From a162c71e78212669b8bd71d1974251515a941a44 Mon Sep 17 00:00:00 2001 From: Joshua Bell Date: Sun, 8 Feb 2026 22:34:52 -0600 Subject: [PATCH 1/2] Refactor immich container config; enable firewall, resolved, PostgreSQL --- hosts/h001/containers/immich.nix | 135 ++++++++++++++++--------------- 1 file changed, 69 insertions(+), 66 deletions(-) diff --git a/hosts/h001/containers/immich.nix b/hosts/h001/containers/immich.nix index 04a6f3d8..4063495a 100644 --- a/hosts/h001/containers/immich.nix +++ b/hosts/h001/containers/immich.nix 
@@ -149,81 +149,84 @@ in ... }: { - config = { - system.stateVersion = "25.05"; + config = lib.mkMerge [ + { + system.stateVersion = "25.05"; - networking = { - firewall = { + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ + 2283 + ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + + # Ensure users exist on container + inherit users; + + services.postgresql = { enable = true; - allowedTCPPorts = [ - 2283 + package = pkgs.postgresql_17.withPackages (ps: [ ps.pgvecto-rs ]); + enableJIT = true; + authentication = '' + local all all trust + host all all 127.0.0.1/8 trust + host all all ::1/128 trust + host all all fc00::1/128 trust + ''; + ensureDatabases = [ "immich" ]; + ensureUsers = [ + { + name = "immich"; + ensureDBOwnership = true; + ensureClauses.login = true; + } ]; + settings = { + shared_preload_libraries = [ "vectors.so" ]; + }; }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; - # Ensure users exist on container - inherit users; - - services.postgresql = { - enable = true; - package = pkgs.postgresql_17.withPackages (ps: [ ps.pgvecto-rs ]); - enableJIT = true; - authentication = '' - local all all trust - host all all 127.0.0.1/8 trust - host all all ::1/128 trust - host all all fc00::1/128 trust - ''; - ensureDatabases = [ "immich" ]; - ensureUsers = [ - { - name = "immich"; - ensureDBOwnership = true; - ensureClauses.login = true; - } - ]; - settings = { - shared_preload_libraries = [ "vectors.so" ]; - }; - }; - - # Backup database - services.postgresqlBackup = { - enable = true; - }; - - services.immich = { - enable = true; - host = "0.0.0.0"; - port = 2283; - openFirewall = true; - mediaLocation = "/var/lib/immich"; - database = { 
+ # Backup database + services.postgresqlBackup = { enable = true; - createDB = false; # We create it manually above - name = "immich"; - user = "immich"; }; - redis.enable = true; - machine-learning.enable = true; - settings = { - server.externalDomain = "https://photos.joshuabell.xyz"; - newVersionCheck.enabled = false; + + services.immich = { + enable = true; + host = "0.0.0.0"; + port = 2283; + openFirewall = true; + mediaLocation = "/var/lib/immich"; + database = { + enable = true; + createDB = false; # We create it manually above + name = "immich"; + user = "immich"; + }; + redis.enable = true; + machine-learning.enable = true; + settings = { + server.externalDomain = "https://photos.joshuabell.xyz"; + newVersionCheck.enabled = false; + }; }; - }; - systemd.services.immich-server = { - requires = [ "postgresql.service" ]; - after = [ "postgresql.service" ]; - }; - - # Allow Immich user to access the media directory - users.users.immich.extraGroups = [ "video" "render" ]; - }; + systemd.services.immich-server = { + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + }; + } + { + # Allow Immich user to access the media directory for hardware transcoding + users.users.immich.extraGroups = [ "video" "render" ]; + } + ]; }; }; }; From c259a93c7aed09810233b4986602f6bc9e133972 Mon Sep 17 00:00:00 2001 From: Joshua Bell Date: Sun, 8 Feb 2026 22:41:54 -0600 Subject: [PATCH 2/2] Switch Immich container to PostgreSQL 16 --- hosts/h001/containers/immich.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/h001/containers/immich.nix b/hosts/h001/containers/immich.nix index 4063495a..16481028 100644 --- a/hosts/h001/containers/immich.nix +++ b/hosts/h001/containers/immich.nix 
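Review bot: The `authentication` block keeps `trust` for every role on `local` and on all loopback (and `fc00::1`) TCP connections, so any process inside the container — the Immich server, the ML worker, or anything that compromises them — can open a `postgres` superuser session with no credential; this predates the commit, but the block is being rewritten and the NixOS default (`local all all peer`, loopback at `scram-sha-256`) is the safer baseline. Because the `immich` role is created here and Immich runs as the `immich` system user, `local all all peer` should suffice over the unix socket if the module's default socket connection is in use (worth confirming), and the three `host … trust` lines could then be dropped or narrowed to `host immich immich 127.0.0.1/32 scram-sha-256` with the password supplied through `services.immich.secretsFile`. `fc00::1/128` deserves a comment naming whose address it is, since it is the only non-loopback source granted trust. The `lib.mkMerge` split also wants a one-line reason, e.g. `# mkMerge: 'inherit users' and users.users.immich.extraGroups would otherwise clash as duplicate 'users' attributes`, since the second set holds a single option.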
@@ -32,7 +32,7 @@ let { host = "${hostVarLibDir}/postgres"; # Adjust based on container postgres data dir - container = "/var/lib/postgresql/17"; + container = "/var/lib/postgresql/16"; user = "postgres"; uid = config.ids.uids.postgres; gid = config.ids.gids.postgres; @@ -171,7 +171,7 @@ in services.postgresql = { enable = true; - package = pkgs.postgresql_17.withPackages (ps: [ ps.pgvecto-rs ]); + package = pkgs.postgresql_16.withPackages (ps: [ ps.pgvecto-rs ]); enableJIT = true; authentication = '' local all all trust
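Review bot: Moving from `postgresql_17` to `postgresql_16` while also re-pointing the bind mount at `/var/lib/postgresql/16` means an existing cluster initialised under 17 in `${hostVarLibDir}/postgres` would now be presented to a 16 server, which refuses to start on a newer `PG_VERSION`; the commit message should say whether the data directory is fresh or was dumped and reloaded. The major version is now spelled in two places (both hunks), so the two can drift; a single binding in the `let` block, e.g. `pgPackage = pkgs.postgresql_16.withPackages (ps: [ ps.pgvecto-rs ]);` and `container = "/var/lib/postgresql/${pgPackage.psqlSchema}";`, keeps them in step (the NixOS module derives its own default `dataDir` from `package.psqlSchema`, so the wrapped package carries it). The `services.postgresql` set in the second hunk continues beyond the hunk.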