chore: update flake and make necessary changes, disable immich for now

2025-10-10 14:50:40 +02:00 · 2025-09-05 20:48:22 +02:00 · 2025-09-05 20:48:22 +02:00 · 3c322bbdbf
commit 3c322bbdbf
parent 20477ecdc5
13 changed files with 228 additions and 156 deletions
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -19,7 +19,7 @@ let
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
    globals.services.mealie.domain
-    globals.services.immich.domain
+    # globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -145,9 +145,9 @@
      // mkMicrovm "paperless" {
        enablePaperlessDataset = true;
      }
-      // mkMicrovm "immich" {
-        enableStorageDataset = true;
-      }
+      # // mkMicrovm "immich" {
+      #   enableStorageDataset = true;
+      # }
      // mkMicrovm "ai" { }
      // mkMicrovm "minecraft" { }
      // mkMicrovm "ente" {
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -21,7 +21,7 @@ let
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
    globals.services.mealie.domain
-    globals.services.immich.domain
+    # globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -91,42 +91,41 @@ in
        ];
        dhcp.enabled = false;
      };
-      filtering.rewrites =
-        [
-          # Undo the /etc/hosts entry so we don't answer with the internal
-          # wireguard address for influxdb
-          {
-            inherit (globals.services.influxdb) domain;
-            answer = globals.domains.me;
-          }
-        ]
-        # Use the local mirror-proxy for some services (not necessary, just for speed)
-        ++
-          map
-            (domain: {
-              inherit domain;
-              answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
-            })
-            [
-              # FIXME: dont hardcode, filter global service domains by internal state
-              # FIXME: new entry here? make new firezone entry too.
-              # FIXME: new entry here? make new firezone gateway on ward entry too.
-              globals.services.grafana.domain
-              "accounts.photos.${globals.domains.me}"
-              "albums.photos.${globals.domains.me}"
-              "api.photos.${globals.domains.me}"
-              "cast.photos.${globals.domains.me}"
-              "photos.${globals.domains.me}"
-              "s3.photos.${globals.domains.me}"
-              globals.services.mealie.domain
-              globals.services.immich.domain
-              globals.services.influxdb.domain
-              globals.services.loki.domain
-              globals.services.paperless.domain
-              globals.services.esphome.domain
-              globals.services.home-assistant.domain
-              "fritzbox.${globals.domains.personal}"
-            ];
+      filtering.rewrites = [
+        # Undo the /etc/hosts entry so we don't answer with the internal
+        # wireguard address for influxdb
+        {
+          inherit (globals.services.influxdb) domain;
+          answer = globals.domains.me;
+        }
+      ]
+      # Use the local mirror-proxy for some services (not necessary, just for speed)
+      ++
+        map
+          (domain: {
+            inherit domain;
+            answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
+          })
+          [
+            # FIXME: dont hardcode, filter global service domains by internal state
+            # FIXME: new entry here? make new firezone entry too.
+            # FIXME: new entry here? make new firezone gateway on ward entry too.
+            globals.services.grafana.domain
+            "accounts.photos.${globals.domains.me}"
+            "albums.photos.${globals.domains.me}"
+            "api.photos.${globals.domains.me}"
+            "cast.photos.${globals.domains.me}"
+            "photos.${globals.domains.me}"
+            "s3.photos.${globals.domains.me}"
+            globals.services.mealie.domain
+            # globals.services.immich.domain
+            globals.services.influxdb.domain
+            globals.services.loki.domain
+            globals.services.paperless.domain
+            globals.services.esphome.domain
+            globals.services.home-assistant.domain
+            "fritzbox.${globals.domains.personal}"
+          ];
      filters = [
        {
          name = "AdGuard DNS filter";
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -37,7 +37,7 @@ in

  age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
  age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
-  age.secrets.kanidm-oauth2-immich = mkRandomSecret;
+  # age.secrets.kanidm-oauth2-immich = mkRandomSecret;
  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
  age.secrets.kanidm-oauth2-mealie = mkRandomSecret;
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
@ -115,27 +115,27 @@ in

      inherit (globals.kanidm) persons;

-      # Immich
-      groups."immich.access" = { };
-      systems.oauth2.immich = {
-        displayName = "Immich";
-        originUrl = [
-          "https://${globals.services.immich.domain}/auth/login"
-          "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
-        ];
-        originLanding = "https://${globals.services.immich.domain}/";
-        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
-        preferShortUsername = true;
-        # XXX: PKCE is currently not supported by immich
-        allowInsecureClientDisablePkce = true;
-        # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
-        enableLegacyCrypto = true;
-        scopeMaps."immich.access" = [
-          "openid"
-          "email"
-          "profile"
-        ];
-      };
+      # # Immich
+      # groups."immich.access" = { };
+      # systems.oauth2.immich = {
+      #   displayName = "Immich";
+      #   originUrl = [
+      #     "https://${globals.services.immich.domain}/auth/login"
+      #     "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
+      #   ];
+      #   originLanding = "https://${globals.services.immich.domain}/";
+      #   basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+      #   preferShortUsername = true;
+      #   # XXX: PKCE is currently not supported by immich
+      #   allowInsecureClientDisablePkce = true;
+      #   # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
+      #   enableLegacyCrypto = true;
+      #   scopeMaps."immich.access" = [
+      #     "openid"
+      #     "email"
+      #     "profile"
+      #   ];
+      # };

      # Firezone
      groups."firezone.access" = { };