diff --git a/flake.lock b/flake.lock index adbf8b7..99101de 100644 --- a/flake.lock +++ b/flake.lock @@ -1231,11 +1231,11 @@ }, "nixpkgs_18": { "locked": { - "lastModified": 1768843991, - "narHash": "sha256-PVeXWVDWOuBB7ZmcxZxaXztvqV33ChfojMR3sczLnFg=", + "lastModified": 1769248673, + "narHash": "sha256-oyxrDiV2yFToXpzwiJUYkxCjFHvL21tMQ2BpQMyMDTw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f0857c5a1bffd38d5694d0979f708fec368577a", + "rev": "c0301d62ba146fee37e79fbc4b6323af52a2834e", "type": "github" }, "original": { @@ -1821,11 +1821,11 @@ "nixpkgs": "nixpkgs_18" }, "locked": { - "lastModified": 1767655057, - "narHash": "sha256-gvDWxuDucrGsBxDF0iZeFcTqVbADMcWwK2nne6LKlLs=", + "lastModified": 1769256063, + "narHash": "sha256-fVFJ10YXPF8RfUuyL3OHOP6v0pzU78mTeKvlOCRCuuA=", "ref": "refs/heads/main", - "rev": "ea9c28258665f76042781a2b7b84ddf6d99a6e62", - "revCount": 6, + "rev": "179e0bf0028c929978a3fbe7f77a27b2254eeb18", + "revCount": 7, "type": "git", "url": "ssh://forgejo@git.donsz.nl/jana/server-secrets.git" }, diff --git a/hosts/fili/services/databases.nix b/hosts/fili/services/databases.nix index 1487022..2e75d8e 100644 --- a/hosts/fili/services/databases.nix +++ b/hosts/fili/services/databases.nix @@ -54,6 +54,10 @@ name = "pocketid"; ensureDBOwnership = true; } + { + name = "immich"; + ensureDBOwnership = true; + } ]; ensureDatabases = map (i: i.name) ensureUsers; }; diff --git a/hosts/fili/services/default.nix b/hosts/fili/services/default.nix index e6c99be..39f6075 100644 --- a/hosts/fili/services/default.nix +++ b/hosts/fili/services/default.nix @@ -6,6 +6,7 @@ _: { ./forgejo.nix ./obsidian-sync.nix ./metrics.nix + ./immich.nix ./factorio ./media diff --git a/hosts/fili/services/immich.nix b/hosts/fili/services/immich.nix new file mode 100644 index 0000000..a75bf07 --- /dev/null +++ b/hosts/fili/services/immich.nix 
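Review bot: The `immich` role this entry creates with `ensureDBOwnership` is not the role the new service connects as: `hosts/fili/services/immich.nix` in the same commit sets `database.user = "postgres"`, so the owned `immich` database will be reached as the superuser and this role goes unused. Setting `user = "immich";` under `services.immich.database` makes the two agree and keeps the service off the superuser account. Note that `ensureUsers` only creates the role; if password auth applies to the `localhost:5432` connection immich.nix uses, the role still needs a password provisioned (presumably from sops, but that is not in this commit). The enclosing `ensureUsers` list starts before the hunk.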
@@ -0,0 +1,96 @@
+{
+ config,
+ pkgs,
+ secrets,
+ ...
+}:
+{
+
+ users.groups.jellyfin = { };
+ users.users.immich = {
+ isSystemUser = true;
+ group = "immich";
+
+ extraGroups = [
+ "video"
+ "render"
+ ];
+ };
+
+ hardware.graphics = {
+ enable = true;
+
+ extraPackages = with pkgs; [
+ intel-ocl
+ intel-media-driver
+ ];
+ };
+
+ sops.secrets.immich-session-secret = {
+ sopsFile = "${secrets}/immich.yaml";
+ key = "client_secret";
+ format = "yaml";
+ };
+
+ services.nginx.virtualHosts."photos.donsz.nl" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+ };
+
+ services.immich = {
+ enable = true;
+ port = 2283;
+
+ database = {
+ name = "immich";
+ createDB = false;
+ user = "postgres";
+ host = "localhost";
+ port = 5432;
+ };
+
+ secretsFile = toString (
+ pkgs.writeText "db-password" ''
+ DB_PASSWORD=immich
+ ''
+ );
+
+ settings = {
+ server.externalDomain = "https://photos.donsz.nl";
+ logging.level = "verbose";
+
+ oauth = {
+ enabled = true;
+
+ clientSecret._secret = config.sops.secrets.immich-session-secret.path;
+ autoLaunch = true;
+ autoRegister = true;
+ buttonText = "Log in";
+ clientId = "8fd9c066-2298-4991-ba24-7c41bd73192b";
+ issuerUrl = "https://auth.donsz.nl";
+ roleClaim = "immich_role";
+ scope = "openid email profile groups";
+ tokenEndpointAuthMethod = "client_secret_post";
+ # storageLabelClaim: "",
+ # "mobileOverrideEnabled": false,
+ # "mobileRedirectUri": "",
+
+ };
+ };
+ mediaLocation = "/storage/storage/media-server/photos";
+ accelerationDevices = [
+ "/dev/dri/renderD128"
+ ];
+ };
+}
diff --git a/programs/default.nix b/programs/default.nix
index 49fd488..51b6de8 100644
--- a/programs/default.nix
+++ b/programs/default.nix
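Review bot: The database password is committed in clear text and lands in the Nix store — `secretsFile = toString (pkgs.writeText "db-password" ''DB_PASSWORD=immich'')` yields a world-readable `/nix/store` path, so every local user (and anyone with the repo) gets the credential, which undercuts the sops handling used for the OAuth client secret a few lines below. Point `secretsFile` at a sops-managed file instead (a second `sops.secrets.*` entry sourced from `${secrets}/immich.yaml` with `owner = "immich";`, referenced as `secretsFile = config.sops.secrets.<db-env-secret>.path;`) and connect as the dedicated role with `user = "immich";` rather than the `postgres` superuser, which is what `ensureDBOwnership` in databases.nix sets up. `sops.secrets.immich-session-secret` sets no `owner`, so it will be root-only by default; confirm the `_secret` substitution for `clientSecret` runs with enough privilege to read it, or add `owner = "immich";`. `users.groups.jellyfin = { };` also looks like a copy-paste leftover in this Immich module — the user is assigned `group = "immich"`, which is not declared here (the NixOS immich module may create it when enabled; worth confirming).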
@@ -35,6 +35,15 @@ }; }; + custom.program.cli-packages = { + requirements = [ "cli" ]; + home-config = _: { + home.packages = with pkgs; [ + sops + ]; + }; + }; + custom.program.homedirs = { home-config = { config, ... }: