diff --git a/.secrets-baseline b/.secrets-baseline
index 36b2c85..75a7579 100644
--- a/.secrets-baseline
+++ b/.secrets-baseline
@@ -211,7 +211,17 @@
 "line_number": 159,
 "is_secret": false
 }
+ ],
+ "services/main.tf": [
+ {
+ "type": "Secret Keyword",
+ "filename": "services/main.tf",
+ "hashed_secret": "f84864c6bffa2e0843a4ab2abdca91df7995c462",
+ "is_verified": false,
+ "line_number": 168,
+ "is_secret": false
+ }
 ]
 },
- "generated_at": "2022-11-02T21:19:52Z"
+ "generated_at": "2022-11-10T21:36:17Z"
 }
diff --git a/ansible_playbooks/setup-cluster.yml b/ansible_playbooks/setup-cluster.yml
index 7d0497d..70d5b0d 100644
--- a/ansible_playbooks/setup-cluster.yml
+++ b/ansible_playbooks/setup-cluster.yml
@@ -262,6 +262,9 @@
 - name: gitea-data
 path: /srv/volumes/container/gitea
 read_only: false
+ - name: photoprism-media
+ path: /srv/volumes/media-write/Photoprism
+ read_only: false
 - name: all-volumes
 path: /srv/volumes
 owner: "root"
diff --git a/databases/mysql.tf b/databases/mysql.tf
index 591783e..2c63ab0 100644
--- a/databases/mysql.tf
+++ b/databases/mysql.tf
@@ -48,6 +48,12 @@ resource "consul_config_entry" "mysql_intents" {
 Precedence = 9
 Type = "consul"
 },
+ {
+ Action = "allow"
+ Name = "photoprism"
+ Precedence = 9
+ Type = "consul"
+ },
 ]
 })
 }
diff --git a/services/.terraform.lock.hcl b/services/.terraform.lock.hcl
index 4bcdaad..93b826b 100644
--- a/services/.terraform.lock.hcl
+++ b/services/.terraform.lock.hcl
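Review bot: The `photoprism-media` entry added in ansible_playbooks/setup-cluster.yml exposes `/srv/volumes/media-write/Photoprism` writable (`read_only: false`) without recording who is expected to own it, while the job added in services/main.tf writes there as UID 500 / GID 100 with `PHOTOPRISM_UMASK = 0000`, which would leave newly created files and directories world-writable. A comment on the entry such as `# written by the photoprism task as 500:100; directory should not be world-writable` would make the expectation explicit, and a tighter umask in the job (for example `0007`, if owner and group access is enough) would enforce it. The volume list starts and ends outside this hunk, so whether the playbook sets ownership elsewhere is not visible here; only `owner: "root"` on `all-volumes` can be seen.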
@@ -20,6 +20,25 @@ provider "registry.terraform.io/hashicorp/consul" { ] } +provider "registry.terraform.io/hashicorp/external" { + version = "2.2.3" + hashes = [ + "h1:uvOYRWcVIqOZSl8YjjaB18yZFz1AWIt2CnK7O45rckg=", + "zh:184ecd339d764de845db0e5b8a9c87893dcd0c9d822167f73658f89d80ec31c9", + "zh:2661eaca31d17d6bbb18a8f673bbfe3fe1b9b7326e60d0ceb302017003274e3c", + "zh:2c0a180f6d1fc2ba6e03f7dfc5f73b617e45408681f75bca75aa82f3796df0e4", + "zh:4b92ae44c6baef4c4952c47be00541055cb5280dd3bc8031dba5a1b2ee982387", + "zh:5641694d5daf3893d7ea90be03b6fa575211a08814ffe70998d5adb8b59cdc0a", + "zh:5bd55a2be8a1c20d732ac9c604b839e1cadc8c49006315dffa4d709b6874df32", + "zh:6e0ef5d11e1597202424b7d69b9da7b881494c9b13a3d4026fc47012dc651c79", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9e19f89fa25004d3b926a8d15ea630b4bde62f1fa4ed5e11a3d27aabddb77353", + "zh:b763efdd69fd097616b4a4c89cf333b4cee9699ac6432d73d2756f8335d1213f", + "zh:e3b561efdee510b2b445f76a52a902c52bee8e13095e7f4bed7c80f10f8d294a", + "zh:fe660bb8781ee043a093b9a20e53069974475dcaa5791a1f45fd03c61a26478a", + ] +} + provider "registry.terraform.io/hashicorp/nomad" { version = "1.4.19" hashes = [ diff --git a/services/main.tf b/services/main.tf index 51d80b5..c264926 100644 --- a/services/main.tf +++ b/services/main.tf 
@@ -107,3 +107,84 @@ resource "consul_config_entry" "nzbget_intents" { # ]) # } # } + +module "photoprism" { + source = "IamTheFij/levant/nomad" + version = "0.1.0" + + template_path = "service.nomad" + variables = { + name = "photoprism" + image = "photoprism/photoprism:latest" + ingress = true + service_port = 2342 + sticky_disk = true + healthcheck = "/library/login" + env = jsonencode({ + PHOTOPRISM_DETECT_NSFW = "false" # automatically flags photos as private that MAY be offensive (requires TensorFlow) + PHOTOPRISM_DISABLE_CHOWN = "false" # disables updating storage permissions via chmod and chown on startup + PHOTOPRISM_DISABLE_CLASSIFICATION = "false" # disables image classification (requires TensorFlow) + PHOTOPRISM_DISABLE_FACES = "false" # disables face detection and recognition (requires TensorFlow) + PHOTOPRISM_DISABLE_RAW = "false" # disables indexing and conversion of RAW files + PHOTOPRISM_DISABLE_SETTINGS = "false" # disables settings UI and API + PHOTOPRISM_DISABLE_TENSORFLOW = "false" # disables all features depending on TensorFlow + PHOTOPRISM_DISABLE_WEBDAV = "false" # disables built-in WebDAV server + PHOTOPRISM_EXPERIMENTAL = "false" # enables experimental features + PHOTOPRISM_HTTP_COMPRESSION = "gzip" # improves transfer speed and bandwidth utilization (none or gzip) + PHOTOPRISM_JPEG_QUALITY = 85 # a higher value increases the quality and file size of JPEG images and thumbnails (25-100) + PHOTOPRISM_LOG_LEVEL = "info" # log level: trace, debug, info, warning, error, fatal, or panic + PHOTOPRISM_ORIGINALS_LIMIT = 5000 # file size limit for originals in MB (increase for high-res video) + PHOTOPRISM_RAW_PRESETS = "false" # enables applying user presets when converting RAW files (reduces performance) + PHOTOPRISM_READONLY = "false" # do not modify originals directory (reduced functionality) + PHOTOPRISM_SITE_AUTHOR = "" # meta site author + PHOTOPRISM_SITE_CAPTION = "AI-Powered Photos App" + PHOTOPRISM_SITE_DESCRIPTION = "" # meta site 
description + PHOTOPRISM_SITE_TITLE = "PhotoPrism" + PHOTOPRISM_SITE_URL = "http://localhost:2342/" # server URL in the format "http(s)://domain.name(:port)/(path)" + PHOTOPRISM_UPLOAD_NSFW = "true" # allows uploads that MAY be offensive (no effect without TensorFlow) + PHOTOPRISM_SPONSOR = "true" + # Paths + PHOTOPRISM_ORIGINALS_PATH = "/photoprism-media/Library" + PHOTOPRISM_IMPORT_PATH = "/photoprism-media/Import" + PHOTOPRISM_STORAGE_PATH = "$${NOMAD_TASK_DIR}/storage" # Storage PATH for generated files like cache and index + # Unix permissions + PHOTOPRISM_UID = 500 + PHOTOPRISM_GID = 100 + PHOTOPRISM_UMASK = 0000 + }) + mysql = true + vault = true + host_volumes = jsonencode([ + { + name = "photoprism-media" + dest = "/photoprism-media" + read_only = false + }, + ]) + mysql_bootstrap = jsonencode({ + vault_key = "kv/data/photoprism" + db_name_key = "db_name" + db_user_key = "db_user" + db_pass_key = "db_pass" + }) + templates = jsonencode([ + { + data = <