backing up the working dir

2025-10-28 16:10:19 -05:00 · 2025-10-28 16:10:19 -05:00 · b8d125d448
commit b8d125d448
parent 82f1d9d5c9
19 changed files with 622 additions and 4 deletions
--- a/hosts/lithium/services/immich.nix
+++ b/hosts/lithium/services/immich.nix
@ -0,0 +1,84 @@
+{ inputs, config, pkgs, lib, ... }:
+let
+  homelabDomain = inputs.nixos-secrets.homelabDomain;
+  svcDomain = "photos.${homelabDomain}";
+  photoStorageDir = "/tank/shares/photos";
+  svcPort = config.services.immich.port;
+in
+{
+
+  # NOTE: The following repo contains a highly mature immich setup on nixos.
+  # https://github.com/xinyangli/nixos-config/blob/a8b5bea68caea573801ccfdb8ceacb7a8f2b0190/machines/agate/services/immich.nix
+  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
+    reverse_proxy :${svcPort}
+  '';
+
+  # NOTE: Primarily to contain DB_PASSWORD to make it possible to backup and restore the DB.
+  sops.secrets.immich_env = {
+    sopsFile = ../../secrets/immich.env;
+    format = "dotenv";
+    mode = "0440";
+    owner = "immich";
+    group = "immich";
+    restartUnits = [ "immich.service" ];
+  };
+  sops.secrets."immich/oauth2_client_secret" = {
+    owner = "immich";
+    group = "kanidm";
+    mode = "0440";
+    restartUnits = [ "immich.service" "kanidm.service" ];
+  };
+
+  users.users.immich = {
+    isSystemUser = true;
+  };
+  users.groups.immich = {};
+  systemd.tmpfiles.rules = [
+    "d ${photoStorageDir} 0770 immich immich -"
+  ];
+
+  # TODO: Setup mTLS for external / non-tailscale VPN immich access.
+  # https://github.com/alangrainger/immich-public-proxy/blob/main/docs/securing-immich-with-mtls.md
+  # TODO: Consider immich-public-proxy for generating "share" links
+  # https://github.com/alangrainger/immich-public-proxy
+  services.immich = {
+    enable = true;
+    openFirewall = true;
+    port = 2283; # default
+    secretsFile = config.sops.secrets."immich_secrets.env".path;
+
+    # TODO: Build this directory with permissions for the immich user.
+    mediaLocation = "/tank/shares/photos";
+
+    # https://docs.immich.app/install/config-file/
+    settings = {
+      # TODO: Setup OAuth with Kanidm
+      oauth = {
+        enabled = true;
+        issuerUrl = "https://";  # TODO: the kanidm url?
+        clientId = "immich";
+        clientSecret = config.sops.placeholder."immich/oauth2_client_secret";
+        scope = "openid email profile";
+        signingAlgorithm = "ES256";
+        storageLabelClaim = "email";
+        buttonText = "Login with Kanidm";
+        autoLaunch = true;
+        mobileOverrideEnabled = true;
+        mobileRedirectUri = "https://${svcDomain}/api/oauth/mobile-redirect/";
+      };
+    };
+  };
+
+  services.kanidm.provision.systems.oauth2.immich = {
+    displayName = "immich";
+    originUrl = "https://${svcDomain}/oauth2/oidc/callback";
+    originLanding = "https://${svcDomain}/";
+    basicSecretFile = config.sops.secrets."immich/oauth2_client_secret".path;
+    scopeMaps."immich.users" = [
+      "openid"
+      "email"
+      "profile"
+    ];
+    preferShortUsername = true;
+  };
+}