58 lines
1.8 KiB
Nix
58 lines
1.8 KiB
Nix
{ config, ... }:
|
|
let
|
|
domain = "immich.sprechtl.me";
|
|
in
|
|
{
|
|
age.secrets.immich-oauth-secret = {
|
|
file = ../../secrets/immich.age;
|
|
owner = "immich";
|
|
group = "immich";
|
|
mode = "0400";
|
|
};
|
|
services.immich = {
|
|
enable = true;
|
|
database.host = "/run/postgresql";
|
|
port = 2283; # default
|
|
settings = {
|
|
externalDomain = domain;
|
|
oauth = {
|
|
enabled = true;
|
|
issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
|
|
clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
|
|
clientSecret._secret = config.age.secrets.immich-oauth-secret.path;
|
|
scope = "openid email profile";
|
|
buttonText = "Login with Authentik";
|
|
autoRegister = true;
|
|
autoLaunch = false; # set true to skip local login page entirely
|
|
};
|
|
};
|
|
mediaLocation = "/data/immich/";
|
|
};
|
|
|
|
# nginx reverse proxy
|
|
services.nginx.virtualHosts.${domain}= {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:2283";
|
|
proxyWebsockets = true;
|
|
# https://docs.immich.app/administration/reverse-proxy/
|
|
extraConfig = ''
|
|
# allow large file uploads
|
|
client_max_body_size 50000M;
|
|
|
|
# disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
|
|
proxy_request_buffering off;
|
|
|
|
# increase body buffer to avoid limiting upload speed
|
|
client_body_buffer_size 1024k;
|
|
|
|
# Set headers
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
'';
|
|
};
|
|
};
|
|
}
|