fix: enable oauth for immich; enable network access for immich containers; remove nixvim-wayland

2025-10-10 14:50:40 +02:00 · 2024-01-23 02:48:29 +01:00 · 2024-01-23 02:48:29 +01:00 · 8b67068237
commit 8b67068237
parent 924645cafb
9 changed files with 201 additions and 266 deletions
--- a/flake.lock
+++ b/flake.lock
@ -352,11 +352,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705540973,
-        "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=",
+        "lastModified": 1705890365,
+        "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733",
+        "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9",
        "type": "github"
      },
      "original": {
@ -454,21 +454,6 @@
      }
    },
    "flake-compat_5": {
-      "locked": {
-        "lastModified": 1688025799,
-        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_6": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -484,7 +469,7 @@
        "type": "github"
      }
    },
-    "flake-compat_7": {
+    "flake-compat_6": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
@ -501,28 +486,6 @@
      }
    },
    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1701473968,
-        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": [
          "nixvim",
@ -543,9 +506,9 @@
        "type": "github"
      }
    },
-    "flake-parts_3": {
+    "flake-parts_2": {
      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_2"
+        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
        "lastModified": 1704982712,
@ -637,24 +600,6 @@
      "inputs": {
        "systems": "systems_8"
      },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_6": {
-      "inputs": {
-        "systems": "systems_9"
-      },
      "locked": {
        "lastModified": 1681202837,
        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@ -779,11 +724,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705535278,
-        "narHash": "sha256-V5+XKfNbiY0bLKLQlH+AXyhHttEL7XcZBH9iSbxxexA=",
+        "lastModified": 1705879479,
+        "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "b84191db127c16a92cbdf7f7b9969d58bb456699",
+        "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
        "type": "github"
      },
      "original": {
@ -800,11 +745,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705104164,
-        "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=",
+        "lastModified": 1705879479,
+        "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd",
+        "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
        "type": "github"
      },
      "original": {
@ -828,25 +773,6 @@
        "type": "github"
      }
    },
-    "lib-aggregate": {
-      "inputs": {
-        "flake-utils": "flake-utils_5",
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
-      "locked": {
-        "lastModified": 1705423846,
-        "narHash": "sha256-PULm77CvMZ9cQ4MaTXgvJom2ePB9c38p39JB4TFXEdw=",
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "rev": "1d0951ca1b3721ff4e6049c3a37df56c78c60c65",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "type": "github"
-      }
-    },
    "lib-net": {
      "flake": false,
      "locked": {
@ -871,11 +797,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1705592620,
-        "narHash": "sha256-97/yDm6n9C6fma0pSM/mMQeMLfmEOZPGbpKARNoKeG4=",
+        "lastModified": 1705802752,
+        "narHash": "sha256-0EY+M5vnXcm/0bQQo9Yu2k+NF69qoLdpa6Vb2ARa1Zw=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "ccf44d60393a571b549448167fa03882693a5a3d",
+        "rev": "f07dd64526ee203d25329c517eec3b697860fa6b",
        "type": "github"
      },
      "original": {
@ -892,11 +818,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704277720,
-        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
+        "lastModified": 1705915768,
+        "narHash": "sha256-+Jlz8OAqkOwJlioac9wtpsCnjgGYUhvLpgJR/5tP9po=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
+        "rev": "1e706ef323de76236eb183d7784f3bd57255ec0b",
        "type": "github"
      },
      "original": {
@ -905,49 +831,6 @@
        "type": "github"
      }
    },
-    "nix-eval-jobs": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs_2",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1705242886,
-        "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=",
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "rev": "6b03a93296faf174b97546fd573c8b379f523a8d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1701208414,
-        "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
@ -955,11 +838,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705282324,
-        "narHash": "sha256-LnURMA7yCM5t7et9O2+2YfGQh0FKAfE5GyahNDDzJVM=",
+        "lastModified": 1705806513,
+        "narHash": "sha256-FcOmNjhHFfPz2udZbRpZ1sfyhVMr+C2O8kOxPj+HDDk=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "49aaeecf41ae0a0944e2c627cb515bcde428a1d1",
+        "rev": "f8e04fbcebcc24cebc91989981bd45f69b963ed7",
        "type": "github"
      },
      "original": {
