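{ inputs, config, pkgs, lib, ... }:

let
  homelabDomain = inputs.nixos-secrets.homelabDomain;
  svcDomain = "photos.${homelabDomain}";
  # Single source of truth for the media directory: both the tmpfiles rule
  # and services.immich.mediaLocation below are derived from it.
  photoStorageDir = "/tank/shares/photos";
  svcPort = config.services.immich.port;

  # Rendered into the Immich config file by the sops template below.
  # https://docs.immich.app/install/config-file/
  jsonSettings = {
    server.externalDomain = "https://${svcDomain}";

    oauth = {
      enabled = true;
      # TODO: the kanidm url? Left as a bare "https://" by the author; OIDC
      # discovery and issuer validation cannot work until this is the real
      # Kanidm issuer, e.g. "https://<kanidm-host>/oauth2/openid/immich"
      # (placeholder host -- verify against the Kanidm OIDC discovery document).
      issuerUrl = "https://";
      clientId = "immich";
      # Substituted at activation time from the sops secret, so the secret
      # never lands in the Nix store.
      clientSecret = config.sops.placeholder."immich/oauth2_client_secret";
      # Must stay in step with the Kanidm scopeMaps further down.
      scope = "openid email profile";
      signingAlgorithm = "ES256";
      storageLabelClaim = "email";
      buttonText = "Login with Kanidm";
      autoLaunch = true;
      mobileOverrideEnabled = true;
      mobileRedirectUri = "https://${svcDomain}/api/oauth/mobile-redirect/";
    };
  };
in
{
  # NOTE: The following repo contains a highly mature immich setup on nixos.
  # https://github.com/xinyangli/nixos-config/blob/a8b5bea68caea573801ccfdb8ceacb7a8f2b0190/machines/agate/services/immich.nix

  # TLS-terminating entry point; Immich itself is reached through the proxy
  # on its local port.
  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
    reverse_proxy :${toString svcPort}
  '';

  # NOTE: Primarily to contain DB_PASSWORD to make it possible to backup and restore the DB.
  # sops.secrets.immich_env = {
  #   sopsFile = ../../secrets/immich.env;
  #   format = "dotenv";
  #   mode = "0440";
  #   owner = "immich";
  #   group = "immich";
  #   restartUnits = [ "immich.service" ];
  # };

  sops.secrets."immich/oauth2_client_secret" = { };

  # The rendered JSON embeds the OAuth client secret, hence the restrictive
  # mode and the Immich user/group as owner.
  sops.templates."immich.json" = {
    mode = "0440";
    owner = config.services.immich.user;
    group = config.services.immich.group;
    content = builtins.toJSON jsonSettings;
  };

  users.users.immich = {
    isSystemUser = true;
  };
  users.groups.immich = {};

  # Creates the media directory owned by immich:immich with mode 0770.
  systemd.tmpfiles.rules = [
    "d ${photoStorageDir} 0770 immich immich -"
  ];

  # TODO: Setup mTLS for external / non-tailscale VPN immich access.
  # https://github.com/alangrainger/immich-public-proxy/blob/main/docs/securing-immich-with-mtls.md
  # TODO: Consider immich-public-proxy for generating "share" links
  # https://github.com/alangrainger/immich-public-proxy
  services.immich = {
    enable = true;
    # NOTE(review): this opens the Immich port in the host firewall; unless
    # services.immich.host keeps the bind on loopback, the plain-HTTP API is
    # then reachable directly, bypassing the Caddy TLS front (and the planned
    # mTLS) -- confirm that is intended.
    openFirewall = true;
    port = 2283; # default
    #secretsFile = config.sops.secrets.immich_env.path;

    # Same path the tmpfiles rule above creates with immich ownership.
    mediaLocation = photoStorageDir;
    environment = {
      IMMICH_CONFIG_FILE = config.sops.templates."immich.json".path;
    };
  };

  services.kanidm.provision.systems.oauth2.immich = {
    displayName = "immich";
    # NOTE(review): Kanidm only accepts callbacks whose redirect_uri matches
    # originUrl; confirm this path against the Immich OAuth documentation, and
    # whether the mobileRedirectUri above needs to be registered here too.
    originUrl = "https://${svcDomain}/oauth2/oidc/callback";
    originLanding = "https://${svcDomain}/";
    # The same secret Immich receives as clientSecret.
    basicSecretFile = config.sops.secrets."immich/oauth2_client_secret".path;
    # Mirrors the `scope` string handed to Immich above.
    scopeMaps."immich.users" = [
      "openid"
      "email"
      "profile"
    ];
    preferShortUsername = true;
  };
}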