feat: reenable immich with native module, prepare nixos-extra-modules update

2025-10-10 23:00:39 +02:00 · 2025-09-13 20:18:54 +02:00 · 2025-09-13 20:18:54 +02:00 · 157c303f38
commit 157c303f38
parent ef2f2a9b77
25 changed files with 1521 additions and 184 deletions
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -37,7 +37,7 @@ in

  age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
  age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
-  # age.secrets.kanidm-oauth2-immich = mkRandomSecret;
+  age.secrets.kanidm-oauth2-immich = mkRandomSecret;
  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
  age.secrets.kanidm-oauth2-mealie = mkRandomSecret;
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
@ -115,27 +115,23 @@ in

      inherit (globals.kanidm) persons;

-      # # Immich
-      # groups."immich.access" = { };
-      # systems.oauth2.immich = {
-      #   displayName = "Immich";
-      #   originUrl = [
-      #     "https://${globals.services.immich.domain}/auth/login"
-      #     "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
-      #   ];
-      #   originLanding = "https://${globals.services.immich.domain}/";
-      #   basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
-      #   preferShortUsername = true;
-      #   # XXX: PKCE is currently not supported by immich
-      #   allowInsecureClientDisablePkce = true;
-      #   # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
-      #   enableLegacyCrypto = true;
-      #   scopeMaps."immich.access" = [
-      #     "openid"
-      #     "email"
-      #     "profile"
-      #   ];
-      # };
+      # Immich
+      groups."immich.access" = { };
+      systems.oauth2.immich = {
+        displayName = "Immich";
+        originUrl = [
+          "https://${globals.services.immich.domain}/auth/login"
+          "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
+        ];
+        originLanding = "https://${globals.services.immich.domain}/";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+        preferShortUsername = true;
+        scopeMaps."immich.access" = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };

      # Firezone
      groups."firezone.access" = { };