@ -1068,11 +951,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1705496572,
-        "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
        "type": "github"
      },
      "original": {
@ -1083,21 +966,6 @@
      }
    },
    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1705193289,
-        "narHash": "sha256-oL5EAaZHiA3ABLdyKag/DgT+457vmELv8A+eaox2xsI=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "da839f74dc77c9826fa333b1bc2c8258fd6ffcbe",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib_2": {
      "locked": {
        "dir": "lib",
        "lastModified": 1703961334,
@ -1179,46 +1047,7 @@
        "type": "github"
      }
    },
-    "nixpkgs-wayland": {
-      "inputs": {
-        "flake-compat": "flake-compat_5",
-        "lib-aggregate": "lib-aggregate",
-        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1705585910,
-        "narHash": "sha256-5pvcEdTiVn5F+6gpyQbTxeLhcRlV/oN8nNiwjgLqigs=",
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "rev": "5b2b874c87882a5fc7f30be353410432e685ca0d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "type": "github"
-      }
-    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1703134684,
-        "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1681358109,
        "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=",
@ -1236,7 +1065,7 @@
    },
    "nixvim": {
      "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "home-manager": "home-manager_2",
        "nix-darwin": "nix-darwin",
        "nixpkgs": [
@ -1247,11 +1076,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705581923,
-        "narHash": "sha256-ms+6X+Sbx7Je8vMzux4ricuUR6JNHGoMZJLqhjGLxn8=",
+        "lastModified": 1705927744,
+        "narHash": "sha256-ESHLUjPRApElOJuyXidapwredduuUmJlJ7EAmlFePSY=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "df7a90127b079a39bfaba3eae1885ce6ab3a062a",
+        "rev": "86d6ce5029c99362c96ccead428b366f81d5b8f0",
        "type": "github"
      },
      "original": {
@ -1346,7 +1175,7 @@
    },
    "pre-commit-hooks_4": {
      "inputs": {
-        "flake-compat": "flake-compat_6",
+        "flake-compat": "flake-compat_5",
        "flake-utils": [
          "flake-utils"
        ],
@ -1357,11 +1186,11 @@
        "nixpkgs-stable": "nixpkgs-stable_4"
      },
      "locked": {
-        "lastModified": 1705229514,
-        "narHash": "sha256-itILy0zimR/iyUGq5Dgg0fiW8plRDyxF153LWGsg3Cw=",
+        "lastModified": 1705757126,
+        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "ffa9a5b90b0acfaa03b1533b83eaf5dead819a05",
+        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
        "type": "github"
      },
      "original": {
@ -1387,7 +1216,6 @@
        "nixos-hardware": "nixos-hardware",
        "nixos-nftables-firewall": "nixos-nftables-firewall",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-wayland": "nixpkgs-wayland",
        "nixvim": "nixvim",
        "pre-commit-hooks": "pre-commit-hooks_4",
        "stylix": "stylix",
@ -1424,8 +1252,8 @@
    },
    "rust-overlay_2": {
      "inputs": {
-        "flake-utils": "flake-utils_6",
-        "nixpkgs": "nixpkgs_3"
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1705112162,
@ -1468,7 +1296,7 @@
        "base16-kitty": "base16-kitty",
        "base16-tmux": "base16-tmux",
        "base16-vim": "base16-vim",
-        "flake-compat": "flake-compat_7",
+        "flake-compat": "flake-compat_6",
        "home-manager": [
          "home-manager"
        ],
@ -1477,11 +1305,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1705504375,
-        "narHash": "sha256-oRVxuJ6sCljsgfoWb+SsIK2MvUjsxrXQHRoVTUDVC40=",
+        "lastModified": 1705668784,
+        "narHash": "sha256-U/1Qol9H5nb8FtWSXSiHY8T4Y7TOIo7NHuqe4uuiBec=",
        "owner": "danth",
        "repo": "stylix",
-        "rev": "2d59480b4531ce8d062d20a42560a266cb42b9d0",
+        "rev": "a9e3ce064a778b386fb88fb152c02ae95aa2cbd2",
        "type": "github"
      },
      "original": {
@ -1610,28 +1438,13 @@
        "type": "github"
      }
    },
-    "systems_9": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
    "templates": {
      "locked": {
-        "lastModified": 1704737624,
-        "narHash": "sha256-ypprYGtIL/DbV7D0zNA36gRdMqcv8LHgoxHjwTm7EGY=",
+        "lastModified": 1705684105,
+        "narHash": "sha256-R5PhRrDRuhHzo6zjrh3buGTBuWlY4UvM3+gJF9Hnhrs=",
        "owner": "NixOS",
        "repo": "templates",
-        "rev": "105b28c09033d1c137704cab544ed3cc4bc9ac40",
+        "rev": "35355cc7ba4822de499744bb3f3552008ea68970",
        "type": "github"
      },
      "original": {
@ -1640,31 +1453,9 @@
        "type": "github"
      }
    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1702979157,
-        "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "2961375283668d867e64129c22af532de8e77734",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
    "wired-notify": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
        "nixpkgs": [
          "nixpkgs"
        ],
--- a/flake.nix
+++ b/flake.nix
@ -69,11 +69,6 @@

