Immich: added openid login

This commit is contained in:
Jurn Wubben 2025-07-20 20:44:08 +02:00
parent 713ea0cf68
commit 488cb7fad8
5 changed files with 106 additions and 49 deletions


@ -37,5 +37,9 @@ in {
file = ./forgejo-mailpass.age; file = ./forgejo-mailpass.age;
owner = abstrServiceUser "forgejo"; owner = abstrServiceUser "forgejo";
}; };
immich-oidc = mkIf server {
file = ./immich-oidc.age;
owner = abstrServiceUser "immich";
};
}; };
} }

15
secrets/immich-oidc.age Normal file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 GQzYWA MbczMCSPu7pJru1rmOsFuloCYLKlh7koC5drXcKlwiw
ZghUrcs7YT3ciwqOkrPDEzlZe3qN9ypBw3xRGYWNPaY
-> ssh-ed25519 MfR7VA KB6RE2QZ//Z6xoyQC502dJeg79rYXFJJdOwV+c6tOWo
e1zIz2nsV9JbBaadTnONrPLI5Ztyv9vf4Ewzd9uSHnU
-> ssh-ed25519 +cvRTg GntHLoUwpIrxm3FcVw+Bavaq6kLaZpVdTRLoMMVfpAY
abE1ZkhS39vylBg8bZ5K3vgnXr70Vbk1bLCKsCFlUvU
-> ssh-ed25519 WCPLrA +/GlB5CbM/1FwI5JE63DJVUChADjJfD3jJY3Y2KmXEU
pPqBhV49/wg/hWffFm2XFRGC9p1nQ57tj1YK7pPkQ3U
-> ssh-ed25519 7/ziYw lxlJVNMIqfoMPj6VGTt2V4PxFi+6WRMfOYcv1hpEMkM
kd8CI7RECJA5uPJu33D61OEnqWwZuNQ6VmYLqXew6gc
-> ssh-ed25519 VQy60Q YSgYVPPN7QutKhbv6/1vmoRnh14KXs0g2k9qxKuvQ2U
FL3fImxWoBeHrCLd+jp/a1oRd/Acgi6sV/g40dCRrTA
--- TipdjwDPkRxiV/R1FUYCm/tcD6M+XEaZhQjrzwMxiuA
証E%キZDケ<44>Ts<54>,リ5ノ<>LタO<EFBE80>ソzエァア<>クT<>Θ <0B>煖_蕘熙H演始ロナ*ヤxQ7$釉淸v`W<04>瀲t%<25>6 <0C>5


@ -21,4 +21,5 @@ in {
"mail-admin.age".publicKeys = keys; "mail-admin.age".publicKeys = keys;
"zitadel-key.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys;
"forgejo-mailpass.age".publicKeys = keys; "forgejo-mailpass.age".publicKeys = keys;
"immich-oidc.age".publicKeys = keys;
} }


@ -46,7 +46,7 @@ in {
ENABLED = true; ENABLED = true;
SUBJECT_PREFIX = "JSWGit"; SUBJECT_PREFIX = "JSWGit";
PROTOCOL = "smtps"; PROTOCOL = "smtps";
SMTP_ADDR = "mail.jsw.tf"; SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
SMTP_PORT = 465; SMTP_PORT = 465;
FROM = "git@jsw.tf"; FROM = "git@jsw.tf";
USER = "git"; USER = "git";


@ -1,18 +1,45 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
inherit (lib) mkIf mkForce mkDefault;
cfg = config.niksos.server; cfg = config.niksos.server;
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
in { in {
services.immich = { config =
enable = cfg; mkIf cfg
{
users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
services.caddy.virtualHosts."photos.jsw.tf".extraConfig = ''
reverse_proxy localhost:9002
'';
services.immich = mkIf cfg {
enable = true;
port = 9002; port = 9002;
machine-learning.enable = false; machine-learning.enable = false;
accelerationDevices = mkDefault null;
#NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs..
environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json";
settings = { settings = {
server.externalDomain = "https://photos.jsw.tf"; server.externalDomain = "https://photos.jsw.tf";
oauth = {
enabled = true;
autoLaunch = true;
autoRegister = true;
buttonText = "Login with JSWAuth";
clientId = "329735769805619570";
clientSecret = oidcSubstitute;
issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration";
};
passwordLogin.enabled = false;
ffmpeg = { ffmpeg = {
crf = 23; crf = 23;
threads = 0; threads = 0;
@ -48,14 +75,24 @@ in {
accelDecode = true; accelDecode = true;
}; };
}; };
accelerationDevices = lib.mkDefault null;
}; };
users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled.
services.caddy.virtualHosts."photos.jsw.tf" = { systemd = {
extraConfig = '' services.immich-server = {
reverse_proxy localhost:9002 preStart = let
refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings;
newConfig = "${config-dir}/immich.json";
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
in ''
umask 077
cp -f '${refConfig}' '${newConfig}'
chmod u+w '${newConfig}'
${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}'
''; '';
}; };
tmpfiles.rules = [
"d ${config-dir} 0700 immich immich"
];
};
};
} }
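Review bot: `passwordLogin.enabled = false` together with `oauth.autoLaunch = true` leaves no break-glass login when the Zitadel issuer referenced on the `issuerUrl` line is unreachable or its client is misconfigured, and nothing in the hunk records how an operator recovers; a comment next to it such as `#NOTE: no password fallback — if the issuer is down, re-enable password login via the immich-admin CLI before debugging` would prevent a lockout (confirm the exact subcommand against the deployed Immich version). The `mkIf cfg` on `services.immich` is redundant, since the whole attribute set is already under `config = mkIf cfg`. In the `preStart` script `replace-secret` substitutes the decrypted file's bytes verbatim into a JSON string, so it is worth confirming that the secret carries no trailing newline and contains no `"` or `\`, otherwise the generated immich.json will not parse and the service fails at start. The enclosing attribute set spans both hunks and the second hunk starts mid-structure.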