From 9f053869196d65063dc998c7d8cbe836a1a49117 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Sat, 6 Aug 2022 17:00:45 +0200 Subject: [PATCH] fix: fix immich config --- secrets/immich/.env.age | Bin 644 -> 718 bytes secrets/immich/db-password.age | Bin 0 -> 527 bytes secrets/secrets.nix | 1 + services/immich.nix | 52 +++++++++++++++++++++++---------- 4 files changed, 37 insertions(+), 16 deletions(-) create mode 100644 secrets/immich/db-password.age diff --git a/secrets/immich/.env.age b/secrets/immich/.env.age index 25aa5b130392bbe834678d4900d324a7008232e7..49259f0fbd6566c98d2a8fa884f696c5e9932e89 100644 GIT binary patch delta 666 zcmWm9OKZ~r003YZ8;-z+;6cQL1#ya9Nt-t90y0h0v`N}zeWXtWY11^#qe;_bc`0-U z5r+ev9(-&bJct(+nL1%Ah_Z`^9z0D^I|SXqi-LlJp!ofR@9fxM?9z0fVuC1{gAk}| z!YR9uW4le=ZGbL~c}=`n(-Ff-2ojtEy&~XXoEP#JOd{x64V(eH4G<@sIue2@H`yXs zE}BN$q%4v_8wkw$45J<3n-C0#5T8QT(<jv+eno9T%wtP+J6bi&RCm(YwLX3gKY@f(O zb%n=mHR7Z)VF>KR9n$W#aonjIYR?luq}YOrRuB%dMY9Rch*1?#L{BTb>f3A(#PbQR+ i!2MNuzj^z`ouBW#E9=V3rA##PAR%9-k8M<91NI;3dH1{k delta 591 zcmWm9OKZ~r003Y;D43&)f~Oqj17g=EX_FLn&~{1sOtLg>vmi)bZI>p^vuP4>g)w$h z6o)4Tr!oXj!;2`)lU_tUY=<2NdXV8|!VZcc4)Oa3-=|~C$L?O9BziIA1~Fum`@EKw zU^z@z>Xt>SxrL&D$eLlfs65IyJ9HM14aLl=x_ifpkXSdX zqSQ5Wvnp2A^YdXpNdkj6`w7Y_Ih7*?J22|12K%; zAky#=%y$Y=o%4wQ6Z6W2C{8Rm)$?@O*TJjQ^a2N-CuIi2swD%y)&SATE%qh{1S5ub zJDoIPN(2JceWVh>zBA~#T|4iP8ePjkIN^*?g=5-rBON2HQl=sa2qw9`N=?)OcO27> z=FRqd^PZtHme#WR3+X7T+eIHprBWb|i4@*62)ba@>|uxqc@z;vlw2&@VJpHt2=>!* zw;OgwjRCL>udTbUH!f}LeSWf&dAj-IXLx7p?}=}RJLR>hH>mk?AGvr2d00AnT<$D= z*Gy7e`M5qo%+c?7cQ zMuXzCi6)X&|xN0?J3=C%vH9dE)sF3kYr0HP||U~C18Ei0YyIQ4-IM!NTdQ* zvqQiuV4eo-dsT@5b+!UD^!aeX{jx#m9%ixDTMwy$OoXG=f zAC*C(~_V1HdCpTZ5|2kv;eEa@dzku79U#{2G%Qv5Pt{okV&#@o( Ss}EqX{rgda;rQLz)4hM=r?s~L literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index dc6a33d..4b37642 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -28,6 +28,7 @@ in { "paperless.age".publicKeys = [ felschr home-pc home-server ]; "nextcloud/admin.age".publicKeys = [ felschr home-pc home-server ]; "immich/.env.age".publicKeys = [ felschr home-pc home-server ]; + "immich/db-password.age".publicKeys = [ felschr home-pc home-server ]; # home-server "home-server/hostKey.age".publicKeys = [ felschr home-server ]; diff --git a/services/immich.nix b/services/immich.nix index 692335a..0158b61 100644 --- a/services/immich.nix +++ b/services/immich.nix @@ -1,16 +1,17 @@ { config, lib, pkgs, ... }: let - uploadDir = "/var/lib/immich/upload"; + dataDir = "/var/lib/immich"; + uploadDir = "${dataDir}/upload"; dbuser = "immich"; dbname = "immich"; + dbPasswordFile = config.age.secrets.immich-db-password.path; ociBackend = config.virtualisation.oci-containers.backend; - containersHost = if ociBackend == "podman" then - "host.containers.internal" - else - "host.docker.internal"; + containersHost = "localhost"; domain = "photos.felschr.com"; + pgSuperUser = config.services.postgresql.superUser; + immichEnv = { environment = { NODE_ENV = "production"; @@ -21,18 +22,17 @@ let REDIS_HOSTNAME = containersHost; REDIS_PORT = toString config.services.redis.servers.immich.port; VITE_SERVER_ENDPOINT = "https://${domain}/api"; - - # immich requires this value, even though we don't have password auth - DB_PASSWORD = "x"; }; - # only secrets need to be included, e.g. JWT_SECRET, MAPBOX_KEY + # only secrets need to be included, e.g. DB_PASSWORD, JWT_SECRET, MAPBOX_KEY environmentFiles = [ config.age.secrets.immich-env.path ]; }; in { age.secrets.immich-env.file = ../secrets/immich/.env.age; + age.secrets.immich-db-password.file = ../secrets/immich/db-password.age; services.postgresql = { enable = true; + enableTCPIP = true; ensureDatabases = [ dbname ]; ensureUsers = [{ name = dbuser; 
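Review bot: `containersHost = "localhost"` only reaches the host's PostgreSQL and Redis because the containers are given `--network=host` in later hunks of this file; that coupling is invisible from this `let` block, so record it, e.g. `# containers run with --network=host (see below), so host services are reachable over loopback` above the assignment. `ociBackend` now serves only to name the container units, which is fine, but `dbPasswordFile` reads `config.age.secrets.immich-db-password.path`, so the agenix declaration added further down is required for evaluation to succeed.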
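Review bot: `enableTCPIP = true` looks broader than this change needs: if I recall the NixOS module correctly it sets `listen_addresses = '*'`, whereas the default already accepts loopback TCP with password authentication, and with host networking the containers connect over loopback anyway. Consider dropping it, or pinning `services.postgresql.settings.listen_addresses = "localhost";`, and check the resulting bind with `ss -ltnp` after deploy; at minimum the firewall should keep 5432 closed to other interfaces. Moving `DB_PASSWORD` into the encrypted env file also deserves a one-line comment near `environmentFiles` stating that the value must match what `immich-init` sets, since the two are now maintained in separate secrets.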
@@ -40,14 +40,16 @@ in { }]; }; - services.redis.servers.immich.enable = true; - - systemd.services.prepare-immich = { + services.redis.servers.immich = { enable = true; - wantedBy = [ "multi-user.target" ]; - script = '' - mkdir -p ${uploadDir} - ''; + port = 31640; + }; + + systemd.services.immich-init = { + enable = true; + description = "Set up paths & database access"; + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; before = [ "${ociBackend}-immich-server.service" "${ociBackend}-immich-microservices.service" @@ -55,14 +57,28 @@ in { "${ociBackend}-immich-web.service" "${ociBackend}-immich-proxy.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + LoadCredential = [ "db_password:${dbPasswordFile}" ]; + }; + script = '' + mkdir -p ${dataDir} ${uploadDir} + echo "Set immich postgres user password" + db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")" + ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${pkgs.postgresql}/bin/psql postgres \ + -c "alter user ${dbuser} with password '$db_password'" + ''; }; virtualisation.oci-containers.containers = { immich-server = immichEnv // { image = "altran1502/immich-server:release"; + ports = [ "3001:3001" ]; entrypoint = "/bin/sh"; cmd = [ "./start-server.sh" ]; volumes = [ "${uploadDir}:/usr/src/app/upload" ]; + extraOptions = [ "--network=host" ]; }; immich-microservices = immichEnv // { @@ -70,6 +86,7 @@ in { entrypoint = "/bin/sh"; cmd = [ "./start-microservices.sh" ]; volumes = [ "${uploadDir}:/usr/src/app/upload" ]; + extraOptions = [ "--network=host" ]; }; immich-machine-learning = immichEnv // { @@ -77,12 +94,15 @@ in { entrypoint = "/bin/sh"; cmd = [ "./entrypoint.sh" ]; volumes = [ "${uploadDir}:/usr/src/app/upload" ]; + extraOptions = [ "--network=host" ]; }; immich-web = immichEnv // { image = "altran1502/immich-web:release"; + ports = [ "3000:3000" ]; entrypoint = "/bin/sh"; cmd = [ "./entrypoint.sh" ]; + extraOptions = [ "--network=host" ]; }; };
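Review bot: The password rotation in `script` interpolates the secret into psql's `-c` argument, so it sits in the process's argv (readable through `ps`/`/proc` by any local user) and, because the call goes through sudo, very likely in sudo's command log in the journal as well; a password containing a single quote also breaks the SQL literal. Feed the statement on stdin with `-v ON_ERROR_STOP=1` (needed so a failed ALTER still fails the unit) and double any single quotes first, as below; the `immich-init` unit itself begins in the previous hunk. Separately, `ports = [ "3001:3001" ]` has no effect next to `extraOptions = [ "--network=host" ]` (port publishing is ignored in host network mode, and the same pairing recurs for immich-web in the last hunk), while host networking exposes every port the containers listen on to all host interfaces — if only the proxy is meant to be reachable, make sure the firewall leaves 3000/3001 closed.

```nix
      script = ''
        mkdir -p ${dataDir} ${uploadDir}
        echo "Set immich postgres user password"
        db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"
        # double single quotes so the SQL literal stays well-formed, then pass the
        # statement on stdin so the secret never appears in argv or the sudo log
        db_password="''${db_password//\'/\'\'}"
        ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${pkgs.postgresql}/bin/psql postgres -v ON_ERROR_STOP=1 <<EOF
        alter user ${dbuser} with password '$db_password';
        EOF
      '';
      # … unchanged: serviceConfig, before/wantedBy, container definitions …
```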