    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

-    nixpkgs-wayland = {
-      url = "github:nix-community/nixpkgs-wayland";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
    nixvim = {
      url = "github:nix-community/nixvim";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -117,7 +117,7 @@ in {
        client_id = "grafana";
        client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
        scopes = "openid email profile";
-        login_attribute_path = "prefered_username";
+        login_attribute_path = "preferred_username";
        auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
        token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
        api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -12,6 +12,112 @@
  ipImmichPostgres = "10.89.0.12";
  ipImmichRedis = "10.89.0.13";
  ipImmichServer = "10.89.0.14";
+  configFile = pkgs.writeText "immich.config.json" (
+    builtins.toJSON {
+      ffmpeg = {
+        accel = "disabled";
+        bframes = -1;
+        cqMode = "auto";
+        crf = 23;
+        gopSize = 0;
+        maxBitrate = "0";
+        npl = 0;
+        preset = "ultrafast";
+        refs = 0;
+        targetAudioCodec = "aac";
+        targetResolution = "720";
+        targetVideoCodec = "h264";
+        temporalAQ = false;
+        threads = 0;
+        tonemap = "hable";
+        transcode = "required";
+        twoPass = false;
+      };
+      job = {
+        backgroundTask.concurrency = 5;
+        faceDetection.concurrency = 10;
+        library.concurrency = 5;
+        metadataExtraction.concurrency = 10;
+        migration.concurrency = 5;
+        search.concurrency = 5;
+        sidecar.concurrency = 5;
+        smartSearch.concurrency = 10;
+        thumbnailGeneration.concurrency = 10;
+        videoConversion.concurrency = 5;
+      };
+      library.scan = {
+        enabled = true;
+        cronExpression = "0 0 * * *";
+      };
+      logging = {
+        enabled = true;
+        level = "log";
+      };
+      machineLearning = {
+        clip = {
+          enabled = true;
+          modelName = "ViT-B-32__openai";
+        };
+        enabled = true;
+        facialRecognition = {
+          enabled = true;
+          maxDistance = 0.6;
+          minFaces = 3;
+          minScore = 0.7;
+          modelName = "buffalo_l";
+        };
+        url = "http://${ipImmichMachineLearning}:3003";
+      };
+      map = {
+        enabled = true;
+        darkStyle = "";
+        lightStyle = "";
+      };
+      newVersionCheck.enabled = true;
+      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
+      # kanidm system oauth2 warning-insecure-client-disable-pkce immich
+      # kanidm system oauth2 warning-enable-legacy-crypto immich
+      oauth = rec {
+        enabled = true;
+        autoLaunch = false;
+        autoRegister = true;
+        buttonText = "Login with Kanidm";
+
+        mobileOverrideEnabled = true;
+        mobileRedirectUri = "https://${immichDomain}/api/oauth/mobile-redirect";
+
+        clientId = "immich";
+        # clientSecret will be dynamically added in activation script
+        issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
+        scope = "openid email profile";
+        storageLabelClaim = "preferred_username";
+      };
+      passwordLogin.enabled = true;
+      reverseGeocoding.enabled = true;
+      server = {
+        externalDomain = "https://${immichDomain}";
+        loginPageMessage = "Besser im Stuhl einschlafen als im Schlaf einstuhlen.";
+      };
+      storageTemplate = {
+        enabled = true;
+        hashVerificationEnabled = true;
+        template = "{{y}}/{{MM}}/{{filename}}";
+      };
+      theme.customCss = "";
+      thumbnail = {
+        colorspace = "p3";
+        jpegSize = 1440;
+        quality = 80;
+        webpSize = 250;
+      };
+      trash = {
+        days = 30;
+        enabled = true;
+      };
+    }
+  );
+
+  processedConfigFile = "/run/agenix/immich.config.json";

