karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add immich

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-09-30 10:13:59 +01:00
parent 6ce084b652
commit 492b643d8b
18 changed files with 479 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@@ -25,7 +25,6 @@ NixOS dotfiles and configuration for various hosts and users.
- [`remove-host.sh`](./scripts/remove-host.sh): Remove references to a host. - [`remove-host.sh`](./scripts/remove-host.sh): Remove references to a host.
- [`update-keys.sh`](./scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations. - [`update-keys.sh`](./scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
- [`update.sh`](./scripts/update.sh): Update flake and all packages. - [`update.sh`](./scripts/update.sh): Update flake and all packages.
- [`cache.sh`](./scripts/cache.sh): Build all `nixosConfiguration`s and push them to `attic`.
Any `options.nix` files create custom option definitions when present. Any `options.nix` files create custom option definitions when present.

8
flake.lock generated
View File

@@ -511,11 +511,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1758576944, "lastModified": 1759165833,
"narHash": "sha256-P6fvi2mjyJEUg19BTZ6eb+fRM8V6s2xY1SWQ8gb49U0=", "narHash": "sha256-EYAVKr7gGY7MDmgPIYsW3yk96q51UT1vtzlupR8paKg=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "a9d956a20fc4534fcc7d3da7f0994c499c4ea405", "rev": "a5c1c552628492281e05e99458f1ca3ec272b448",
"revCount": 47, "revCount": 48,
"type": "git", "type": "git",
"url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git" "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
}, },

5
hosts/jupiter/hardware/default.nix
View File

@@ -92,10 +92,7 @@
]; ];
}; };
nixpkgs.config = { nixpkgs.config.cudaSupport = true;
cudaSupport = true;
rocmSupport = true;
};
services = { services = {
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = [ "nvidia" ];

1
hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
View File

@@ -136,6 +136,7 @@ in
"outline" "outline"
"shlink" "shlink"
"comentario" "comentario"
"immich"
]; ];
}; };
} }

1
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -16,6 +16,7 @@ in
(import ./comentario { inherit user home; }) (import ./comentario { inherit user home; })
(import ./gitea { inherit user home; }) (import ./gitea { inherit user home; })
(import ./grafana { inherit user home; }) (import ./grafana { inherit user home; })
(import ./immich { inherit user home; })
(import ./littlelink { inherit user home; }) (import ./littlelink { inherit user home; })
(import ./lore { inherit user home; }) (import ./lore { inherit user home; })
(import ./media { inherit user home; }) (import ./media { inherit user home; })

215
hosts/jupiter/users/storm/configs/console/podman/immich/default.nix Normal file
View File

