
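Review bot: The persisted directory entry in the tmproot.nix hunk hard-codes `user = "photoprism"` and `group = "photoprism"`, but this shared module does not create that account; in this commit it exists only because jackflix/default.nix defines it and forces `DynamicUser` off. If the upstream unit otherwise runs with a dynamic user and a systemd-managed state directory (presumably, given the override), a host that enables photoprism without those two pieces would persist the wrong path under an owner that does not exist. Unlike the wastebin entry just above, the condition also omits the `config.services ? "..."` guard, which may or may not matter for the nixpkgs versions this repo targets. A comment such as `# requires a static photoprism user and DynamicUser = false on the host` would record the dependency. The enclosing list starts outside the hunk.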