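{
  config,
  lib,
  pkgs,
  myData,
  ...
}:
let
  cfg = config.mj.services.immich;
  immich-user = config.services.immich.user;
  immich-group = config.services.immich.group;

  # Wrapper that replaces the upstream immich-server ExecStart. It is run
  # with full privileges (see the "!" prefix on ExecStart below): it mounts
  # every configured bind path under /data with bindfs, then drops to the
  # immich user via setpriv before exec'ing immich itself.
  startScript = pkgs.writeShellApplication {
    name = "immich-mj";
    runtimeInputs = with pkgs; [
      bindfs
      util-linux # provides setpriv
    ];
    text = ''
      set -x
      ${lib.concatMapStringsSep "\n" (name: ''
        mkdir /data/${name}
        bindfs -u ${immich-user} -g ${immich-group} /var/run/immich/bind-paths/${name} /data/${name}'') (lib.attrNames cfg.bindPaths)}
      # NOTE(review): the attribute names above are interpolated unquoted into
      # the script and into BindPaths=, so bindPaths keys must be plain path
      # components (no spaces, colons or slashes).
      # NOTE(review): only the real uid is changed here (--ruid) and no gid or
      # supplementary groups are set; confirm the exec'd immich does not keep
      # effective uid 0 / root's groups (setpriv --reuid/--regid together with
      # --init-groups or --clear-groups would change all of them), and that the
      # full capability bounding set restored below is acceptable for it.
      exec setpriv \
        --ruid ${immich-user} \
        --inh-caps -all \
        ${lib.getExe pkgs.immich}
    '';
  };
in
{
  options.mj.services.immich = with lib.types; {
    enable = lib.mkEnableOption "enable immich";
    # <name> -> host path. Each entry is bind-mounted into the unit's
    # RuntimeDirectory and exposed to immich as /data/<name>, owned by the
    # immich user/group through bindfs.
    bindPaths = lib.mkOption {
      type = attrsOf str;
      default = { };
      description = "Host paths to expose to immich under /data/<name>.";
    };
  };

  config = lib.mkIf cfg.enable {
    services.immich = {
      enable = true;
      port = myData.ports.immich-server;
      # N.B. as of 24.11 default redis socket has permissions incompatible
      # with how immich is configured.
      # If immich can't find/connect to redis, it will fail on boot, so it's
      # safe to experiment.
      redis = {
        enable = true;
        host = "127.0.0.1";
        port = 6379;
      };
    };

    # Plain-HTTP vhost restricted to the tailscale subnet. A named matcher on
    # its own does nothing in a Caddyfile, so it has to be applied explicitly
    # (abort) before the reverse_proxy directive.
    services.caddy.virtualHosts."photos.jakstys.lt:80".extraConfig = ''
      @denied not remote_ip ${myData.subnets.tailscale.cidr}
      abort @denied
      reverse_proxy localhost:${toString myData.ports.immich-server}
    '';

    systemd = {
      # Mount point for the tmpfs below must exist on the host.
      tmpfiles.rules = [ "d /data 0755 root root -" ];
      services.immich-server.serviceConfig = {
        RuntimeDirectory = "immich";
        # /data is a tmpfs private to the unit; the start script populates it
        # with bindfs mounts.
        TemporaryFileSystem = "/data";
        BindPaths = lib.mapAttrsToList (
          name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}"
        ) cfg.bindPaths;
        PrivateDevices = lib.mkForce false; # /dev/fuse
        # "~" with no capability list resets the bounding set to the FULL set
        # (systemd.exec(5)), overriding whatever the upstream module sets.
        CapabilityBoundingSet = lib.mkForce "~";
        # "!" runs the command with full privileges (User=/Group= not applied)
        # so the script can bindfs-mount; the privilege drop is done inside it.
        ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
        PrivateUsers = lib.mkForce false; # bindfs fails otherwise
      };
    };
  };
}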