feat: update immich; decrease restart timer between failed attempts for all services to 60 seconds

hosts/sire/guests/grafana.nix

@@ -157,5 +157,5 @@ in {
     };
   };
 
-  systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
 }

hosts/sire/guests/immich.nix

@@ -116,7 +116,7 @@
 
   processedConfigFile = "/run/agenix/immich.config.json";
 
-  version = "v1.93.3";
+  version = "v1.98.2";
   environment = {
     DB_DATABASE_NAME = "immich";
     DB_HOSTNAME = ipImmichPostgres;
@@ -269,7 +269,7 @@ in {
       ];
     };
   virtualisation.oci-containers.containers."immich_postgres" = {
-    image = "tensorchord/pgvecto-rs:pg14-v0.1.11@sha256:0335a1a22f8c5dd1b697f14f079934f5152eaaa216c09b61e293be285491f8ee";
+    image = "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
     environment = {
       POSTGRES_DB = environment.DB_DATABASE_NAME;
       POSTGRES_PASSWORD_FILE = environment.DB_PASSWORD_FILE;
@@ -288,7 +288,7 @@ in {
   };
   systemd.services."podman-immich_postgres" = serviceConfig;
   virtualisation.oci-containers.containers."immich_redis" = {
-    image = "redis:6.2-alpine@sha256:c5a607fb6e1bb15d32bbcf14db22787d19e428d59e31a5da67511b49bb0f1ccc";
+    image = "redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5";
     log-driver = "journald";
     extraOptions = [
       "--network-alias=immich_redis"

hosts/sire/guests/influxdb.nix

@@ -97,5 +97,5 @@ in {
 
   environment.systemPackages = [pkgs.influxdb2-cli];
 
-  systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
 }

hosts/sire/guests/loki.nix

@@ -131,5 +131,5 @@ in {
     };
   };
 
-  systemd.services.loki.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  systemd.services.loki.serviceConfig.RestartSec = "60"; # Retry every minute
 }

hosts/sire/guests/paperless.nix

@@ -102,7 +102,7 @@ in {
     };
   };
 
-  systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  systemd.services.paperless.serviceConfig.RestartSec = "60"; # Retry every minute
 
   systemd.tmpfiles.settings."10-paperless".${paperlessBackupDir}.d = {
     inherit (config.services.paperless) user;

hosts/ward/guests/adguardhome.nix

@@ -110,6 +110,6 @@ in {
       INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show lan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
       sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
     '';
-    serviceConfig.RestartSec = lib.mkForce "600"; # Retry every 10 minutes
+    serviceConfig.RestartSec = lib.mkForce "60"; # Retry every minute
   };
 }

hosts/ward/guests/forgejo.nix

@@ -167,7 +167,7 @@ in {
   };
 
   systemd.services.forgejo = {
-    serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+    serviceConfig.RestartSec = "60"; # Retry every minute
     preStart = let
       exe = lib.getExe config.services.forgejo.package;
       providerName = "kanidm";

hosts/ward/guests/kanidm.nix

@@ -124,6 +124,8 @@ in {
         basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
         preferShortUsername = true;
         # XXX: PKCE is currently not supported by immich
+        # XXX: Also RS256 is used instead of ES256 so additionally needed:
+        # kanidm system oauth2 warning-enable-legacy-crypto immich
         allowInsecureClientDisablePkce = true;
         scopeMaps."immich.access" = ["openid" "email" "profile"];
       };
@@ -137,6 +139,7 @@ in {
         displayName = "Grafana";
         originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
+        preferShortUsername = true;
         scopeMaps."grafana.access" = ["openid" "email" "profile"];
         claimMaps.groups = {
           joinType = "array";
@@ -174,6 +177,7 @@ in {
         displayName = "Web Sentinel";
         originUrl = "https://oauth2.${domains.me}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
+        preferShortUsername = true;
         scopeMaps."web-sentinel.access" = ["openid" "email"];
         claimMaps.groups = {
           joinType = "array";

hosts/ward/guests/radicale.nix

@@ -76,7 +76,7 @@ in {
     };
   };
 
-  systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  systemd.services.radicale.serviceConfig.RestartSec = "60"; # Retry every minute
 
   backups.storageBoxes.dusk = {
     subuser = "radicale";

hosts/ward/guests/vaultwarden.nix

@@ -79,7 +79,7 @@ in {
   systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
   systemd.services.vaultwarden.serviceConfig = {
     StateDirectory = lib.mkForce "vaultwarden";
-    RestartSec = "600"; # Retry every 10 minutes
+    RestartSec = "60"; # Retry every minute
   };
 
   # Needed so we don't run out of tmpfs space for large backups.

modules/oauth2-proxy.nix

@@ -120,7 +120,7 @@ in {
       RuntimeDirectory = "oauth2_proxy";
       RuntimeDirectoryMode = "0750";
       UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
-      RestartSec = "600"; # Retry every 10 minutes
+      RestartSec = "60"; # Retry every minute
     };
 
     users.groups.oauth2_proxy.members = ["nginx"];

modules/promtail.nix

@@ -145,6 +145,6 @@ in {
       };
     };
 
-    systemd.services.promtail.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+    systemd.services.promtail.serviceConfig.RestartSec = "60"; # Retry every minute
   };
 }

modules/telegraf.nix

@@ -212,7 +212,7 @@ in {
         ];
         # For wireguard statistics
         AmbientCapabilities = ["CAP_NET_ADMIN"];
-        RestartSec = "600"; # Retry every 10 minutes
+        RestartSec = "60"; # Retry every minute
       };
     };
   };