From 7a7ef55522a23445d54e23ca5f1018a6831e7c45 Mon Sep 17 00:00:00 2001
From: s-prechtl <stefan@tague.at>
Date: Tue, 24 Mar 2026 12:12:50 +0100
Subject: [PATCH] feat: immich sso

---
 hosts/hitsugibune/immich.nix |  21 ++++++++++++++++++++-
 secrets/immich.age           | Bin 0 -> 907 bytes
 secrets/secrets.nix          |   1 +
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 secrets/immich.age

diff --git a/hosts/hitsugibune/immich.nix b/hosts/hitsugibune/immich.nix
index 9d4ccbb..af2d81b 100644
--- a/hosts/hitsugibune/immich.nix
+++ b/hosts/hitsugibune/immich.nix
@@ -3,11 +3,30 @@ let
   domain = "immich.sprechtl.me";
 in
 {
+  age.secrets.immich = {
+    file = ../../secrets/immich.age;
+    owner = "immich";
+    group = "immich";
+    mode = "0400";
+  };
   services.immich = {
     enable = true;
     database.host = "/run/postgresql";
     port = 2283; # default
-    settings.externalDomain = domain;
+    settings = {
+      externalDomain = domain;
+      oauth = {
+        enabled = true;
+        issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
+        clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
+        # clientSecret = ""; saved in secrets file
+        scope = "openid email profile";
+        buttonText = "Login with Authentik";
+        autoRegister = true;
+        autoLaunch = false; # set true to skip local login page entirely
+      };
+    };
+    secretsFile = config.age.secrets.immich.path;
     mediaLocation = "/data/immich/";
   };
 
diff --git a/secrets/immich.age b/secrets/immich.age
new file mode 100644
index 0000000000000000000000000000000000000000..2273d4c0214743b1c34bc6ab54a656bb4938c53c
GIT binary patch
literal 907
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP5AezMN>?znG!6{N
zw5&)mFYwAp_jL}gD5}he^bW}OGYE{xaM!Oe&h$?=E-@~u%;)mbFU|HYt*9(c_DwhT
zGcfcBcP&YaGI3A$_o*t&@vd_A^EdU&PKmJabA;JeRGg^blkR5h8pxFqo*kJIU|8Yo
zo0w^8S&<cG<XxT>P~fYdYv~o17Gap-U8SAk92S)3njG$JRBY&7=BBM3>YZI>k>cnY
zVphs!5|~)!R_RlinUP%(Tvg~(o|qYytZf<@QR0ziY?Pei6;&RZX&Gf?X<nJ_mFsVw
zYLKPx?^9H+9g(dco|5mu73FH?p5q)@km(lW@0nZVU+feSoaJnq?QM{gVqjzvV34UF
z<xyo|nC6veToDpjYFJWQ?(1$89O)iVlo=JJ&1K~280?c}<mef08fKB<Tv*^#?3U)~
zSX2_0k{jXb;i_MrmtW}}>6hW<T5hIaYT*_bRH<L)SL&giU!h;_<<DiDm*QdIpJtKk
zVi_Ldn3fb&;AWI==o%X7o|Rqd>){yS5s+k-Vdi315#|(Zl3i?8Q5=|B7?7K2QBay1
zo)O69Y!(_;Xc6QQX>Q?Y9Gc`@Zk%c4<dUjinC|HwR_LFUos$-vn~@(9Qs|shsqYwG
z;;d~@u3eE^Zef__Vw&sEWsn!?<LwzxVBwyrookd=mg${aViBHWViFbVk?mOM>YJ4o
zV3c1PUYc&~<L2mJQtEDz?H`qD>}(e3mRp`;&Q%nyo$g&?>6TV%QSOqSlHu&_Z0_jg
zZ0s5AlbL0ZsBLEA<{ji~;bUr6P+k^b8lDvyl9w4^W)_iAn3ZedmcqrQtE;Qvm9B5#
zl@{!)U2f!NTAo@^8f9ErkmqR}s_zz+Z|aqp=9d~}8fD~OoaxAQqFS;vr+fXslvjo?
z{<5)%o3WhH-Ts_O^08$`cHu-RM|SQ?`KqQDW*(n6$^;7+8q{5%@-=gP=2_MF#?I{b
zt*IW*6;!s&-g=Mm!}N`t^QW@z6n1`BKSx(Ar+A5o!j9~7Aq-D<>^#M-{gZXV;(62D
z9<|Oo^EmO-#z4JS-izwKGzVs{TW0W~lJiKmlK;fEXAkTC$NRpVKDm`yiP!V@wf$Gq
ijvn5nSRc~<%#3mI2hGk|Ss}&D6%)T$v~$<b`vU+RXG9kO

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6815f44..6935e19 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -20,4 +20,5 @@ in {
   "authentik.age".publicKeys = [hitsugibune key];
   "vaultwarden.age".publicKeys = [hitsugibune key];
   "forgejo-mailer-password.age".publicKeys = [hitsugibune key];
+  "immich.age".publicKeys = [hitsugibune key];
 }