flakes/modules/nixos/services/immich/default.nix

{
  config,
  lib,
  pkgs,
  ...
}: {
  options.snowflake.services.immich = {
    enable = lib.mkEnableOption "Enable immich service";

    domain = lib.mkOption {
      type = lib.types.str;
      default = "";
      description = "Configuration domain to use for the immich service";
    };
  };

  config = let
    cfg = config.snowflake.services.immich;
  in
    lib.mkIf cfg.enable {
      services.immich = {
        enable = true;
        package = pkgs.immich;
        mediaLocation = "/storage/media/immich-library";
        port = 9121;
      };

      users.users.immich.extraGroups = ["media" "video" "render"];

      # Requires services.nginx.enable.
      services.nginx = {
        virtualHosts = {
          "${cfg.domain}" = {
            serverName = "${cfg.domain}";
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}/";
              proxyWebsockets = true;
            };
            extraConfig = ''
              client_max_body_size 0;
              proxy_connect_timeout 600;
              proxy_read_timeout 600;
              proxy_send_timeout 600;
            '';
          };
        };
      };

      services.fail2ban.jails.immich = {
        enabled = true;
        filter = "immich";
      };

      environment.etc = {
        immich = {
          target = "fail2ban/filter.d/immich.conf";
          text = ''
            [INCLUDES]
            before = common.conf

            [Definition]
            failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
            ignoreregex =
            journalmatch = _SYSTEMD_UNIT=immich-server.service
          '';
        };
      };
    };
}
feat: add module for immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-29 23:32:15 +05:30			`{`
			`config,`
			`lib,`
chore: move lanzaboote to system module and remove nixpkgs-immich input * lanzaboote is needed to evaluate nix configuration, even if it's not used in the system. * removed nixpkgs-immich since nixpkgs now has immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-30 11:14:57 +05:30			`pkgs,`
feat: add module for immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-29 23:32:15 +05:30			`...`
			`}: {`
			`options.snowflake.services.immich = {`
			`enable = lib.mkEnableOption "Enable immich service";`

			`domain = lib.mkOption {`
			`type = lib.types.str;`
			`default = "";`
			`description = "Configuration domain to use for the immich service";`
			`};`
			`};`

			`config = let`
			`cfg = config.snowflake.services.immich;`
			`in`
			`lib.mkIf cfg.enable {`
			`services.immich = {`
			`enable = true;`
chore: move lanzaboote to system module and remove nixpkgs-immich input * lanzaboote is needed to evaluate nix configuration, even if it's not used in the system. * removed nixpkgs-immich since nixpkgs now has immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-30 11:14:57 +05:30			`package = pkgs.immich;`
feat: add module for immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-29 23:32:15 +05:30			`mediaLocation = "/storage/media/immich-library";`
			`port = 9121;`
			`};`

			`users.users.immich.extraGroups = ["media" "video" "render"];`

			`# Requires services.nginx.enable.`
			`services.nginx = {`
			`virtualHosts = {`
			`"${cfg.domain}" = {`
			`serverName = "${cfg.domain}";`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}/";`
			`proxyWebsockets = true;`
			`};`
			`extraConfig = ''`
			`client_max_body_size 0;`
			`proxy_connect_timeout 600;`
			`proxy_read_timeout 600;`
			`proxy_send_timeout 600;`
			`'';`
			`};`
			`};`
			`};`
feat: add fail2ban setup for services Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-10-05 21:00:53 +05:30
			`services.fail2ban.jails.immich = {`
			`enabled = true;`
			`filter = "immich";`
			`};`

			`environment.etc = {`
			`immich = {`
			`target = "fail2ban/filter.d/immich.conf";`
			`text = ''`
			`[INCLUDES]`
			`before = common.conf`

			`[Definition]`
			`failregex = ^.Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.$`
			`ignoreregex =`
			`journalmatch = _SYSTEMD_UNIT=immich-server.service`
			`'';`
			`};`
			`};`
feat: add module for immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-29 23:32:15 +05:30			`};`
			`}`