@@ -0,0 +1,215 @@
{ user, home }:
{
config,
inputs,
pkgs,
lib,
...
}:
let
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
autheliaClientId = "kwrm5k1Bgwqd4BCXiWp0feL6adpthOn0GGgQ9iIVW7IH1UIj7bA2HVj9Jv42hUheoYoE8wWJpQi8woPomrSJIauTmsBMMFTTrI6r";
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"immich/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"immich/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"immich/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"immich/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
"immich/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
};
templates = {
immich-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."immich/postgresql"}
'';
immich-env.content = ''
DB_PASSWORD=${hmConfig.sops.placeholder."immich/postgresql"}
IMMICH_ADMIN_PASSWORD=${hmConfig.sops.placeholder."immich/admin"}
'';
immich.content = builtins.readFile (
(pkgs.formats.json { }).generate "config.json" {
ffmpeg = {
accel = "nvenc";
accelDecode = true;
};
oauth = {
enabled = true;
buttonText = "Login with Authelia";
clientId = autheliaClientId;
clientSecret = hmConfig.sops.placeholder."immich/authelia/password";
issuerUrl = "https://id.karaolidis.com/.well-known/openid-configuration";
scope = lib.strings.concatStringsSep " " [
"openid"
"profile"
"email"
];
};
passwordLogin.enabled = true;
newVersionCheck.enabled = false;
library.watch.enabled = true;
server.externalDomain = "https://photos.karaolidis.com";
notifications.smtp = {
enabled = true;
from = "jupiter@karaolidis.com";
transport = {
host = "smtp.protonmail.ch";
port = 587;
username = "jupiter@karaolidis.com";
password = hmConfig.sops.placeholder."immich/smtp";
};
};
}
);
authelia-immich.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "immich.yaml" {
identity_providers.oidc = {
authorization_policies.immich = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:immich";
}
];
};
clients = [
{
client_id = autheliaClientId;
client_name = "immich";
client_secret = hmConfig.sops.placeholder."immich/authelia/digest";
redirect_uris = [
"https://photos.karaolidis.com/auth/login"
"https://photos.karaolidis.com/user-settings"
"app.immich:///oauth-callback"
];
authorization_policy = "immich";
scopes = [
"openid"
"profile"
"email"
];
token_endpoint_auth_method = "client_secret_post";
pre_configured_consent_duration = "1 year";
}
];
};
}
);
};
};
systemd.user.tmpfiles.rules = [
"d /mnt/storage/private/storm/containers/storage/volumes/immich/_data 700 storm storm"
];
virtualisation.quadlet = {
networks.immich = { };
volumes = {
immich-redis = { };
immich-postgresql = { };
immich-machine-learning-cache = { };
};
containers = {
immich = {
containerConfig = {
image = "docker-archive:${pkgs.dockerImages.immich}";
volumes =
let
postStart = pkgs.writeTextFile {
name = "post-start.sh";
executable = true;
text = builtins.readFile ./post-start.sh;
};
in
[
"${hmConfig.sops.templates.immich.path}:/etc/immich/config.json:ro"
"${postStart}:/etc/immich/post-start.sh:ro"
"/mnt/storage/private/storm/containers/storage/volumes/immich/_data:/var/lib/immich"
];
networks = [
networks.immich.ref
networks.traefik.ref
];
labels = [
"traefik.enable=true"
"traefik.http.routers.immich.rule=Host(`photos.karaolidis.com`)"
];
environments = {
DB_HOSTNAME = "immich-postgresql";
DB_USERNAME = "immich";
DB_DATABASE_NAME = "immich";
REDIS_HOSTNAME = "immich-redis";
IMMICH_ADMIN_EMAIL = "jupiter@karaolidis.com";
IMMICH_ADMIN_NAME = "Admin";
};
environmentFiles = [ hmConfig.sops.templates.immich-env.path ];
podmanArgs = [ "--cdi-spec-dir=/run/cdi" ];
devices = [ "nvidia.com/gpu=all" ];
};
unitConfig = {
After = [
"${containers.immich-postgresql._serviceName}.service"
"${containers.immich-redis._serviceName}.service"
"sops-nix.service"
];
Requires = [
"${containers.immich-postgresql._serviceName}.service"
"${containers.immich-redis._serviceName}.service"
];
};
};
immich-machine-learning.containerConfig = {
image = "docker-archive:${pkgs.dockerImages.immich-machine-learning}";
volumes = [ "${volumes.immich-machine-learning-cache.ref}:/tmp/immich-machine-learning" ];
networks = [ networks.immich.ref ];
podmanArgs = [ "--cdi-spec-dir=/run/cdi" ];
devices = [ "nvidia.com/gpu=all" ];
};
immich-postgresql = {
containerConfig = {
image = "docker-archive:${pkgs.dockerImages.postgresql-vectorchord}";
networks = [ networks.immich.ref ];
volumes = [ "${volumes.immich-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "immich";
POSTGRES_USER = "immich";
};
environmentFiles = [ hmConfig.sops.templates.immich-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
immich-redis.containerConfig = {
image = "docker-archive:${pkgs.dockerImages.redis}";
networks = [ networks.immich.ref ];
volumes = [ "${volumes.immich-redis.ref}:/var/lib/redis" ];
exec = [ "--save 60 1" ];
};
authelia.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-immich.path}:/etc/authelia/conf.d/immich.yaml:ro"
];
};
};
};
}

