# NixOS module: Immich photo server published through nginx at photos.donsz.nl,
# with OIDC as the only login path and an Intel render node for acceleration.
{
  config,
  pkgs,
  secrets,
  ...
}:
let
  immichCfg = config.services.immich;
  oauthSecret = config.sops.secrets.immich-session-secret;

  # NOTE(review): pkgs.writeText places this file in the Nix store, which is
  # readable by every local user and is copied to any binary cache or remote
  # builder that receives this closure. The value is also a fixed, guessable
  # literal. Consider sourcing it from a sops secret like the OAuth client
  # secret below, or switching to socket/peer authentication so that no
  # password is needed.
  dbEnvFile = pkgs.writeText "db-password" ''
    DB_PASSWORD=immich
  '';
in
{
  # Dedicated unprivileged account for the service.
  users = {
    groups.immich = { };
    users.immich = {
      isSystemUser = true;
      group = "immich";
      # Supplementary groups, presumably for access to the DRI node listed in
      # accelerationDevices (confirm against the device's group ownership).
      extraGroups = [
        "video"
        "render"
      ];
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = [
      pkgs.intel-ocl
      pkgs.intel-media-driver
    ];
  };

  # OIDC client secret, decrypted by sops-nix at activation time and referenced
  # by path only, so the value itself does not enter the Nix store.
  # NOTE(review): no owner/mode is set here; confirm the immich service can
  # actually read the decrypted file under the sops-nix defaults.
  sops.secrets.immich-session-secret = {
    sopsFile = "${secrets}/immich.yaml";
    key = "client_secret";
    format = "yaml";
  };

  services = {
    nginx.virtualHosts."photos.donsz.nl" = {
      enableACME = true;
      # Plain HTTP is redirected to HTTPS; TLS terminates at nginx.
      forceSSL = true;
      locations."/" = {
        # Upstream is the loopback address only.
        # NOTE(review): confirm Immich's listen address and firewall settings
        # are not widened elsewhere, otherwise port 2283 is reachable without
        # TLS and without passing through this proxy.
        proxyPass = "http://[::1]:${toString immichCfg.port}";
        proxyWebsockets = true;
        recommendedProxySettings = true;
        # Very large request bodies and long timeouts to allow bulk uploads.
        # NOTE(review): with oauth.autoRegister on, any account the IdP lets
        # through can upload up to this size; check disk quotas accordingly.
        extraConfig = ''
          client_max_body_size 50000M;
          proxy_read_timeout 600s;
          proxy_send_timeout 600s;
          send_timeout 600s;
        '';
      };
    };

    immich = {
      enable = true;
      port = 2283;

      # createDB = false: the database is expected to exist already.
      # NOTE(review): the service connects over TCP to localhost as "postgres",
      # which is conventionally the PostgreSQL superuser role. A dedicated
      # role that owns only the "immich" database would limit what a
      # compromised Immich process can reach in the cluster.
      database = {
        name = "immich";
        createDB = false;
        user = "postgres";
        host = "localhost";
        port = 5432;
      };

      secretsFile = toString dbEnvFile;

      settings = {
        server.externalDomain = "https://photos.donsz.nl";
        logging.level = "log";
        # Local passwords are disabled; authentication is delegated to the
        # OIDC issuer configured below.
        passwordLogin.enabled = false;

        storageTemplate = {
          enabled = true;
          # year / album name or "Other" / y m d / filename
          template = "{{y}}/{{#if album}}{{album}}{{else}}Other{{/if}}/{{y}}-{{MM}}-{{dd}}/{{filename}}";
          hashVerificationEnabled = true;
        };

        reverseGeocoding = {
          enabled = true;
        };

        oauth = {
          enabled = true;
          clientSecret._secret = oauthSecret.path;
          autoLaunch = true;
          # NOTE(review): with autoRegister on and password login off, who may
          # obtain an account (and, via roleClaim, presumably which role they
          # get) is decided entirely by the issuer. Confirm the IdP restricts
          # this client to the intended users and controls the "immich_role"
          # claim.
          autoRegister = true;
          buttonText = "Log in";
          clientId = "8fd9c066-2298-4991-ba24-7c41bd73192b";
          issuerUrl = "https://auth.donsz.nl";
          roleClaim = "immich_role";
          scope = "openid email profile groups";
          tokenEndpointAuthMethod = "client_secret_post";
          storageLabelClaim = "preferred_username";
        };
      };

      mediaLocation = "/storage/storage/media-server/photos";
      accelerationDevices = [ "/dev/dri/renderD128" ];
    };
  };
}