  version = "v1.93.3";
  environment = {
@ -24,6 +130,7 @@
    IMMICH_SERVER_URL = "http://${ipImmichServer}:3001/";
    IMMICH_MACHINE_LEARNING_URL = "http://${ipImmichMachineLearning}:3003";
    REDIS_HOSTNAME = ipImmichRedis;
+    IMMICH_CONFIG_FILE = "/immich.config.json";
  };

  upload_folder = "/storage/immich";
@ -41,10 +148,30 @@ in {
  microvm.mem = 1024 * 12;
  microvm.vcpu = 16;

+  # Mirror the original oauth2 secret
+  age.secrets.immich-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-immich) rekeyFile;
+    mode = "440";
+    group = "root";
+  };
+
+  system.activationScripts.agenixRooterDerivedSecrets = {
+    # Run after agenix has generated secrets
+    deps = ["agenix"];
+    text = ''
+      immichClientSecret=$(< ${config.age.secrets.immich-oauth2-client-secret.path})
+      ${pkgs.jq}/bin/jq --arg immichClientSecret "$immichClientSecret" '.oauth.clientSecret = $immichClientSecret' ${configFile} > ${processedConfigFile}
+      chmod 444 ${processedConfigFile}
+    '';
+  };
+
  meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283];
  networking.nftables.chains.forward.into-immich-container = {
    after = ["conntrack"];
-    rules = ["iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"];
+    rules = [
+      "iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"
+      "iifname podman1 oifname lan accept"
+    ];
  };

  nodes.sentinel = {
@ -61,8 +188,6 @@ in {
      virtualHosts.${immichDomain} = {
        forceSSL = true;
        useACMEWildcardHost = true;
-        oauth2.enable = true;
-        oauth2.allowedGroups = ["access_immich"];
        locations."/" = {
          proxyPass = "http://immich";
          proxyWebsockets = true;
@ -91,18 +216,19 @@ in {
  age.secrets.postgres_password.generator.script = "alnum";

  # Runtime
+  virtualisation.oci-containers.backend = "podman";
  virtualisation.podman = {
    enable = true;
    autoPrune.enable = true;
    dockerCompat = true;
  };
-  virtualisation.oci-containers.backend = "podman";