22
hosts/jupiter/users/storm/configs/console/podman/immich/post-start.sh Normal file
View File

@@ -0,0 +1,22 @@
# shellcheck shell=sh
IMMICH_HOST="${IMMICH_HOST:-http://localhost:2283}"
IMMICH_ADMIN_NAME="${IMMICH_ADMIN_NAME:-Admin}"
until response="$(curl -sf "$IMMICH_HOST/api/server/config")"; do
echo "Waiting for Immich to be ready..."
sleep 1
done
is_initialized="$(echo "$response" | jq -r '.isInitialized')"
if [ "$is_initialized" = "false" ]; then
curl -sf "$IMMICH_HOST/api/auth/admin-sign-up" \
-X POST \
-H 'Content-Type: application/json' \
--data-raw '{
"email":"'"$IMMICH_ADMIN_EMAIL"'",
"password":"'"$IMMICH_ADMIN_PASSWORD"'",
"name":"'"$IMMICH_ADMIN_NAME"'"
}'
fi

3
overlays/default.nix
View File

@@ -24,6 +24,8 @@ final: prev:
grafana-image-renderer = final.docker-image-grafana-image-renderer; grafana-image-renderer = final.docker-image-grafana-image-renderer;
grafana-to-ntfy = final.docker-image-grafana-to-ntfy; grafana-to-ntfy = final.docker-image-grafana-to-ntfy;
grafana = final.docker-image-grafana; grafana = final.docker-image-grafana;
immich = final.docker-image-immich;
immich-machine-learning = final.docker-image-immich-machine-learning;
jellyseerr = final.docker-image-jellyseerr; jellyseerr = final.docker-image-jellyseerr;
littlelink-server = final.docker-image-littlelink-server; littlelink-server = final.docker-image-littlelink-server;
mariadb = final.docker-image-mariadb; mariadb = final.docker-image-mariadb;
@@ -36,6 +38,7 @@ final: prev:
outline = final.docker-image-outline; outline = final.docker-image-outline;
plex = final.docker-image-plex; plex = final.docker-image-plex;
postgresql = final.docker-image-postgresql; postgresql = final.docker-image-postgresql;
postgresql-vectorchord = final.docker-image-postgresql-vectorchord;
prometheus = final.docker-image-prometheus; prometheus = final.docker-image-prometheus;
prometheus-fail2ban-exporter = final.docker-image-prometheus-fail2ban-exporter; prometheus-fail2ban-exporter = final.docker-image-prometheus-fail2ban-exporter;
prometheus-node-exporter = final.docker-image-prometheus-node-exporter; prometheus-node-exporter = final.docker-image-prometheus-node-exporter;

3
packages/default.nix
View File

@@ -17,6 +17,8 @@
docker-image-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; }; docker-image-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
docker-image-grafana-to-ntfy = import ./docker/grafana-to-ntfy { inherit pkgs; }; docker-image-grafana-to-ntfy = import ./docker/grafana-to-ntfy { inherit pkgs; };
docker-image-grafana = import ./docker/grafana { inherit pkgs; }; docker-image-grafana = import ./docker/grafana { inherit pkgs; };
docker-image-immich = import ./docker/immich { inherit pkgs; };
docker-image-immich-machine-learning = import ./docker/immich-machine-learning { inherit pkgs; };
docker-image-jellyseerr = import ./docker/jellyseerr { inherit pkgs; }; docker-image-jellyseerr = import ./docker/jellyseerr { inherit pkgs; };
docker-image-littlelink-server = import ./docker/littlelink-server { inherit pkgs; }; docker-image-littlelink-server = import ./docker/littlelink-server { inherit pkgs; };
docker-image-mariadb = import ./docker/mariadb { inherit pkgs; }; docker-image-mariadb = import ./docker/mariadb { inherit pkgs; };
@@ -29,6 +31,7 @@
docker-image-outline = import ./docker/outline { inherit pkgs; }; docker-image-outline = import ./docker/outline { inherit pkgs; };
docker-image-plex = import ./docker/plex { inherit pkgs; }; docker-image-plex = import ./docker/plex { inherit pkgs; };
docker-image-postgresql = import ./docker/postgresql { inherit pkgs; }; docker-image-postgresql = import ./docker/postgresql { inherit pkgs; };
docker-image-postgresql-vectorchord = import ./docker/postgresql-vectorchord { inherit pkgs; };
docker-image-prometheus = import ./docker/prometheus { inherit pkgs; }; docker-image-prometheus = import ./docker/prometheus { inherit pkgs; };
docker-image-prometheus-fail2ban-exporter = import ./docker/prometheus-fail2ban-exporter { docker-image-prometheus-fail2ban-exporter = import ./docker/prometheus-fail2ban-exporter {
inherit pkgs; inherit pkgs;

