thunderbottom/flakes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
21fed27891
flakes/modules/nixos/services/immich/default.nix
Chinmay D. Pai abb9050f0c
chore: remove default CSP and add CSP for immich 
Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
2024-10-06 17:49:49 +05:30

82 lines
2.8 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}: {
options.snowflake.services.immich = {
enable = lib.mkEnableOption "Enable immich service";
domain = lib.mkOption {
type = lib.types.str;
default = "";
description = "Configuration domain to use for the immich service";
};
};
config = let
cfg = config.snowflake.services.immich;
in
lib.mkIf cfg.enable {
services.immich = {
enable = true;
package = pkgs.immich;
mediaLocation = "/storage/media/immich-library";
port = 9121;
};
users.users.immich.extraGroups = ["media" "video" "render"];
# Requires services.nginx.enable.
services.nginx = {
virtualHosts = {
"${cfg.domain}" = {
serverName = "${cfg.domain}";
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}/";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 0;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://${cfg.domain} https://static.immich.cloud https://tiles.immich.cloud 'sha256-h5wSYKWbmHcoYTdkHNNguMswVNCphpvwW+uxooXhF/Y=' 'sha256-+tEpShk9UPRYp31qABDDu+0EulxL6LIbIZ035p8TTss='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://${cfg.domain} https://tiles.immich.cloud https://static.immich.cloud; frame-ancestors 'self'; worker-src 'self' blob:;" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
'';
};
};
};
services.fail2ban.jails.immich = {
enabled = true;
filter = "immich";
};
environment.etc = {
immich = {
target = "fail2ban/filter.d/immich.conf";
text = ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=immich-server.service
'';
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink