jsw/NiksOS
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Immich: added openid login

Browse source
This commit is contained in:
Jurn Wubben 2025-07-20 20:44:08 +02:00
parent 713ea0cf68
commit 488cb7fad8
5 changed files with 106 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

2
system/server/forgejo.nix
View file

@ -46,7 +46,7 @@ in {
ENABLED = true;
SUBJECT_PREFIX = "JSWGit";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.jsw.tf";
SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
SMTP_PORT = 465;
FROM = "git@jsw.tf";
USER = "git";

133
system/server/immich.nix
View file

@ -1,61 +1,98 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) mkIf mkForce mkDefault;
cfg = config.niksos.server;
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
in {
services.immich = {
enable = cfg;
config =
mkIf cfg
{
users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
services.caddy.virtualHosts."photos.jsw.tf".extraConfig = ''
reverse_proxy localhost:9002
'';
port = 9002;
machine-learning.enable = false;
services.immich = mkIf cfg {
enable = true;
settings = {
server.externalDomain = "https://photos.jsw.tf";
ffmpeg = {
crf = 23;
threads = 0;
preset = "ultrafast";
targetVideoCodec = "h264";
acceptedVideoCodecs = [
"h264"
port = 9002;
machine-learning.enable = false;
accelerationDevices = mkDefault null;
#NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
settings = {
server.externalDomain = "https://photos.jsw.tf";
oauth = {
enabled = true;
autoLaunch = true;
autoRegister = true;
buttonText = "Login with JSWAuth";
clientId = "329735769805619570";
clientSecret = oidcSubstitute;
issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
};
passwordLogin.enabled = false;
ffmpeg = {
crf = 23;
threads = 0;
preset = "ultrafast";
targetVideoCodec = "h264";
acceptedVideoCodecs = [
"h264"
];
targetAudioCodec = "aac";
acceptedAudioCodecs = [
"aac"
"mp3"
"libopus"
"pcm_s16le"
];
acceptedContainers = [
"mov"
"ogg"
"webm"
];
targetResolution = "720";
maxBitrate = "0";
bframes = -1;
refs = 0;
gopSize = 0;
temporalAQ = false;
cqMode = "auto";
twoPass = false;
preferredHwDevice = lib.mkDefault "auto";
transcode = "all";
tonemap = "hable";
accel = lib.mkDefault "vaapi";
accelDecode = true;
};
};
};
systemd = {
services.immich-server = {
preStart = let
refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings;
newConfig = "${config-dir}/immich.json";
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
in ''
umask 077
cp -f '${refConfig}' '${newConfig}'
chmod u+w '${newConfig}'
${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}'
'';
};
tmpfiles.rules = [
"d ${config-dir} 0700 immich immich"
];
targetAudioCodec = "aac";
acceptedAudioCodecs = [
"aac"
"mp3"
"libopus"
"pcm_s16le"
];
acceptedContainers = [
"mov"
"ogg"
"webm"
];
targetResolution = "720";
maxBitrate = "0";
bframes = -1;
refs = 0;
gopSize = 0;
temporalAQ = false;
cqMode = "auto";
twoPass = false;
preferredHwDevice = lib.mkDefault "auto";
transcode = "all";
tonemap = "hable";
accel = lib.mkDefault "vaapi";
accelDecode = true;
};
};
accelerationDevices = lib.mkDefault null;
};
users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled.
services.caddy.virtualHosts."photos.jsw.tf" = {
extraConfig = ''
reverse_proxy localhost:9002
'';
};
}