feat: immich sso

hosts/hitsugibune/immich.nix

@@ -3,11 +3,30 @@ let
   domain = "immich.sprechtl.me";
 in
 {
+  age.secrets.immich = {
+    file = ../../secrets/immich.age;
+    owner = "immich";
+    group = "immich";
+    mode = "0400";
+  };
   services.immich = {
     enable = true;
     database.host = "/run/postgresql";
     port = 2283; # default
-    settings.externalDomain = domain;
+    settings = {
+      externalDomain = domain;
+      oauth = {
+        enabled = true;
+        issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
+        clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
+        # clientSecret = ""; saved in secrets file
+        scope = "openid email profile";
+        buttonText = "Login with Authentik";
+        autoRegister = true;
+        autoLaunch = false; # set true to skip local login page entirely
+      };
+    };
+    secretsFile = config.age.secrets.immich.path;
     mediaLocation = "/data/immich/";
   };