phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 05:36:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add Immich

Browse source
This commit is contained in:
Paul-Henri Froidmont 2024-12-14 05:07:09 +01:00
parent a5637b3c07
commit 0facce0860
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
6 changed files with 70 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/default.nix
View file

@ -22,5 +22,6 @@
./dokuwiki.nix ./dokuwiki.nix
./postgresql.nix ./postgresql.nix
./foundryvtt.nix ./foundryvtt.nix
./immich.nix
]; ];
} }

43
modules/immich.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, lib, ... }:
let
cfg = config.custom.services.immich;
externalDomain = "photos.${config.networking.domain}";
in
{
options.custom.services.immich = {
enable = lib.mkEnableOption "immich";
};
config = lib.mkIf cfg.enable {
sops.secrets.immichSecretsFile = {
owner = config.systemd.services.immich-server.serviceConfig.User;
key = "immich/secrets_file";
restartUnits = [ "immich-server.service" ];
};
services = {
immich = {
enable = true;
host = "127.0.0.1";
group = "nextcloud";
secretsFile = config.sops.secrets.immichSecretsFile.path;
database.host = "127.0.0.1";
settings = {
server.externalDomain = "https://${externalDomain}";
};
};
nginx = {
virtualHosts = {
${externalDomain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.immich.port}";
proxyWebsockets = true;
};
};
};
};
};
};
}

11
modules/postgresql.nix
View file

@ -22,6 +22,7 @@ in
root_as_others root synapse root_as_others root synapse
root_as_others root nextcloud root_as_others root nextcloud
root_as_others root roundcube root_as_others root roundcube
root_as_others root immich
''; '';
authentication = '' authentication = ''
local all postgres peer local all postgres peer
@ -46,6 +47,11 @@ in
key = "roundcube/db_password"; key = "roundcube/db_password";
restartUnits = [ "postgresql-setup.service" ]; restartUnits = [ "postgresql-setup.service" ];
}; };
immichDbPasswordPg = {
owner = config.services.postgresql.superUser;
key = "immich/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
}; };
systemd.services.postgresql-setup = systemd.services.postgresql-setup =
@ -69,14 +75,17 @@ in
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "immich"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'immich'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "immich" OWNER "immich"'
PSQL -tAc "ALTER ROLE synapse LOGIN" PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN" PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN" PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE immich LOGIN"
synapse_password="$(<'${config.sops.secrets.synapseDbPasswordPg.path}')" synapse_password="$(<'${config.sops.secrets.synapseDbPasswordPg.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@ -84,6 +93,8 @@ in
PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'" PSQL -tAc "ALTER ROLE nextcloud WITH PASSWORD '$nextcloud_password'"
roundcube_password="$(<'${config.sops.secrets.roundcubeDbPasswordPg.path}')" roundcube_password="$(<'${config.sops.secrets.roundcubeDbPasswordPg.path}')"
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'" PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
immich_password="$(<'${config.sops.secrets.immichDbPasswordPg.path}')"
PSQL -tAc "ALTER ROLE immich WITH PASSWORD '$immich_password'"
''; '';
serviceConfig = { serviceConfig = {

1
profiles/hel.nix
View file

@ -204,6 +204,7 @@
monero.enable = true; monero.enable = true;
grafana.enable = true; grafana.enable = true;
monitoring-exporters.enable = true; monitoring-exporters.enable = true;
immich.enable = true;
backup-job = { backup-job = {
enable = true; enable = true;

9
secrets.enc.yml
View file

@ -20,6 +20,9 @@ nextcloud:
roundcube: roundcube:
db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str] db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str] pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
immich:
db_password: ENC[AES256_GCM,data:hIsMf271x+0jRgTJB4hP1ijEkly55pb5EPmQ2tQ7gsadMv+DiACK84bcIJR+erMcCTdsK5dLe/97+KqM,iv:ls5yQp3pwckCGY5IRuoSF2I/vlf9Fm5w4I26Go8UIjw=,tag:3+Unwrq3VSaEsrEZL0nZ9A==,type:str]
secrets_file: ENC[AES256_GCM,data:+dP8FSS1i0ZYc1vi2yuGup5ekI5OiswB19dl9BBEErWu4/Oc0lQqBzG8kg+7S78DhnUhW8zJONJm5vhriBVklNZpa0wr2oHs,iv:KYxZ5KtitI1QIRunrFQExj0chRddlSx39rJ5epa50oI=,tag:JJXbPHBQhHH2+yLvoQ5AHg==,type:str]
murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str] murmur.env: ENC[AES256_GCM,data:bErJrzpPRrBhUeW113qt9xbJWsrxiI8YIibZ3l0=,iv:2dIlmdLKB+nktQ4/O1W3xtfcCRowW9MkxncDiDpZyck=,tag:3UkSGVKV00385iZ66rHOpw==,type:str]
transmission: transmission:
rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str] rpc_config.json: ENC[AES256_GCM,data:2dXn4De3RilQpOOtqjZQILJ7+/t8ipQHLiNuYdbQQRZC4fya0l9MLyGRuqfqeBu1B07VYSDMImV/5BZ+5ygCLk2JjhLn8NzbM3IRWg==,iv:SWqUCobb1+MzISjOTF9BySeAGXHMEbX/27MxIl5tPIE=,tag:4tat0yvkE/4njWYyr/IRfA==,type:str]
@ -68,8 +71,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-12-10T00:50:13Z" lastmodified: "2024-12-14T02:34:20Z"
mac: ENC[AES256_GCM,data:yM21T3BYoC9/jH9n7tdSK6Bgkw7n32SA17tKUoxZ7AgHuKDQRHdwGW1ujfGEBxo337uHdOaTW9mjjvMAy8KnrOQReipuM6yPKf8Fi8ptX+JXtxfg9QmcdjxMHX8vxpWHIFIkz4ScOQ2MSCwa3UXakhhpNJUssp31MMKlkpABOkA=,iv:2PwpgEGidQW2yiUg0qszf5FRw3f5wWM7vgydQL9dzGU=,tag:tRLFzeLNyrpDFVlBTjq2uQ==,type:str] mac: ENC[AES256_GCM,data:H1CKyLrN3RpzotFbPHS8rY8hEpySJ858d19B9veE3jrgJFeG2qsVmGsFwRiOyHqXGntvak6hP4lMsZFHl3XK21kduwgq0N10i9hpPvfa+L2Zifjtt7+7mVWsFJrCEZ1Ku963DAZL3nujeZKm4BNgbijD2N6bx1Oz1lW1AFO9VQo=,iv:j2cMWQ7L1dXG8BzYG0bHCtpXYJDb33oDMUXaFzsOvrg=,tag:+hny9nFCAcoa2zgmK+BYcw==,type:str]
pgp: pgp:
- created_at: "2024-12-05T00:56:17Z" - created_at: "2024-12-05T00:56:17Z"
enc: |- enc: |-
@ -172,4 +175,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 0f0c4c2f9877cb8a53efadacb90613a2af502673 fp: 0f0c4c2f9877cb8a53efadacb90613a2af502673
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.9.2

8
terraform/dns.tf
View file

@ -165,6 +165,14 @@ resource "hetznerdns_record" "vtt_a" {
ttl = 600 ttl = 600
} }
resource "hetznerdns_record" "photos_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "photos"
value = local.hel1_ip
type = "A"
ttl = 600
}
resource "hetznerdns_record" "monero_a" { resource "hetznerdns_record" "monero_a" {
zone_id = data.hetznerdns_zone.banditlair_zone.id zone_id = data.hetznerdns_zone.banditlair_zone.id
name = "monero" name = "monero"