50 lines
1.3 KiB
Nix
50 lines
1.3 KiB
Nix
{ config, ... }:
|
|
let
|
|
domain = "immich.sprechtl.me";
|
|
in
|
|
{
|
|
age.secrets.immich-oauth-secret = {
|
|
file = ../../secrets/immich.age;
|
|
owner = "immich";
|
|
group = "immich";
|
|
mode = "0400";
|
|
};
|
|
services.immich = {
|
|
enable = true;
|
|
database.host = "/run/postgresql";
|
|
port = 2283; # default
|
|
settings = {
|
|
externalDomain = domain;
|
|
oauth = {
|
|
enabled = true;
|
|
issuerUrl = "https://auth.sprechtl.me/application/o/immich/.well-known/openid-configuration";
|
|
clientId = "EXMPaB2SoZYSSWu56ebB6CYV8W1hQS2eTwLdFBDw";
|
|
clientSecret._secret = config.age.secrets.immich-oauth-secret.path;
|
|
scope = "openid email profile";
|
|
buttonText = "Login with Authentik";
|
|
autoRegister = true;
|
|
autoLaunch = false; # set true to skip local login page entirely
|
|
};
|
|
};
|
|
mediaLocation = "/data/immich/";
|
|
};
|
|
|
|
# nginx reverse proxy
|
|
services.nginx.virtualHosts.${domain}= {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:2283";
|
|
proxyWebsockets = true;
|
|
extraConfig = """
|
|
client_max_body_size 0;
|
|
|
|
# Timeouts for large/slow uploads
|
|
proxy_connect_timeout 3600s;
|
|
proxy_send_timeout 3600s;
|
|
proxy_read_timeout 3600s;
|
|
send_timeout 3600s;
|
|
""";
|
|
};
|
|
};
|
|
}
|