first commit

2026-01-26 01:16:35 +01:00 · 2026-01-26 01:16:35 +01:00 · 2a3ea31491
commit 2a3ea31491
52 changed files with 2991 additions and 0 deletions
--- a/hosts/hetzner/immich.nix
+++ b/hosts/hetzner/immich.nix
@ -0,0 +1,79 @@
+{
+  domain,
+  lib,
+  isProd,
+  config,
+  pkgs,
+  ...
+}:
+{
+  sops.secrets.immich_db_password = { };
+  sops.secrets.immich_jwt_secret = { };
+
+  sops.templates."immich.env".content = ''
+    DB_PASSWORD=${config.sops.placeholder.immich_db_password}
+    JWT_SECRET=${config.sops.placeholder.immich_jwt_secret}
+  '';
+
+  #users.users.immich.extraGroups = [ "users" ];
+  users.users.immich.uid = 900;
+  users.groups.immich.gid = 900;
+
+  services.immich = {
+    enable = true;
+    host = "127.0.0.1";
+    port = 2283;
+
+    mediaLocation = "/mnt/media/immich";
+
+    secretsFile = config.sops.templates."immich.env".path;
+
+    redis.enable = true;
+    database = {
+      enable = true;
+      createDB = true;
+      user = "immich";
+      name = "immich";
+      host = "/run/postgresql";
+    };
+
+    machine-learning.enable = true;
+  };
+
+  systemd.services.immich-server = {
+    requires = [ "mnt-media.mount" ];
+    after = [ "mnt-media.mount" ];
+
+    serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      ReadWritePaths = [ "/mnt/media/immich" ];
+      BindPaths = [ "/mnt/media/immich" ];
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+
+    dataDir = "/mnt/data/postgresql";
+
+    ensureDatabases = [ "immich" ];
+    ensureUsers = [
+      {
+        name = "immich";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.nginx.virtualHosts."photo.${domain}" = {
+    forceSSL = isProd;
+    enableACME = isProd;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:2283";
+      proxyWebsockets = true;
+      extraConfig = "client_max_body_size 50G;";
+    };
+
+  };
+}