immich

2026-01-24 11:59:38 +01:00 · 2026-01-24 11:59:38 +01:00 · e3f3e75285
commit e3f3e75285
parent 74a6785eb0
5 changed files with 117 additions and 7 deletions
--- a/hosts/fili/services/databases.nix
+++ b/hosts/fili/services/databases.nix
@ -54,6 +54,10 @@
        name = "pocketid";
        ensureDBOwnership = true;
      }
+      {
+        name = "immich";
+        ensureDBOwnership = true;
+      }
    ];
    ensureDatabases = map (i: i.name) ensureUsers;
  };
--- a/hosts/fili/services/default.nix
+++ b/hosts/fili/services/default.nix
@ -6,6 +6,7 @@ _: {
    ./forgejo.nix
    ./obsidian-sync.nix
    ./metrics.nix
+    ./immich.nix

    ./factorio
    ./media
--- a/hosts/fili/services/immich.nix
+++ b/hosts/fili/services/immich.nix
@ -0,0 +1,96 @@
+{
+  config,
+  pkgs,
+  secrets,
+  ...
+}:
+{
+
+  users.groups.jellyfin = { };
+  users.users.immich = {
+    isSystemUser = true;
+    group = "immich";
+
+    extraGroups = [
+      "video"
+      "render"
+    ];
+  };
+
+  hardware.graphics = {
+    enable = true;
+
+    extraPackages = with pkgs; [
+      intel-ocl
+      intel-media-driver
+    ];
+  };
+
+  sops.secrets.immich-session-secret = {
+    sopsFile = "${secrets}/immich.yaml";
+    key = "client_secret";
+    format = "yaml";
+  };
+
+  services.nginx.virtualHosts."photos.donsz.nl" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString config.services.immich.port}";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+      extraConfig = ''
+        client_max_body_size 50000M;
+        proxy_read_timeout   600s;
+        proxy_send_timeout   600s;
+        send_timeout         600s;
+      '';
+    };
+  };
+
+  services.immich = {
+    enable = true;
+    port = 2283;
+
+    database = {
+      name = "immich";
+      createDB = false;
+      user = "postgres";
+      host = "localhost";
+      port = 5432;
+    };
+
+    secretsFile = toString (
+      pkgs.writeText "db-password" ''
+        DB_PASSWORD=immich
+      ''
+    );
+
+    settings = {
+      server.externalDomain = "https://photos.donsz.nl";
+      logging.level = "verbose";
+
+      oauth = {
+        enabled = true;
+
+        clientSecret._secret = config.sops.secrets.immich-session-secret.path;
+        autoLaunch = true;
+        autoRegister = true;
+        buttonText = "Log in";
+        clientId = "8fd9c066-2298-4991-ba24-7c41bd73192b";
+        issuerUrl = "https://auth.donsz.nl";
+        roleClaim = "immich_role";
+        scope = "openid email profile groups";
+        tokenEndpointAuthMethod = "client_secret_post";
+        # storageLabelClaim: "",
+        # "mobileOverrideEnabled": false,
+        # "mobileRedirectUri": "",
+
+      };
+    };
+    mediaLocation = "/storage/storage/media-server/photos";
+    accelerationDevices = [
+      "/dev/dri/renderD128"
+    ];
+  };
+}