  # Containers
  virtualisation.oci-containers.containers."immich_machine_learning" = {
    image = "ghcr.io/immich-app/immich-machine-learning:${version}";
    inherit environment;
    volumes = [
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
      "${model_folder}:/cache:rw"
    ];
    log-driver = "journald";
@ -117,6 +243,7 @@ in {
    image = "ghcr.io/immich-app/immich-server:${version}";
    inherit environment;
    volumes = [
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
      "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro"
      "/etc/localtime:/etc/localtime:ro"
      "${upload_folder}:/usr/src/app/upload:rw"
@ -174,6 +301,7 @@ in {
    image = "ghcr.io/immich-app/immich-server:${version}";
    inherit environment;
    volumes = [
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
      "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro"
      "/etc/localtime:/etc/localtime:ro"
      "${upload_folder}:/usr/src/app/upload:rw"
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -35,6 +35,13 @@ in {
    group = "kanidm";
  };

+  age.secrets.kanidm-oauth2-immich = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
  age.secrets.kanidm-oauth2-grafana = {
    generator.script = "alnum";
    generator.tags = ["oauth2"];
@ -114,6 +121,15 @@ in {

      inherit (config.repo.secrets.global.kanidm) persons;

+      # Immich
+      groups.immich = {};
+      systems.oauth2.immich = {
+        displayName = "Immich";
+        originUrl = "https://${sentinelCfg.networking.providedDomains.immich}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+        scopeMaps.immich = ["openid" "email" "profile"];
+      };
+
      # Grafana
      groups.grafana = {};
      groups."grafana.admins" = {};
@ -148,7 +164,6 @@ in {
      groups.web-sentinel = {};
      groups."web-sentinel.adguardhome" = {};
      groups."web-sentinel.influxdb" = {};
-      groups."web-sentinel.immich" = {};
      systems.oauth2.web-sentinel = {
        displayName = "Web Sentinel";
        originUrl = "https://oauth2.${personalDomain}";
@ -157,7 +172,6 @@ in {
        supplementaryScopeMaps = {
          "web-sentinel.adguardhome" = ["access_adguardhome"];
          "web-sentinel.influxdb" = ["access_influxdb"];
-          "web-sentinel.immich" = ["access_immich"];
        };
      };
    };
--- a/modules/config/nix.nix
+++ b/modules/config/nix.nix
@ -17,13 +17,11 @@
        "https://cache.nixos.org"
        "https://nix-community.cachix.org"
        "https://nix-config.cachix.org"
-        "https://nixpkgs-wayland.cachix.org"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
        "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
-        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
      ];
      cores = 0;
      max-jobs = "auto";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -44,7 +44,6 @@
  ];

  nixpkgs.overlays = [
-    inputs.nixpkgs-wayland.overlay
    inputs.nixvim.overlays.default
    inputs.wired-notify.overlays.default
  ];
--- a/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age
+++ b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Ty4SRY71eyfLWJGIC0cv89Rg+PEJr1LTyJQgIvj8mRg
+3z6gLE56zvPRWWFpCkAx6GdFwAztMgBZnfI/OJfCtzU
+-> piv-p256 xqSe8Q AyEmhugnXJ33KHAVh/9B0C9oQ1SF3/gFtoAPpThy/4Ef
+eEPKdBTKx7Px39zRu7Dtdm6vyZxEzN23SekmsjZ9ILU
+-> d^!fR-grease
+WjaPB3mvS8+aKj9FKDdeSMrIDRu4cvxT9llTrxZxOD+Ej4o8lCN+LRmrAZ6eb1W8
+BWuUvPLUgyWi4eyDIARjperIrX8ESLgqIg
+--- rKC5HveByQdXritRQdLqNgasq6y20rT/nfrQenVmoTo
+Ñ_A5ðN1iB ö÷•ãlµ[O�IpªØJ;iÀq,Û¶õ#¾Îý¸KOè‹òãx}Kô´¸›Zs0û„(«!à£�dÈÊY2ÚMvÆ?
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age