Diffstat (limited to 'nix/hosts/corrino/www/photo/immich.nix')
-rw-r--r-- | nix/hosts/corrino/www/photo/immich.nix | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/nix/hosts/corrino/www/photo/immich.nix b/nix/hosts/corrino/www/photo/immich.nix index 92a3a64..3e1bf48 100644 --- a/nix/hosts/corrino/www/photo/immich.nix +++ b/nix/hosts/corrino/www/photo/immich.nix @@ -6,6 +6,15 @@ forceSSL = true; enableACME = true; locations = { + # # immich private proxy + # "/share" = { + # proxyPass = "http://${config.services.immich.host}:${toString config.services.immich-public-proxy.port}"; + # }; + # "/share/*" = { + # proxyPass = "http://${config.services.immich.host}:${toString config.services.immich-public-proxy.port}"; + # }; + + # immich "/" = { proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}"; proxyWebsockets = true; @@ -13,13 +22,17 @@ }; }; + age.secrets.immich_oidc_client_secret.owner = "authelia-main"; + age.secrets.immich_oidc_client_secret.group = "authelia-main"; + # auth via authelia services.authelia.instances.main.settings.identity_providers.oidc.clients = [ { - id = "Immich"; + client_id = "Immich"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$iCgyAKjoYH9UKADProvbgw$LjrYkX1MjjtSXWDkxDjyp3NkLLuLVvKVwy3o8/Rw.8Z8b6yCkPWdBCothuCMlaGcgfG/zLWM6lRV4BrXVZpkig"; + client_secret = "{{ secret \"${config.age.secrets.immich_oidc_client_secret.path}\" }}"; + public = false; authorization_policy = "two_factor"; redirect_uris = [ @@ -43,15 +56,14 @@ # "fragment" #]; - token_endpoint_auth_method = "client_secret_basic"; + # token_endpoint_auth_method = "client_secret_basic"; # might be needed since the upgrade to nixos-24.11 and the resulting # 4.37.5 -> 4.38.17 upgrade - # token_endpoint_auth_method = "client_secret_post"; + token_endpoint_auth_method = "client_secret_post"; } ]; - services.immich = { enable = true; package = pkgs.immich; 
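Review bot: The commented-out `"/share/*"` location in the first hunk would not act as a wildcard if it is ever enabled, because nginx prefix locations match literally. `"/share"` already covers everything below it, and also unrelated paths such as `/shared…`. The label reads "immich private proxy" while the upstream it points at is `immich-public-proxy`, and the last hunk of this commit adds a second disabled block for the same service. I would either leave both disabled blocks out until the proxy is wired up, or keep a single `"/share/"` location and relabel it `# immich public proxy (disabled)`.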
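Review bot: The new `client_secret = "{{ secret \"…\" }}"` line is only expanded when Authelia's `template` configuration filter is enabled for the `main` instance, and nothing visible in this hunk enables it. Without the filter the literal `{{ secret … }}` text would presumably be taken as the secret itself, so it is worth a comment next to it such as `# needs X_AUTHELIA_CONFIG_FILTERS=template on this instance; the age file holds the pbkdf2 digest, not the plaintext`. The `age.secrets.immich_oidc_client_secret` declaration sets only `owner` and `group` here, so its `file` and mode are presumably defined outside the hunk — confirm it is not group- or world-readable beyond `authelia-main`. The removed pbkdf2-sha512 digest stays in the repository history, so rotating the client secret as part of this move would make the published digest worthless.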
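Review bot: The comment above `token_endpoint_auth_method = "client_secret_post";` still says "might be needed since the upgrade", although the setting is now the active one, and the old `client_secret_basic` line is left behind commented out. I would delete the dead line and state the fact instead, e.g. `# Immich sends the client secret with client_secret_post (required after the 4.37.5 -> 4.38.17 upgrade)`. The version numbers presumably refer to Authelia; naming the package in the comment would remove the guesswork.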
@@ -59,7 +71,7 @@ secretsFile = config.age.secrets.immich_secrets_file.path; host = "127.0.0.1"; - port = config.emile.ports.immich; + port = config.emile.ports.photo.immich; machine-learning = { enable = false; @@ -68,4 +80,19 @@ }; }; }; + + # services.immich-public-proxy = { + # enable = true; + # package = pkgs.immich-public-proxy; + # settings = { + # downloadOriginalPhoto = true; + # showGalleryTitle = true; + # allowDownloadAll = 1; + # showHomePage = true; + # showMetadata = true; + # }; + # port = config.emile.ports.photo.immich-public-proxy; + # openFirewall = false; + # immichUrl = "photo.emile.space"; + # }; } |
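Review bot: If the disabled `services.immich-public-proxy` block is later enabled as written, every share link would serve original files together with their metadata (`downloadOriginalPhoto = true`, `showMetadata = true`, `allowDownloadAll = 1`), which can include capture location. A one-line comment recording that this is intended would help the next reader, e.g. `# share links expose originals incl. EXIF — intentional`. `immichUrl = "photo.emile.space"` also carries no scheme, and the module presumably expects a full URL such as the local `http://127.0.0.1:<immich-port>` endpoint — confirm before enabling.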