From 0ff0828ca99541ec2d5f3cd8520a40ae44cf4785 Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Sat, 25 Jan 2025 20:24:30 +0100
Subject: [PATCH] fix: immich internet access via vlan

---
 hosts/sire/guests/immich.nix | 3 +--
 hosts/ward/guests/kanidm.nix | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 5f09f24..8eec40f 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -23,7 +23,6 @@ let
         crf = 23;
         gopSize = 0;
         maxBitrate = "0";
-        npl = 0;
         preset = "ultrafast";
         refs = 0;
         targetAudioCodec = "aac";
@@ -178,7 +177,7 @@ in
     rules = [
       "iifname proxy-sentinel ip saddr ${sentinelCfg.wireguard.proxy-sentinel.ipv4} tcp dport 2283 accept"
       "iifname proxy-home ip saddr ${wardWebProxyCfg.wireguard.proxy-home.ipv4} tcp dport 2283 accept"
-      "iifname podman1 oifname lan accept"
+      "iifname podman1 oifname vlan-services accept"
     ];
   };
 
diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix
index 867c56b..993de8e 100644
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@@ -117,7 +117,10 @@ in
       groups."immich.access" = { };
       systems.oauth2.immich = {
         displayName = "Immich";
-        originUrl = "https://${globals.services.immich.domain}/auth/login";
+        originUrl = [
+          "https://${globals.services.immich.domain}/auth/login"
+          "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
+        ];
         originLanding = "https://${globals.services.immich.domain}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
         preferShortUsername = true;