41
packages/docker/immich-machine-learning/default.nix Normal file
View File

@@ -0,0 +1,41 @@
{ pkgs, ... }:
let
entrypoint = pkgs.writeTextFile {
name = "entrypoint";
executable = true;
destination = "/bin/entrypoint";
text = builtins.readFile ./entrypoint.sh;
};
in
pkgs.dockerTools.buildImage {
name = "immich-machine-learning";
fromImage = pkgs.docker-image-base;
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [
entrypoint
immich-machine-learning
];
pathsToLink = [
"/bin"
"/lib"
"/share"
"/nix-support"
];
};
config = {
Entrypoint = [ "entrypoint" ];
Volumes = {
"/tmp/immich-machine-learning" = { };
};
Env = [
"IMMICH_LOG_LEVEL=warn"
"MACHINE_LEARNING_CACHE_FOLDER=/tmp/immich-machine-learning"
];
ExposedPorts = {
"3003/tcp" = { };
};
};
}

19
packages/docker/immich-machine-learning/entrypoint.sh Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/env sh
set -o errexit
set -o nounset
LOG_PIPE="$(mktemp -u)"
mkfifo "$LOG_PIPE"
(
while IFS= read -r line; do
if echo "$line" | grep -qEi "\[(WARN|ERROR)\]"; then
echo "$line" >&2
else
echo "$line"
fi
done < "$LOG_PIPE"
) &
exec machine-learning "$@" > "$LOG_PIPE" 2>&1

42
packages/docker/immich/default.nix Normal file
View File

@@ -0,0 +1,42 @@
{ pkgs, ... }:
let
entrypoint = pkgs.writeTextFile {
name = "entrypoint";
executable = true;
destination = "/bin/entrypoint";
text = builtins.readFile ./entrypoint.sh;
};
in
pkgs.dockerTools.buildImage {
name = "immich";
fromImage = pkgs.docker-image-base;
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [
entrypoint
immich
curl
jq
];
pathsToLink = [
"/bin"
"/lib"
];
};
config = {
Entrypoint = [ "entrypoint" ];
Volumes = {
"/var/lib/immich" = { };
};
WorkingDir = "/var/lib/immich";
Env = [
"IMMICH_CONFIG_FILE=/etc/immich/config.json"
"IMMICH_MEDIA_LOCATION=/var/lib/immich"
];
ExposedPorts = {
"2283/tcp" = { };
};
};
}

16
packages/docker/immich/entrypoint.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/env sh
set -o errexit
set -o nounset
server "$@" &
PID="$!"
if [ -f /etc/immich/post-start.sh ]; then
# shellcheck disable=SC1091
. /etc/immich/post-start.sh
fi
trap 'kill -KILL "$PID"' INT TERM
wait "$PID"
exit $?

