config/modules/services/immich/default.nix

79 lines
2.1 KiB
Nix
Raw Normal View History

2024-09-27 15:03:43 +03:00
{
config,
lib,
pkgs,
myData,
...
}:
let
cfg = config.mj.services.immich;
2024-09-29 22:33:46 +03:00
immich-user = config.services.immich.user;
immich-group = config.services.immich.group;
startScript = pkgs.writeShellApplication {
name = "immich-mj";
2024-09-29 23:14:41 +03:00
runtimeInputs = with pkgs; [
bindfs
util-linux
];
2024-09-29 22:33:46 +03:00
text = ''
set -x
2024-09-29 23:21:04 +03:00
${lib.concatMapStringsSep "\n"
(name: ''
mkdir /data/${name}
2024-09-29 23:41:17 +03:00
bindfs -u ${immich-user} -g ${immich-group} /var/run/immich/bind-paths/${name} /data/${name}'')
2024-09-29 23:21:04 +03:00
(lib.attrNames cfg.bindPaths)
}
2024-09-29 23:14:41 +03:00
exec setpriv \
2024-09-29 23:21:04 +03:00
--ruid ${immich-user} \
2024-10-01 15:52:20 +03:00
--inh-caps -all \
${lib.getExe pkgs.immich}
2024-09-29 22:33:46 +03:00
'';
};
2024-09-27 15:03:43 +03:00
in
{
options.mj.services.immich = with lib.types; {
enable = lib.mkEnableOption "enable immich";
2024-09-27 20:04:41 +03:00
bindPaths = lib.mkOption { type = attrsOf str; };
2024-09-27 15:03:43 +03:00
};
config = lib.mkIf cfg.enable {
2024-10-19 21:37:26 +03:00
2024-09-27 15:03:43 +03:00
services.immich = {
enable = true;
2024-09-27 15:11:54 +03:00
port = myData.ports.immich-server;
2024-11-28 21:19:23 +02:00
# N.B. as of 24.11 default redis socket has permissions incompatible
# with how immich is configured.
# If immich can't find/connect to redis, it will fail on boot, so it's
# safe to experiment.
redis = {
enable = true;
host = "127.0.0.1";
port = 6379;
};
2024-09-27 15:03:43 +03:00
};
2024-09-29 23:21:38 +03:00
services.caddy.virtualHosts."photos.jakstys.lt:80".extraConfig = ''
2024-09-27 15:46:44 +03:00
@denied not remote_ip ${myData.subnets.tailscale.cidr}
2024-09-27 16:01:47 +03:00
reverse_proxy localhost:${toString myData.ports.immich-server}
2024-09-27 15:46:44 +03:00
'';
2024-09-27 15:03:43 +03:00
2024-09-27 20:04:41 +03:00
systemd = {
2024-10-01 14:36:41 +03:00
tmpfiles.rules = [ "d /data 0755 root root -" ];
2024-09-27 20:04:41 +03:00
services.immich-server.serviceConfig = {
2024-09-29 22:33:46 +03:00
RuntimeDirectory = "immich";
2024-09-27 23:20:15 +03:00
TemporaryFileSystem = "/data";
2024-09-29 22:33:46 +03:00
BindPaths = lib.mapAttrsToList (
2024-09-29 23:14:41 +03:00
name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}"
2024-09-29 22:33:46 +03:00
) cfg.bindPaths;
2024-09-27 23:20:15 +03:00
PrivateDevices = lib.mkForce false; # /dev/fuse
2024-10-01 15:52:20 +03:00
CapabilityBoundingSet = lib.mkForce "~";
2024-09-29 22:33:46 +03:00
ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
2024-09-29 22:40:53 +03:00
PrivateUsers = lib.mkForce false; # bindfs fails otherwise
2024-09-27 20:04:41 +03:00
};
};
2024-09-27 15:03:43 +03:00
};
}