

      1 {
      2   config,
      3   lib,
      4   pkgs,
      5   myData,
      6   ...
      7 }:
      8 let
      9   cfg = config.mj.services.immich;
     10   immich-user = config.services.immich.user;
     11   immich-group = config.services.immich.group;
     12   startScript = pkgs.writeShellApplication {
     13     name = "immich-mj";
     14     runtimeInputs = with pkgs; [
     15       bindfs
     16       util-linux
     17     ];
     18     text = ''
     19       set -x
     20       ${lib.concatMapStringsSep "\n"
     21         (name: ''
     22           mkdir /data/${name}
     23           bindfs -u ${immich-user} -g ${immich-group} /var/run/immich/bind-paths/${name} /data/${name}'')
     24         (lib.attrNames cfg.bindPaths)
     25       }
     26       exec setpriv \
     27         --ruid ${immich-user} \
     28         --inh-caps -all \
     29         ${lib.getExe pkgs.immich}
     30     '';
     31   };
     32 in
     33 {
     34   options.mj.services.immich = with lib.types; {
     35     enable = lib.mkEnableOption "enable immich";
     36     bindPaths = lib.mkOption { type = attrsOf str; };
     37   };
     38 
     39   config = lib.mkIf cfg.enable {
     40 
     41     services.immich = {
     42       enable = true;
     43       port = myData.ports.immich-server;
     44 
     45       # Database configuration for NixOS 25.11
     46       database = {
     47         enable = true;
     48         enableVectorChord = true; # New vector search backend (recommended)
     49         enableVectors = false; # Disable deprecated pgvecto-rs
     50       };
     51 
     52       # N.B. as of 24.11 default redis socket has permissions incompatible
     53       # with how immich is configured.
     54       # If immich can't find/connect to redis, it will fail on boot, so it's
     55       # safe to experiment.
     56       redis = {
     57         enable = true;
     58         host = "127.0.0.1";
     59         port = 6379;
     60       };
     61     };
     62 
     63     services.caddy.virtualHosts."photos.jakstys.lt:80".extraConfig = ''
     64       @denied not remote_ip ${myData.subnets.tailscale.cidr}
     65       reverse_proxy localhost:${toString myData.ports.immich-server}
     66     '';
     67 
     68     systemd = {
     69       tmpfiles.rules = [ "d /data 0755 root root -" ];
     70       services.immich-server.serviceConfig = {
     71         RuntimeDirectory = "immich";
     72         TemporaryFileSystem = "/data";
     73         BindPaths = lib.mapAttrsToList (
     74           name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}"
     75         ) cfg.bindPaths;
     76         PrivateDevices = lib.mkForce false; # /dev/fuse
     77         CapabilityBoundingSet = lib.mkForce "~";
     78         ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
     79         PrivateUsers = lib.mkForce false; # bindfs fails otherwise
     80       };
     81     };
     82 
     83   };
     84 
     85 }