-rw-r--r--nix/hosts/corrino/www/md.emile.space.nix1
-rw-r--r--nix/hosts/corrino/www/photo/default.nix2
-rw-r--r--nix/hosts/corrino/www/photo/immich.nix75
3 files changed, 57 insertions, 21 deletions
diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix
index 029c54f..fc5df26 100644
--- a/nix/hosts/corrino/www/md.emile.space.nix
+++ b/nix/hosts/corrino/www/md.emile.space.nix
@@ -36,6 +36,7 @@
         "query"
         "fragment"
       ];
+      token_endpoint_auth_method = "client_secret_post";
     }
   ];
 
diff --git a/nix/hosts/corrino/www/photo/default.nix b/nix/hosts/corrino/www/photo/default.nix
index a5bb496..9d7d4f5 100644
--- a/nix/hosts/corrino/www/photo/default.nix
+++ b/nix/hosts/corrino/www/photo/default.nix
@@ -3,6 +3,6 @@
 {
   imports = [
     # ./photoprism.nix
-    # ./immich.nix
+    ./immich.nix
   ];
 }
diff --git a/nix/hosts/corrino/www/photo/immich.nix b/nix/hosts/corrino/www/photo/immich.nix
index 37eadad..92a3a64 100644
--- a/nix/hosts/corrino/www/photo/immich.nix
+++ b/nix/hosts/corrino/www/photo/immich.nix
@@ -1,36 +1,71 @@
-{ config, pkgs, ... } @ args:
+{ config, pkgs, ... }:
 
 {
-  imports = [
-    "${args.inputs.nixpkgs-master}/nixos/modules/services/web-apps/immich.nix"
-  ];
-
-  disabledModules = [ "services/web-apps/immich.nix" ];
-
+  services.nginx.clientMaxBodySize = "100m";
   services.nginx.virtualHosts."photo.emile.space" = {
     forceSSL = true;
     enableACME = true;
     locations = {
       "/" = {
         proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}";
+        proxyWebsockets = true;
       };
     };
   };
 
-	services.immich = {
-		enable = true;
-    package = pkgs.unstable.immich;
-		mediaLocation = "/var/lib/immich";
+  # auth via authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+    {
+      id = "Immich";
+
+      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+      secret = "$pbkdf2-sha512$310000$iCgyAKjoYH9UKADProvbgw$LjrYkX1MjjtSXWDkxDjyp3NkLLuLVvKVwy3o8/Rw.8Z8b6yCkPWdBCothuCMlaGcgfG/zLWM6lRV4BrXVZpkig";
+      public = false;
+      authorization_policy = "two_factor";
+      redirect_uris = [
+        "https://photo.emile.space/auth/login"
+        "https://photo.emile.space/user-settings"
+        "app.immich:///oauth-callback"
+      ];
+      scopes = [
+        "openid"
+        "email"
+        "profile"
+      ];
+      #grant_types = [
+      #  "refresh_token"
+      #  "authorization_code"
+      #];
+      #response_types = [ "code" ];
+      #response_modes = [
+      #  "form_post"
+      #  "query"
+      #  "fragment"
+      #];
+
+      token_endpoint_auth_method = "client_secret_basic";
+
+      # might be needed since the upgrade to nixos-24.11 and the resulting
+      # 4.37.5 -> 4.38.17 upgrade
+      # token_endpoint_auth_method = "client_secret_post";
+    }
+  ];
+
+
+  services.immich = {
+    enable = true;
+    package = pkgs.immich;
+    mediaLocation = "/var/lib/immich";
     secretsFile = config.age.secrets.immich_secrets_file.path;
 
-		host = "127.0.0.1";
-		port = config.emile.ports.immich;
+    host = "127.0.0.1";
+    port = config.emile.ports.immich;
 
-		# machine-learning = {
-		# 	enable = true;
-		# 	environment = {
-		# 		MACHINE_LEARNING_MODEL_TTL = "600";
-		# 	};
-		# };
-	};
+    machine-learning = {
+      enable = false;
+      environment = {
+        MACHINE_LEARNING_MODEL_TTL = "600";
+      };
+    };
+  };
 }
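Review bot: `services.nginx.clientMaxBodySize = "100m";` is set on the nginx module as a whole, so the raised upload limit applies to every virtual host this nginx instance serves, not only photo.emile.space; if only Immich needs it, the narrower form is `extraConfig = "client_max_body_size 100m;";` inside the `"photo.emile.space"` vhost block. The OIDC client block also leaves `token_endpoint_auth_method` undecided: `client_secret_basic` is active while the comment below it says `client_secret_post` "might be needed" after the 4.37.5 -> 4.38.17 upgrade, and the md.emile.space.nix hunk in this same commit picks `client_secret_post` — the comment should state which method was actually verified against the running Immich rather than keep both. The `secret` value is in Authelia's pbkdf2 digest form (matching the generating command quoted above it), so only the hash lives in this file and the plaintext presumably reaches Immich via `secretsFile`; a one-line comment such as `# hashed client secret; the plaintext is provided to Immich through secretsFile` would make that explicit for the next reader.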