Refactor immich container config; enable firewall, resolved, PostgreSQL

This commit is contained in:
Joshua Bell 2026-02-08 22:34:52 -06:00
parent 6a871b1234
commit a162c71e78


@ -149,81 +149,84 @@ in
... ...
}: }:
{ {
config = { config = lib.mkMerge [
system.stateVersion = "25.05"; {
system.stateVersion = "25.05";
networking = { networking = {
firewall = { firewall = {
enable = true;
allowedTCPPorts = [
2283
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
# Ensure users exist on container
inherit users;
services.postgresql = {
enable = true; enable = true;
allowedTCPPorts = [ package = pkgs.postgresql_17.withPackages (ps: [ ps.pgvecto-rs ]);
2283 enableJIT = true;
authentication = ''
local all all trust
host all all 127.0.0.1/8 trust
host all all ::1/128 trust
host all all fc00::1/128 trust
'';
ensureDatabases = [ "immich" ];
ensureUsers = [
{
name = "immich";
ensureDBOwnership = true;
ensureClauses.login = true;
}
]; ];
settings = {
shared_preload_libraries = [ "vectors.so" ];
};
}; };
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
# Ensure users exist on container # Backup database
inherit users; services.postgresqlBackup = {
services.postgresql = {
enable = true;
package = pkgs.postgresql_17.withPackages (ps: [ ps.pgvecto-rs ]);
enableJIT = true;
authentication = ''
local all all trust
host all all 127.0.0.1/8 trust
host all all ::1/128 trust
host all all fc00::1/128 trust
'';
ensureDatabases = [ "immich" ];
ensureUsers = [
{
name = "immich";
ensureDBOwnership = true;
ensureClauses.login = true;
}
];
settings = {
shared_preload_libraries = [ "vectors.so" ];
};
};
# Backup database
services.postgresqlBackup = {
enable = true;
};
services.immich = {
enable = true;
host = "0.0.0.0";
port = 2283;
openFirewall = true;
mediaLocation = "/var/lib/immich";
database = {
enable = true; enable = true;
createDB = false; # We create it manually above
name = "immich";
user = "immich";
}; };
redis.enable = true;
machine-learning.enable = true; services.immich = {
settings = { enable = true;
server.externalDomain = "https://photos.joshuabell.xyz"; host = "0.0.0.0";
newVersionCheck.enabled = false; port = 2283;
openFirewall = true;
mediaLocation = "/var/lib/immich";
database = {
enable = true;
createDB = false; # We create it manually above
name = "immich";
user = "immich";
};
redis.enable = true;
machine-learning.enable = true;
settings = {
server.externalDomain = "https://photos.joshuabell.xyz";
newVersionCheck.enabled = false;
};
}; };
};
systemd.services.immich-server = { systemd.services.immich-server = {
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
}; };
}
# Allow Immich user to access the media directory {
users.users.immich.extraGroups = [ "video" "render" ]; # Allow Immich user to access the media directory for hardware transcoding
}; users.users.immich.extraGroups = [ "video" "render" ];
}
];
}; };
}; };
}; };
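Review bot: The new `services.postgresql.authentication` block grants `trust` to every role on every database for local-socket and loopback clients (`local all all trust` plus the 127.0.0.1/8, ::1/128 and fc00::1/128 host lines), so any process inside the container — not just the immich service — can connect as the `postgres` superuser with no credential. Since the only intended client visible here is the `immich` role, the rules can be scoped to it: `local immich immich trust`, `host immich immich 127.0.0.1/32 trust`, `host immich immich ::1/128 trust` (keep the fc00::1 line only if the host is expected to reach the database). The 127.0.0.1/8 entry also looks like a typo for 127.0.0.0/8 and should be checked against what PostgreSQL accepts. Whether the nixpkgs module still appends its own peer-auth lines after this text should be confirmed, because the `ensureUsers`/`ensureDatabases` provisioning relies on the `postgres` system user being able to log in. Note that `networking.firewall.allowedTCPPorts = [ 2283 ]` and `services.immich.openFirewall = true` open the same port twice; one of them can go. The enclosing module attribute set begins before this hunk.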