diff --git a/secrets/default.nix b/secrets/default.nix
index b04140e..141308e 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -37,5 +37,9 @@ in {
 file = ./forgejo-mailpass.age;
 owner = abstrServiceUser "forgejo";
 };
+ immich-oidc = mkIf server {
+ file = ./immich-oidc.age;
+ owner = abstrServiceUser "immich";
+ };
 };
 }
diff --git a/secrets/immich-oidc.age b/secrets/immich-oidc.age
new file mode 100644
index 0000000..11c301f
--- /dev/null
+++ b/secrets/immich-oidc.age
@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA MbczMCSPu7pJru1rmOsFuloCYLKlh7koC5drXcKlwiw
+ZghUrcs7YT3ciwqOkrPDEzlZe3qN9ypBw3xRGYWNPaY
+-> ssh-ed25519 MfR7VA KB6RE2QZ//Z6xoyQC502dJeg79rYXFJJdOwV+c6tOWo
+e1zIz2nsV9JbBaadTnONrPLI5Ztyv9vf4Ewzd9uSHnU
+-> ssh-ed25519 +cvRTg GntHLoUwpIrxm3FcVw+Bavaq6kLaZpVdTRLoMMVfpAY
+abE1ZkhS39vylBg8bZ5K3vgnXr70Vbk1bLCKsCFlUvU
+-> ssh-ed25519 WCPLrA +/GlB5CbM/1FwI5JE63DJVUChADjJfD3jJY3Y2KmXEU
+pPqBhV49/wg/hWffFm2XFRGC9p1nQ57tj1YK7pPkQ3U
+-> ssh-ed25519 7/ziYw lxlJVNMIqfoMPj6VGTt2V4PxFi+6WRMfOYcv1hpEMkM
+kd8CI7RECJA5uPJu33D61OEnqWwZuNQ6VmYLqXew6gc
+-> ssh-ed25519 VQy60Q YSgYVPPN7QutKhbv6/1vmoRnh14KXs0g2k9qxKuvQ2U
+FL3fImxWoBeHrCLd+jp/a1oRd/Acgi6sV/g40dCRrTA
+--- TipdjwDPkRxiV/R1FUYCm/tcD6M+XEaZhQjrzwMxiuA
+E%ZDTs,5 jLOzﻸT _Hn*xQ7$Cv`Wqt%N6 5
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9caab40..df90563 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,4 +21,5 @@ in {
 "mail-admin.age".publicKeys = keys;
 "zitadel-key.age".publicKeys = keys;
 "forgejo-mailpass.age".publicKeys = keys;
+ "immich-oidc.age".publicKeys = keys;
 }
diff --git a/system/server/forgejo.nix b/system/server/forgejo.nix
index 9560944..df2c29a 100644
--- a/system/server/forgejo.nix
+++ b/system/server/forgejo.nix
@@ -46,7 +46,7 @@ in {
 ENABLED = true;
 SUBJECT_PREFIX = "JSWGit";
 PROTOCOL = "smtps";
- SMTP_ADDR = "mail.jsw.tf";
+ SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
 SMTP_PORT = 465;
 FROM = "git@jsw.tf";
 USER = "git";
diff --git a/system/server/immich.nix b/system/server/immich.nix
index 216b8d2..312f527 100644
--- a/system/server/immich.nix
+++ b/system/server/immich.nix
@@ -1,61 +1,98 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }: let
+ inherit (lib) mkIf mkForce mkDefault;
+
 cfg = config.niksos.server;
+ oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
+ config-dir = "/run/immich-conf";
 in {
- services.immich = {
- enable = cfg;
+ config =
+ mkIf cfg
+ {
+ users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
+ services.caddy.virtualHosts."photos.jsw.tf".extraConfig = ''
+ reverse_proxy localhost:9002
+ '';
- port = 9002;
- machine-learning.enable = false;
+ services.immich = mkIf cfg {
+ enable = true;
- settings = {
- server.externalDomain = "https://photos.jsw.tf";
- ffmpeg = {
- crf = 23;
- threads = 0;
- preset = "ultrafast";
- targetVideoCodec = "h264";
- acceptedVideoCodecs = [
- "h264"
+ port = 9002;
+ machine-learning.enable = false;
+
+ accelerationDevices = mkDefault null;
+
+ #NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
+ environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
+ settings = {
+ server.externalDomain = "https://photos.jsw.tf";
+ oauth = {
+ enabled = true;
+ autoLaunch = true;
+ autoRegister = true;
+ buttonText = "Login with JSWAuth";
+ clientId = "329735769805619570";
+ clientSecret = oidcSubstitute;
+ issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
+ };
+ passwordLogin.enabled = false;
+ ffmpeg = {
+ crf = 23;
+ threads = 0;
+ preset = "ultrafast";
+ targetVideoCodec = "h264";
+ acceptedVideoCodecs = [
+ "h264"
+ ];
+ targetAudioCodec = "aac";
+ acceptedAudioCodecs = [
+ "aac"
+ "mp3"
+ "libopus"
+ "pcm_s16le"
+ ];
+ acceptedContainers = [
+ "mov"
+ "ogg"
+ "webm"
+ ];
+ targetResolution = "720";
+ maxBitrate = "0";
+ bframes = -1;
+ refs = 0;
+ gopSize = 0;
+ temporalAQ = false;
+ cqMode = "auto";
+ twoPass = false;
+ preferredHwDevice = lib.mkDefault "auto";
+ transcode = "all";
+ tonemap = "hable";
+ accel = lib.mkDefault "vaapi";
+ accelDecode = true;
+ };
+ };
+ };
+
+ systemd = {
+ services.immich-server = {
+ preStart = let
+ refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings;
+ newConfig = "${config-dir}/immich.json";
+ replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
+ in ''
+ umask 077
+ cp -f '${refConfig}' '${newConfig}'
+ chmod u+w '${newConfig}'
+ ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}'
+ '';
+ };
+ tmpfiles.rules = [
+ "d ${config-dir} 0700 immich immich"
 ];
- targetAudioCodec = "aac";
- acceptedAudioCodecs = [
- "aac"
- "mp3"
- "libopus"
- "pcm_s16le"
- ];
- acceptedContainers = [
- "mov"
- "ogg"
- "webm"
- ];
- targetResolution = "720";
- maxBitrate = "0";
- bframes = -1;
- refs = 0;
- gopSize = 0;
- temporalAQ = false;
- cqMode = "auto";
- twoPass = false;
- preferredHwDevice = lib.mkDefault "auto";
- transcode = "all";
- tonemap = "hable";
- accel = lib.mkDefault "vaapi";
- accelDecode = true;
 };
 };
-
- accelerationDevices = lib.mkDefault null;
- };
- users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled.
-
- services.caddy.virtualHosts."photos.jsw.tf" = {
- extraConfig = ''
- reverse_proxy localhost:9002
- '';
- };
 }
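Review bot: The tmpfiles rule `"d ${config-dir} 0700 immich immich"` hardcodes the account while the extraGroups line earlier in this hunk reads `config.services.immich.user`; if the immich user or group option is ever changed, /run/immich-conf ends up owned by a different account and the `cp` in preStart (which runs as the unit's user unless the ExecStartPre is marked otherwise) fails, so the rule should use the same options: `"d ${config-dir} 0700 ${config.services.immich.user} ${config.services.immich.group}"`. replace-secret inserts the secret verbatim into a JSON string literal, so a client secret containing `"` or `\` would leave immich.json unparsable; a comment on the `${replaceSecretBin}` line stating that the secret must contain no JSON-special characters, or escaping it before substitution, would close that gap. With `passwordLogin.enabled = false` and `autoLaunch = true` there is no login path when the zitadel issuer is unreachable, which deserves a comment next to `passwordLogin` describing how an admin regains access. The inner `services.immich = mkIf cfg {` is redundant underneath `config = mkIf cfg` and can be a plain attribute set.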