You have to set services.immich.host as it’s set to "localhost" by default".
I set it to "0.0.0.0" and locked it down via systemd hardening, but you could take another approach if you’re always going to connect to it via the tailnet. Possibly even use the immich-public-proxy options.
Also, remove tailscale from your systemPackages, the tailscale module already adds that and you really don’t want to define the same package twice in a package list.