immich

flake.lock

@@ -1231,11 +1231,11 @@
     },
     "nixpkgs_18": {
       "locked": {
-        "lastModified": 1768843991,
-        "narHash": "sha256-PVeXWVDWOuBB7ZmcxZxaXztvqV33ChfojMR3sczLnFg=",
+        "lastModified": 1769248673,
+        "narHash": "sha256-oyxrDiV2yFToXpzwiJUYkxCjFHvL21tMQ2BpQMyMDTw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7f0857c5a1bffd38d5694d0979f708fec368577a",
+        "rev": "c0301d62ba146fee37e79fbc4b6323af52a2834e",
         "type": "github"
       },
       "original": {
@@ -1821,11 +1821,11 @@
         "nixpkgs": "nixpkgs_18"
       },
       "locked": {
-        "lastModified": 1767655057,
-        "narHash": "sha256-gvDWxuDucrGsBxDF0iZeFcTqVbADMcWwK2nne6LKlLs=",
+        "lastModified": 1769256063,
+        "narHash": "sha256-fVFJ10YXPF8RfUuyL3OHOP6v0pzU78mTeKvlOCRCuuA=",
         "ref": "refs/heads/main",
-        "rev": "ea9c28258665f76042781a2b7b84ddf6d99a6e62",
-        "revCount": 6,
+        "rev": "179e0bf0028c929978a3fbe7f77a27b2254eeb18",
+        "revCount": 7,
         "type": "git",
         "url": "ssh://forgejo@git.donsz.nl/jana/server-secrets.git"
       },

hosts/fili/services/databases.nix

@@ -54,6 +54,10 @@
         name = "pocketid";
         ensureDBOwnership = true;
       }
+      {
+        name = "immich";
+        ensureDBOwnership = true;
+      }
     ];
     ensureDatabases = map (i: i.name) ensureUsers;
   };

hosts/fili/services/default.nix

@@ -6,6 +6,7 @@ _: {
     ./forgejo.nix
     ./obsidian-sync.nix
     ./metrics.nix
+    ./immich.nix
 
     ./factorio
     ./media

hosts/fili/services/immich.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  pkgs,
+  secrets,
+  ...
+}:
+{
+
+  users.groups.jellyfin = { };
+  users.users.immich = {
+    isSystemUser = true;
+    group = "immich";
+
+    extraGroups = [
+      "video"
+      "render"
+    ];
+  };
+
+  hardware.graphics = {
+    enable = true;
+
+    extraPackages = with pkgs; [
+      intel-ocl
+      intel-media-driver
+    ];
+  };
+
+  sops.secrets.immich-session-secret = {
+    sopsFile = "${secrets}/immich.yaml";
+    key = "client_secret";
+    format = "yaml";
+  };
+
+  services.nginx.virtualHosts."photos.donsz.nl" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString config.services.immich.port}";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+      extraConfig = ''
+        client_max_body_size 50000M;
+        proxy_read_timeout   600s;
+        proxy_send_timeout   600s;
+        send_timeout         600s;
+      '';
+    };
+  };
+
+  services.immich = {
+    enable = true;
+    port = 2283;
+
+    database = {
+      name = "immich";
+      createDB = false;
+      user = "postgres";
+      host = "localhost";
+      port = 5432;
+    };
+
+    secretsFile = toString (
+      pkgs.writeText "db-password" ''
+        DB_PASSWORD=immich
+      ''
+    );
+
+    settings = {
+      server.externalDomain = "https://photos.donsz.nl";
+      logging.level = "verbose";
+
+      oauth = {
+        enabled = true;
+
+        clientSecret._secret = config.sops.secrets.immich-session-secret.path;
+        autoLaunch = true;
+        autoRegister = true;
+        buttonText = "Log in";
+        clientId = "8fd9c066-2298-4991-ba24-7c41bd73192b";
+        issuerUrl = "https://auth.donsz.nl";
+        roleClaim = "immich_role";
+        scope = "openid email profile groups";
+        tokenEndpointAuthMethod = "client_secret_post";
+        # storageLabelClaim: "",
+        # "mobileOverrideEnabled": false,
+        # "mobileRedirectUri": "",
+
+      };
+    };
+    mediaLocation = "/storage/storage/media-server/photos";
+    accelerationDevices = [
+      "/dev/dri/renderD128"
+    ];
+  };
+}

programs/default.nix

@@ -35,6 +35,15 @@
     };
   };
 
+  custom.program.cli-packages = {
+    requirements = [ "cli" ];
+    home-config = _: {
+      home.packages = with pkgs; [
+        sops
+      ];
+    };
+  };
+
   custom.program.homedirs = {
     home-config =
       { config, ... }: