diff --git a/configuration.nix b/configuration.nix
index e4e985d..e45365a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -62,14 +62,17 @@ in
     };
   };
 
-  # NOTE: for now, we use internal ports
   # TODO: switch to unixsockets if supported
   services.nginx = {
     enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
     recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    clientMaxBodySize = "500m";
   };
 
-    nix = {
+  nix = {
     settings = {
       trusted-users = [ "@wheel" "root" "nix-ssh" ];
       auto-optimise-store = true;
diff --git a/flake.lock b/flake.lock
index a439624..8c00a04 100644
--- a/flake.lock
+++ b/flake.lock
@@ -34,11 +34,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1728334376,
-        "narHash": "sha256-CTKEKPzD/j8FK6H4DO3EjyixZd3HHvgAgfnCwpGFP5c=",
+        "lastModified": 1730190761,
+        "narHash": "sha256-o5m5WzvY6cGIDupuOvjgNSS8AN6yP2iI9MtUC6q/uos=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "d39ee334984fcdae6244f5a8e6ab857479cbaefe",
+        "rev": "3979285062d6781525cded0f6c4ff92e71376b55",
         "type": "github"
       },
       "original": {
@@ -83,11 +83,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1728241625,
-        "narHash": "sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw=",
+        "lastModified": 1730531603,
+        "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c31898adf5a8ed202ce5bea9f347b1c6871f32d1",
+        "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
         "type": "github"
       },
       "original": {
diff --git a/photoprism.nix b/photoprism.nix
index 662bae9..088925b 100644
--- a/photoprism.nix
+++ b/photoprism.nix
@@ -1,28 +1,52 @@
-{ lib, modulesPath, ... }:
+{ lib, modulesPath, pkgs, ... }:
 
+let port = 2342;
+in
 {
   services.photoprism = {
     enable = true;
-    port = 2342;
+    port = port;
     settings = {
       PHOTOPRISM_DEFAULT_LOCALE = "fr";
       PHOTOPRISM_ADMIN_USERNAME = "admin";
       PHOHOPRISM_SITE_URL = "https://photoprism.cgiga.fr";
       PHOTOPRISM_SITE_CAPTION = "PhotoPrism";
+
+      # DB access config
+      PHOTOPRISM_DATABASE_DRIVER = "mysql";
+      PHOTOPRISM_DATABASE_NAME = "photoprism";
+      PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
+      PHOTOPRISM_DATABASE_USER = "photoprism";
     };
 
     originalsPath = "/data/photos";
-    #importPath = "/photoprism/imports";
 
     address = "localhost";
 
-    #passwordFile = "/passwords/photoprism";
+    #importPath = "/photoprism/imports";
+    passwordFile = "/passwords/photoprism";
+  };
+
+  services.mysql = {
+    enable = true;
+    dataDir = "/data/mysql";
+    package = pkgs.mariadb;
+    ensureDatabases = [ "photoprism" ];
+    ensureUsers = [{
+      name = "photoprism";
+      ensurePermissions = {
+        "photoprism.*" = "ALL PRIVILEGES";
+      };
+    }];
   };
 
   services.nginx.virtualHosts."photoprism.cgiga.fr" = {
     enableACME = true;
     forceSSL = true;
     serverAliases = [];
-    locations."/".proxyPass = "http://localhost:2342/";
+    locations."/" = {
+      proxyPass = "http://localhost:${toString port}/";
+      proxyWebsockets = true;
+    };
   };
 }