authorEmile <git@emile.space>2024-12-03 22:03:41 +0100
committerEmile <git@emile.space>2024-12-03 22:03:41 +0100
commit0c9d47cbd6e9424f4b7e2cf62100e16145516f95 (patch)
tree3dcb7c43a07d1adf383825212b60e0c0dcd57ffe /nix/hosts/corrino/www/photo/immich.nix
parentc878c4981bf1e02b3b428d59933914d8d0a76dde (diff)
(corrino) add immich service
Diffstat (limited to 'nix/hosts/corrino/www/photo/immich.nix')
-rw-r--r--nix/hosts/corrino/www/photo/immich.nix75
1 files changed, 55 insertions, 20 deletions
diff --git a/nix/hosts/corrino/www/photo/immich.nix b/nix/hosts/corrino/www/photo/immich.nix
index 37eadad..92a3a64 100644
--- a/nix/hosts/corrino/www/photo/immich.nix
+++ b/nix/hosts/corrino/www/photo/immich.nix
@@ -1,36 +1,71 @@
-{ config, pkgs, ... } @ args:
+{ config, pkgs, ... }:
 
 {
-  imports = [
-    "${args.inputs.nixpkgs-master}/nixos/modules/services/web-apps/immich.nix"
-  ];
-
-  disabledModules = [ "services/web-apps/immich.nix" ];
-
+  services.nginx.clientMaxBodySize = "100m";
   services.nginx.virtualHosts."photo.emile.space" = {
     forceSSL = true;
     enableACME = true;
     locations = {
       "/" = {
         proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}";
+        proxyWebsockets = true;
       };
     };
   };
 
-	services.immich = {
-		enable = true;
-    package = pkgs.unstable.immich;
-		mediaLocation = "/var/lib/immich";
+  # auth via authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+    {
+      id = "Immich";
+
+      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+      secret = "$pbkdf2-sha512$310000$iCgyAKjoYH9UKADProvbgw$LjrYkX1MjjtSXWDkxDjyp3NkLLuLVvKVwy3o8/Rw.8Z8b6yCkPWdBCothuCMlaGcgfG/zLWM6lRV4BrXVZpkig";
+      public = false;
+      authorization_policy = "two_factor";
+      redirect_uris = [
+        "https://photo.emile.space/auth/login"
+        "https://photo.emile.space/user-settings"
+        "app.immich:///oauth-callback"
+      ];
+      scopes = [
+        "openid"
+        "email"
+        "profile"
+      ];
+      #grant_types = [
+      #  "refresh_token"
+      #  "authorization_code"
+      #];
+      #response_types = [ "code" ];
+      #response_modes = [
+      #  "form_post"
+      #  "query"
+      #  "fragment"
+      #];
+
+      token_endpoint_auth_method = "client_secret_basic";
+
+      # might be needed since the upgrade to nixos-24.11 and the resulting
+      # 4.37.5 -> 4.38.17 upgrade
+      # token_endpoint_auth_method = "client_secret_post";
+    }
+  ];
+
+
+  services.immich = {
+    enable = true;
+    package = pkgs.immich;
+    mediaLocation = "/var/lib/immich";
     secretsFile = config.age.secrets.immich_secrets_file.path;
 
-		host = "127.0.0.1";
-		port = config.emile.ports.immich;
+    host = "127.0.0.1";
+    port = config.emile.ports.immich;
 
-		# machine-learning = {
-		# 	enable = true;
-		# 	environment = {
-		# 		MACHINE_LEARNING_MODEL_TTL = "600";
-		# 	};
-		# };
-	};
+    machine-learning = {
+      enable = false;
+      environment = {
+        MACHINE_LEARNING_MODEL_TTL = "600";
+      };
+    };
+  };
 }
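Review bot: `services.nginx.clientMaxBodySize = "100m";` on the first added line of the hunk is the host-wide nginx option, so the larger request-body limit now applies to every virtual host served by corrino, not only to photo.emile.space; if the intent is just Immich uploads, it is narrower to set it inside the `"photo.emile.space"` vhost with `extraConfig = "client_max_body_size 100m;";`. The OIDC client entry embeds the pbkdf2-sha512 digest of the client secret directly in the module while Immich's own secrets go through `config.age.secrets.immich_secrets_file`; a one-line comment above `secret = ...` stating that this value is the Authelia-side hash, with the plaintext presumably held only on the Immich side, would help a later reader tell the two apart. The `machine-learning.environment` block is inert while `enable = false;`, so a comment such as `# kept for when machine-learning is re-enabled` would make that deliberate rather than leftover.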