100
packages/docker/postgresql-vectorchord/default.nix Normal file
View File

@@ -0,0 +1,100 @@
{ pkgs, ... }:
let
postgresql = pkgs.postgresql.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ../postgresql/allow-root.patch ];
});
# https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/sql/postgresql/generic.nix
postgresqlVectorchord =
let
installedExtensions = with postgresql.pkgs; [
pgvector
vectorchord
];
finalPackage = pkgs.buildEnv {
name = "${postgresql.pname}-vectorchord";
paths = installedExtensions ++ [
postgresql
postgresql.man
];
pathsToLink = [
"/"
"/bin"
"/share/postgresql/extension"
"/share/postgresql/timezonesets"
"/share/postgresql/tsearch_data"
];
nativeBuildInputs = with pkgs; [ makeBinaryWrapper ];
postBuild =
let
args = pkgs.lib.concatMap (ext: ext.wrapperArgs or [ ]) installedExtensions;
in
''
wrapProgram "$out/bin/postgres" ${pkgs.lib.concatStringsSep " " args}
'';
passthru = {
inherit installedExtensions;
inherit (postgresql) pkgs psqlSchema version;
pg_config = postgresql.pg_config.override {
outputs = {
out = finalPackage;
man = finalPackage;
};
};
};
};
in
finalPackage;
entrypoint = pkgs.writeTextFile {
name = "entrypoint";
executable = true;
destination = "/bin/entrypoint";
text = builtins.readFile ../postgresql/entrypoint.sh;
};
init = pkgs.writeTextDir "/etc/postgresql/init.sh" (builtins.readFile ./init.sh);
in
pkgs.dockerTools.buildImage {
name = "postgresql-vectorchord";
fromImage = pkgs.docker-image-base;
copyToRoot = pkgs.buildEnv {
name = "root";
paths = [
entrypoint
postgresqlVectorchord
init
];
pathsToLink = [
"/bin"
"/lib"
"/share"
];
};
runAsRoot = ''
mkdir -p /etc/postgresql /run/postgresql
cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf
${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf
${pkgs.gnused}/bin/sed -ri "s/^#shared_preload_libraries = '''/shared_preload_libraries = 'vchord'/" /etc/postgresql/postgresql.conf
'';
config = {
Entrypoint = [ "entrypoint" ];
ExposedPorts = {
"5432/tcp" = { };
};
WorkingDir = "/var/lib/postgresql";
Volumes = {
"/var/lib/postgresql/data" = { };
};
};
}

3
packages/docker/postgresql-vectorchord/init.sh Normal file
View File

@@ -0,0 +1,3 @@
# shellcheck shell=sh
psql --username="$POSTGRES_USER" -d postgres -c "CREATE EXTENSION IF NOT EXISTS vchord CASCADE;"

9
packages/docker/postgresql/entrypoint.sh
View File

@@ -31,13 +31,18 @@ if [ ! -s "$PGDATA/PG_VERSION" ]; then
POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}" POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
printf "\nhost all all all %s\n" "$POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf" printf "\nhost all all all %s\n" "$POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
pg_ctl -w start pg_ctl -w start -o "-c config_file=/etc/postgresql/postgresql.conf"
if ! psql --username="$POSTGRES_USER" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB'" | grep -q 1; then if ! psql --username="$POSTGRES_USER" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB'" | grep -q 1; then
psql --username="$POSTGRES_USER" -d postgres -c "CREATE DATABASE \"$POSTGRES_DB\";" psql --username="$POSTGRES_USER" -d postgres -c "CREATE DATABASE \"$POSTGRES_DB\";"
fi fi
pg_ctl -m fast -w stop if [ -f /etc/postgresql/init.sh ]; then
# shellcheck disable=SC1091
. /etc/postgresql/init.sh
fi
pg_ctl -m fast -w stop -o "-c config_file=/etc/postgresql/postgresql.conf"
fi fi
exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1 exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1

19
scripts/cache.sh
View File

@@ -1,19 +0,0 @@
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
flake_json=$(nix flake show --json)
build_and_push() {
local expr="$1"
nix build "$expr" --no-link --print-out-paths | while IFS= read -r path; do
attic push main "$path"
done
}
jq -r '.nixosConfigurations | keys[]' <<<"$flake_json" | while IFS= read -r cfg; do
expr=".#nixosConfigurations.\"$cfg\".config.system.build.toplevel"
build_and_push "$expr"
done

2
submodules/secrets

Submodule submodules/secrets updated: a9d956a20f...a5c1c55262