From 8b670682375f6a678b2672e5a7d6da5e8c2b5e61 Mon Sep 17 00:00:00 2001 From: oddlama Date: Tue, 23 Jan 2024 02:48:29 +0100 Subject: [PATCH] fix: enable oauth for immich; enable network access for immich containers; remove nixvim-wayland --- flake.lock | 293 +++--------------- flake.nix | 5 - hosts/sire/guests/grafana.nix | 2 +- hosts/sire/guests/immich.nix | 136 +++++++- hosts/ward/guests/kanidm.nix | 18 +- modules/config/nix.nix | 2 - modules/default.nix | 1 - .../ward-kanidm/kanidm-oauth2-immich.age | 10 + secrets/global.nix.age | Bin 2042 -> 2146 bytes 9 files changed, 201 insertions(+), 266 deletions(-) create mode 100644 secrets/generated/ward-kanidm/kanidm-oauth2-immich.age diff --git a/flake.lock b/flake.lock index da13959..1a7a827 100644 --- a/flake.lock +++ b/flake.lock @@ -352,11 +352,11 @@ ] }, "locked": { - "lastModified": 1705540973, - "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=", + "lastModified": 1705890365, + "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", "owner": "nix-community", "repo": "disko", - "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733", + "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", "type": "github" }, "original": { @@ -454,21 +454,6 @@ } }, "flake-compat_5": { - "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_6": { "flake": false, "locked": { "lastModified": 1696426674, @@ -484,7 +469,7 @@ "type": "github" } }, - "flake-compat_7": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, 
@@ -501,28 +486,6 @@ } }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -543,9 +506,9 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_2": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_2" + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { "lastModified": 1704982712, @@ -637,24 +600,6 @@ "inputs": { "systems": "systems_8" }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "inputs": { - "systems": "systems_9" - }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -779,11 +724,11 @@ ] }, "locked": { - "lastModified": 1705535278, - "narHash": "sha256-V5+XKfNbiY0bLKLQlH+AXyhHttEL7XcZBH9iSbxxexA=", + "lastModified": 1705879479, + "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", "owner": "nix-community", "repo": "home-manager", - "rev": "b84191db127c16a92cbdf7f7b9969d58bb456699", + "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", "type": "github" }, "original": { 
@@ -800,11 +745,11 @@ ] }, "locked": { - "lastModified": 1705104164, - "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=", + "lastModified": 1705879479, + "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", "owner": "nix-community", "repo": "home-manager", - "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd", + "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", "type": "github" }, "original": { @@ -828,25 +773,6 @@ "type": "github" } }, - "lib-aggregate": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1705423846, - "narHash": "sha256-PULm77CvMZ9cQ4MaTXgvJom2ePB9c38p39JB4TFXEdw=", - "owner": "nix-community", - "repo": "lib-aggregate", - "rev": "1d0951ca1b3721ff4e6049c3a37df56c78c60c65", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lib-aggregate", - "type": "github" - } - }, "lib-net": { "flake": false, "locked": { @@ -871,11 +797,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1705592620, - "narHash": "sha256-97/yDm6n9C6fma0pSM/mMQeMLfmEOZPGbpKARNoKeG4=", + "lastModified": 1705802752, + "narHash": "sha256-0EY+M5vnXcm/0bQQo9Yu2k+NF69qoLdpa6Vb2ARa1Zw=", "owner": "astro", "repo": "microvm.nix", - "rev": "ccf44d60393a571b549448167fa03882693a5a3d", + "rev": "f07dd64526ee203d25329c517eec3b697860fa6b", "type": "github" }, "original": { @@ -892,11 +818,11 @@ ] }, "locked": { - "lastModified": 1704277720, - "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=", + "lastModified": 1705915768, + "narHash": "sha256-+Jlz8OAqkOwJlioac9wtpsCnjgGYUhvLpgJR/5tP9po=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4", + "rev": "1e706ef323de76236eb183d7784f3bd57255ec0b", "type": "github" }, "original": { 
@@ -905,49 +831,6 @@ "type": "github" } }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1705242886, - "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "6b03a93296faf174b97546fd573c8b379f523a8d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701208414, - "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -955,11 +838,11 @@ ] }, "locked": { - "lastModified": 1705282324, - "narHash": "sha256-LnURMA7yCM5t7et9O2+2YfGQh0FKAfE5GyahNDDzJVM=", + "lastModified": 1705806513, + "narHash": "sha256-FcOmNjhHFfPz2udZbRpZ1sfyhVMr+C2O8kOxPj+HDDk=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "49aaeecf41ae0a0944e2c627cb515bcde428a1d1", + "rev": "f8e04fbcebcc24cebc91989981bd45f69b963ed7", "type": "github" }, "original": { @@ -1068,11 +951,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705496572, - "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "type": "github" }, "original": { 
@@ -1083,21 +966,6 @@ } }, "nixpkgs-lib": { - "locked": { - "lastModified": 1705193289, - "narHash": "sha256-oL5EAaZHiA3ABLdyKag/DgT+457vmELv8A+eaox2xsI=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "da839f74dc77c9826fa333b1bc2c8258fd6ffcbe", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_2": { "locked": { "dir": "lib", "lastModified": 1703961334, @@ -1179,46 +1047,7 @@ "type": "github" } }, - "nixpkgs-wayland": { - "inputs": { - "flake-compat": "flake-compat_5", - "lib-aggregate": "lib-aggregate", - "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705585910, - "narHash": "sha256-5pvcEdTiVn5F+6gpyQbTxeLhcRlV/oN8nNiwjgLqigs=", - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "rev": "5b2b874c87882a5fc7f30be353410432e685ca0d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "type": "github" - } - }, "nixpkgs_2": { - "locked": { - "lastModified": 1703134684, - "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1681358109, "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=", @@ -1236,7 +1065,7 @@ }, "nixvim": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nixpkgs": [ 
@@ -1247,11 +1076,11 @@ ] }, "locked": { - "lastModified": 1705581923, - "narHash": "sha256-ms+6X+Sbx7Je8vMzux4ricuUR6JNHGoMZJLqhjGLxn8=", + "lastModified": 1705927744, + "narHash": "sha256-ESHLUjPRApElOJuyXidapwredduuUmJlJ7EAmlFePSY=", "owner": "nix-community", "repo": "nixvim", - "rev": "df7a90127b079a39bfaba3eae1885ce6ab3a062a", + "rev": "86d6ce5029c99362c96ccead428b366f81d5b8f0", "type": "github" }, "original": { @@ -1346,7 +1175,7 @@ }, "pre-commit-hooks_4": { "inputs": { - "flake-compat": "flake-compat_6", + "flake-compat": "flake-compat_5", "flake-utils": [ "flake-utils" ], @@ -1357,11 +1186,11 @@ "nixpkgs-stable": "nixpkgs-stable_4" }, "locked": { - "lastModified": 1705229514, - "narHash": "sha256-itILy0zimR/iyUGq5Dgg0fiW8plRDyxF153LWGsg3Cw=", + "lastModified": 1705757126, + "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "ffa9a5b90b0acfaa03b1533b83eaf5dead819a05", + "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", "type": "github" }, "original": { @@ -1387,7 +1216,6 @@ "nixos-hardware": "nixos-hardware", "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", - "nixpkgs-wayland": "nixpkgs-wayland", "nixvim": "nixvim", "pre-commit-hooks": "pre-commit-hooks_4", "stylix": "stylix", @@ -1424,8 +1252,8 @@ }, "rust-overlay_2": { "inputs": { - "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_3" + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1705112162, @@ -1468,7 +1296,7 @@ "base16-kitty": "base16-kitty", "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", - "flake-compat": "flake-compat_7", + "flake-compat": "flake-compat_6", "home-manager": [ "home-manager" ], 
@@ -1477,11 +1305,11 @@ ] }, "locked": { - "lastModified": 1705504375, - "narHash": "sha256-oRVxuJ6sCljsgfoWb+SsIK2MvUjsxrXQHRoVTUDVC40=", + "lastModified": 1705668784, + "narHash": "sha256-U/1Qol9H5nb8FtWSXSiHY8T4Y7TOIo7NHuqe4uuiBec=", "owner": "danth", "repo": "stylix", - "rev": "2d59480b4531ce8d062d20a42560a266cb42b9d0", + "rev": "a9e3ce064a778b386fb88fb152c02ae95aa2cbd2", "type": "github" }, "original": { @@ -1610,28 +1438,13 @@ "type": "github" } }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "templates": { "locked": { - "lastModified": 1704737624, - "narHash": "sha256-ypprYGtIL/DbV7D0zNA36gRdMqcv8LHgoxHjwTm7EGY=", + "lastModified": 1705684105, + "narHash": "sha256-R5PhRrDRuhHzo6zjrh3buGTBuWlY4UvM3+gJF9Hnhrs=", "owner": "NixOS", "repo": "templates", - "rev": "105b28c09033d1c137704cab544ed3cc4bc9ac40", + "rev": "35355cc7ba4822de499744bb3f3552008ea68970", "type": "github" }, "original": { @@ -1640,31 +1453,9 @@ "type": "github" } }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1702979157, - "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "2961375283668d867e64129c22af532de8e77734", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "wired-notify": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ], diff --git a/flake.nix b/flake.nix index c08381c..3623e8e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -69,11 +69,6 @@
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- nixpkgs-wayland = {
- url = "github:nix-community/nixpkgs-wayland";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
 nixvim = {
 url = "github:nix-community/nixvim";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index be30f4d..8237c07 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -117,7 +117,7 @@ in {
 client_id = "grafana";
 client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
 scopes = "openid email profile";
- login_attribute_path = "prefered_username";
+ login_attribute_path = "preferred_username";
 auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
 token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
 api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 3064db8..f30fb7b 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -12,6 +12,112 @@
 ipImmichPostgres = "10.89.0.12";
 ipImmichRedis = "10.89.0.13";
 ipImmichServer = "10.89.0.14";
+ configFile = pkgs.writeText "immich.config.json" (
+ builtins.toJSON {
+ ffmpeg = {
+ accel = "disabled";
+ bframes = -1;
+ cqMode = "auto";
+ crf = 23;
+ gopSize = 0;
+ maxBitrate = "0";
+ npl = 0;
+ preset = "ultrafast";
+ refs = 0;
+ targetAudioCodec = "aac";
+ targetResolution = "720";
+ targetVideoCodec = "h264";
+ temporalAQ = false;
+ threads = 0;
+ tonemap = "hable";
+ transcode = "required";
+ twoPass = false;
+ };
+ job = {
+ backgroundTask.concurrency = 5;
+ faceDetection.concurrency = 10;
+ library.concurrency = 5;
+ metadataExtraction.concurrency = 10;
+ migration.concurrency = 5;
+ search.concurrency = 5;
+ sidecar.concurrency = 5;
+ smartSearch.concurrency = 10;
+ thumbnailGeneration.concurrency = 10;
+ videoConversion.concurrency = 5;
+ };
+ library.scan = {
+ enabled = true;
+ cronExpression = "0 0 * * *";
+ };
+ logging = {
+ enabled = true;
+ level = "log";
+ };
+ machineLearning = {
+ clip = {
+ enabled = true;
+ modelName = "ViT-B-32__openai";
+ };
+ enabled = true;
+ facialRecognition = {
+ enabled = true;
+ maxDistance = 0.6;
+ minFaces = 3;
+ minScore = 0.7;
+ modelName = "buffalo_l";
+ };
+ url = "http://${ipImmichMachineLearning}:3003";
+ };
+ map = {
+ enabled = true;
+ darkStyle = "";
+ lightStyle = "";
+ };
+ newVersionCheck.enabled = true;
+ # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
+ # kanidm system oauth2 warning-insecure-client-disable-pkce immich
+ # kanidm system oauth2 warning-enable-legacy-crypto immich
+ oauth = rec {
+ enabled = true;
+ autoLaunch = false;
+ autoRegister = true;
+ buttonText = "Login with Kanidm";
+
+ mobileOverrideEnabled = true;
+ mobileRedirectUri = "https://${immichDomain}/api/oauth/mobile-redirect";
+
+ clientId = "immich";
+ # clientSecret will be dynamically added in activation script
+ issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
+ scope = "openid email profile";
+ storageLabelClaim = "preferred_username";
+ };
+ passwordLogin.enabled = true;
+ reverseGeocoding.enabled = true;
+ server = {
+ externalDomain = "https://${immichDomain}";
+ loginPageMessage = "Besser im Stuhl einschlafen als im Schlaf einstuhlen.";
+ };
+ storageTemplate = {
+ enabled = true;
+ hashVerificationEnabled = true;
+ template = "{{y}}/{{MM}}/{(unknown)}";
+ };
+ theme.customCss = "";
+ thumbnail = {
+ colorspace = "p3";
+ jpegSize = 1440;
+ quality = 80;
+ webpSize = 250;
+ };
+ trash = {
+ days = 30;
+ enabled = true;
+ };
+ }
+ );
+
+ processedConfigFile = "/run/agenix/immich.config.json";
 version = "v1.93.3";
 environment = {
@@ -24,6 +130,7 @@
 IMMICH_SERVER_URL = "http://${ipImmichServer}:3001/";
 IMMICH_MACHINE_LEARNING_URL = "http://${ipImmichMachineLearning}:3003";
 REDIS_HOSTNAME = ipImmichRedis;
+ IMMICH_CONFIG_FILE = "/immich.config.json";
 };
 upload_folder = "/storage/immich";
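Review bot: The `# XXX` comment above `oauth = rec {` records that PKCE must be disabled and legacy crypto enabled for this client by hand, which both weakens the client's protection against authorization-code interception and leaves a manual, unrecorded step next to the declarative `systems.oauth2.immich` definition this patch adds in hosts/ward/guests/kanidm.nix (the `@@ -114,6 +121,15 @@` hunk). If the kanidm provisioning module used here exposes options for those two settings, set them there so the deviation is reviewable and survives a rebuild; otherwise extend the comment with the Immich version at which it was verified (the file pins `version = "v1.93.3"`) so it is revisited on upgrade. Note also that `passwordLogin.enabled = true` stays on while the `@@ -61,8 +188,6 @@` hunk removes the proxy-side `oauth2.enable` gate on sentinel, so Immich's own password login becomes reachable through the proxy; if SSO-only is intended, disable it once an admin account exists via OAuth. The `let` block holding these bindings starts before the hunk.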
@@ -41,10 +148,30 @@ in {
 microvm.mem = 1024 * 12;
 microvm.vcpu = 16;
+ # Mirror the original oauth2 secret
+ age.secrets.immich-oauth2-client-secret = {
+ inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-immich) rekeyFile;
+ mode = "440";
+ group = "root";
+ };
+
+ system.activationScripts.agenixRooterDerivedSecrets = {
+ # Run after agenix has generated secrets
+ deps = ["agenix"];
+ text = ''
+ immichClientSecret=$(< ${config.age.secrets.immich-oauth2-client-secret.path})
+ ${pkgs.jq}/bin/jq --arg immichClientSecret "$immichClientSecret" '.oauth.clientSecret = $immichClientSecret' ${configFile} > ${processedConfigFile}
+ chmod 444 ${processedConfigFile}
+ '';
+ };
+
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283];
 networking.nftables.chains.forward.into-immich-container = {
 after = ["conntrack"];
- rules = ["iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"];
+ rules = [
+ "iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"
+ "iifname podman1 oifname lan accept"
+ ];
 };
 nodes.sentinel = {
@@ -61,8 +188,6 @@ in {
 virtualHosts.${immichDomain} = {
 forceSSL = true;
 useACMEWildcardHost = true;
- oauth2.enable = true;
- oauth2.allowedGroups = ["access_immich"];
 locations."/" = {
 proxyPass = "http://immich";
 proxyWebsockets = true;
@@ -91,18 +216,19 @@ in {
 age.secrets.postgres_password.generator.script = "alnum";
 # Runtime
+ virtualisation.oci-containers.backend = "podman";
 virtualisation.podman = {
 enable = true;
 autoPrune.enable = true;
 dockerCompat = true;
 };
- virtualisation.oci-containers.backend = "podman";
 # Containers
 virtualisation.oci-containers.containers."immich_machine_learning" = {
 image = "ghcr.io/immich-app/immich-machine-learning:${version}";
 inherit environment;
 volumes = [
+ "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
 "${model_folder}:/cache:rw"
 ];
 log-driver = "journald";
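Review bot: `chmod 444 ${processedConfigFile}` in the activation script makes the file that now carries the OAuth client secret world-readable on the guest, although the secret it is derived from is mirrored at mode `440`; every local user and process can then read the client secret from `/run/agenix/immich.config.json`. The `>` redirection also creates the file under the default umask before the chmod runs, and `--arg` places the secret on jq's command line where it is visible in the process list for the duration of the call. Prefer creating the file restrictively and letting jq read the secret file itself, as below; `440` root-owned is enough only if the bind-mounting containers still run with a user that can read it, which the hunk does not show, so confirm before tightening. Separately, the new forward rule `"iifname podman1 oifname lan accept"` grants unrestricted LAN egress to every container on the podman network, including postgres and redis; qualifying it with `ip saddr` for the server and machine-learning addresses bound in the `let` block would match the commit's stated intent more closely.
```nix
      text = ''
        (
          umask 077
          ${pkgs.jq}/bin/jq --rawfile immichClientSecret ${config.age.secrets.immich-oauth2-client-secret.path} \
            '.oauth.clientSecret = ($immichClientSecret | rtrimstr("\n"))' \
            ${configFile} > ${processedConfigFile}
        )
        chmod 440 ${processedConfigFile}
      '';
```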
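Review bot: The `immich_machine_learning` container is given `${processedConfigFile}`, which after the activation script contains `oauth.clientSecret`, although nothing in the hunk shows that container needing any OAuth setting; a compromise of the inference service would then also expose the Kanidm client secret. If the machine-learning container needs a config file at all, mounting the secret-free store copy instead, `"${configFile}:${environment.IMMICH_CONFIG_FILE}:ro"`, keeps the secret confined to the server containers that receive it in the `@@ -117,6 +243,7 @@` and `@@ -174,6 +301,7 @@` hunks. The container definition continues past the end of the hunk.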
@@ -117,6 +243,7 @@ in {
 image = "ghcr.io/immich-app/immich-server:${version}";
 inherit environment;
 volumes = [
+ "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
 "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro"
 "/etc/localtime:/etc/localtime:ro"
 "${upload_folder}:/usr/src/app/upload:rw"
@@ -174,6 +301,7 @@ in {
 image = "ghcr.io/immich-app/immich-server:${version}";
 inherit environment;
 volumes = [
+ "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
 "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro"
 "/etc/localtime:/etc/localtime:ro"
 "${upload_folder}:/usr/src/app/upload:rw"
diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix
index 0ea07ce..be2e22a 100644
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@@ -35,6 +35,13 @@ in {
 group = "kanidm";
 };
+ age.secrets.kanidm-oauth2-immich = {
+ generator.script = "alnum";
+ generator.tags = ["oauth2"];
+ mode = "440";
+ group = "kanidm";
+ };
+
 age.secrets.kanidm-oauth2-grafana = {
 generator.script = "alnum";
 generator.tags = ["oauth2"];
@@ -114,6 +121,15 @@ in {
 inherit (config.repo.secrets.global.kanidm) persons;
+ # Immich
+ groups.immich = {};
+ systems.oauth2.immich = {
+ displayName = "Immich";
+ originUrl = "https://${sentinelCfg.networking.providedDomains.immich}";
+ basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+ scopeMaps.immich = ["openid" "email" "profile"];
+ };
+
 # Grafana
 groups.grafana = {};
 groups."grafana.admins" = {};
@@ -148,7 +164,6 @@ in {
 groups.web-sentinel = {};
 groups."web-sentinel.adguardhome" = {};
 groups."web-sentinel.influxdb" = {};
- groups."web-sentinel.immich" = {};
 systems.oauth2.web-sentinel = {
 displayName = "Web Sentinel";
 originUrl = "https://oauth2.${personalDomain}";
@@ -157,7 +172,6 @@ in { supplementaryScopeMaps = { "web-sentinel.adguardhome" = ["access_adguardhome"]; "web-sentinel.influxdb" = ["access_influxdb"]; - "web-sentinel.immich" = ["access_immich"]; }; }; }; diff --git a/modules/config/nix.nix b/modules/config/nix.nix index 99b956b..a3f4e66 100644 --- a/modules/config/nix.nix +++ b/modules/config/nix.nix @@ -17,13 +17,11 @@ "https://cache.nixos.org" "https://nix-community.cachix.org" "https://nix-config.cachix.org" - "https://nixpkgs-wayland.cachix.org" ]; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4=" - "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; cores = 0; max-jobs = "auto"; diff --git a/modules/default.nix b/modules/default.nix index 46bf981..dda1c11 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -44,7 +44,6 @@ ]; nixpkgs.overlays = [ - inputs.nixpkgs-wayland.overlay inputs.nixvim.overlays.default inputs.wired-notify.overlays.default ]; diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age new file mode 100644 index 0000000..231b353 --- /dev/null +++ b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 Ty4SRY71eyfLWJGIC0cv89Rg+PEJr1LTyJQgIvj8mRg +3z6gLE56zvPRWWFpCkAx6GdFwAztMgBZnfI/OJfCtzU +-> piv-p256 xqSe8Q AyEmhugnXJ33KHAVh/9B0C9oQ1SF3/gFtoAPpThy/4Ef +eEPKdBTKx7Px39zRu7Dtdm6vyZxEzN23SekmsjZ9ILU +-> d^!fR-grease +WjaPB3mvS8+aKj9FKDdeSMrIDRu4cvxT9llTrxZxOD+Ej4o8lCN+LRmrAZ6eb1W8 +BWuUvPLUgyWi4eyDIARjperIrX8ESLgqIg +--- rKC5HveByQdXritRQdLqNgasq6y20rT/nfrQenVmoTo +_ A5N1iBl[ OIpJ;iq,#KOx}K Zs0(!ࣁdY2Mv? \ No newline at end of file 
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index ade9174b0aae482a042a862fcdfbfedfe827f425..3fb5cc29004368b21bca5ecbe4d1356d471b7d75 100644 GIT binary patch delta 2137 zcmV-f2&VV?58@DzAb)vGMKUmXM0#s)ZdYY$D|2dQLs>&mcv@pKSYc06LoaAzb7D&} zH8yT;a|&rkH8e3uWMo4~RYyf=Rb*>3LNaPiH%n|(D@0*VR%moZIAupvZZ=X(K?*HC zAaH4REpRe5HXwL$Q)M_&AVDi_Gj1zaM`%klLS{})RBJ~|HGfW8N=Z;@YGFoAGfr_i zFf?p2D{?kSPfQ9`Q)^Q&az;ZoPi|0ZVK!oOQC2fXQFL!}GhuaQK}bbZYIk&VRVz(r zN@EHwJ|KH|W_NBxWIZisa%Ew2Wgt;LdLU$4AZ2?eeRCjR3N$iAX?1Z|IC*9{D`sOf zQ%6!qQaCqGP=9xKQ8h9$Z%sK+Gb>YZZ%1%WLwQb1aaMSCSW<0pbZcrfN_uN=GfxUJ zXEX{eEiE8KNH8%*QB7HEYb!W;b2UUlG*x3UZ89}QXJTb+G<9ZLV{UXdVQ5WID{~5} zZB@4MoDmK>xm7ybD8;sd5d0si>2iH^Zr~{_I@NZ6L4V(-A?Z!D_)7gvFU+tIf)B?5 zBk*#Lno?4V5ezQvN;JrA*S<>~sm2^PAmo3n^uu3COW_hYAGr9w?3=|6H=qi5&%`7{ zZbV2d3+${TbH~r~>mz$rUQ6gjBTV7VC=46w)6f^1(yPNPKl%~Ok+hT++Ntme!GB{W z@KXN_+J7$+_!4y+iV@MsSMB*GeFOf+RPCUj|CO->B3DL*#TbZfv^v~%i4})4PYAsu zG5B&P4+5BuL;{5%mahA>l}&07gTGv$M&HDg+|OcnuQ+Ic!6e6;I|Vidok_|IbNg`Z zWsgQ}-B!Pt_xA)U6p^2Tcl;t3MM_T?-7x5(PJgH6-5!k`W5frX%myiZ%$1gMe-4`N zUUa!izwCbvvY+e?*!toAvnd&BulGC;2gI__i>bF={UV>mscNxq#)rDE-qEx>JBqi^oc}@ zROE4edDaQ!-vPY6yA8+!afq5dBFbz)>VLpeLx?pCF7Vb2UU~$o+<-hbwy_81*8pg8 zhmSQiwXHR?&QJeze6YZV;b8`Lf`bxQPd|W89EKf8N@G-PxtqPMQ-rv}GJQu25S|%v zD$91wL0Cts4_k%gFjQJ(z&)Jb*X12Z`VL@^=z12*=eY9&#b{oAFg8TnuaX`vrhgPE zexQ@AB&L>NX|2BX_tdMkz$EjuYge?7kbK3Lx(bJxA{sfnO*D$)ECNuHBComT?tha9q4hJ2!4nsN$q1w+kUntmpnUHSC5Fe938%|W*3EA&lH-~4LMJHJaX;=AbI;04U=g*ZgWQ^BvZ zg63nT8Inn=$G9WmP$qDTGJgm|`^vZNXYL3^bR_N0_ zF;+GZuXI6Xkfe$!Js;CUSf8aBx}+@CZ-JzG?%TvLE(i6!VsRPTcv}cEuJ3*%wboTP zf6|j3uDjuNYmZoQ&g2MkoyP~&hnA6PxFCuto;;9#*xO+@7SVV#wtr!vSgU2yrL;gg zKm81>jQD57A4+Z7eg_^!nB^wepS~fM%*Zf-N?Sj?**tI=C^dakq%W2ItmX9o+Y>9o z^Bf*p-ubd4J0`Lc4i`jOU_s^o%x%%T{rAYPIV`Ot)uL$e_l{cqqA$0?^;~~`Ik2|x zTHQyb1`rb^zYwQP@_$`e{4QL`5*Zq))4{X8$u$j~kN-nE_Com_iI>wh_cwDLqOT=| zbx%v?^5%*!8rd(zEk8YxGjoGVM1!OqGAGnx)hLDoxNgH6qMs-mYdA}522A=&|H6*H zxC`g__h`m<%|H?uZw_Y5?k%P1!ZSl6U2g?oR1F#Y~r7hZh+dV?2;Aer@{7_X6ul5g&-w=1! 
zC05*tmsZ1xt*&E$wmTWF^y-=RandUZxQyX|!(wl)k^Shb1IW6&v=3N3za$!Lj=(=h zO|Bu@Ymfi>S$|wF;j+`dk0=bb4#TT%TSMuS=Jf3-X%Q|W)b{w3P4Y8B6Mh})nH|zN z-dVlBc46p;v~CIly7K9;DcJyxsTl{E!RKOFKFrF>LbrEJIMWJGgWma{E^Zdkx{zDMcYQ>6=S PeXrP?IaS9$MUvVhe%9Vo delta 2032 zcmVwNNRI1abrP4XJu|hT5LyCRCYp3XJkrYN=I#RMPW2!Lv$}O zYFa`wNeWX`QfNzLazR*dWolYuaab@yWkXsqY;IUZN=Il#Lsd&NL{T|ZGf8Vc2!qtYh`g$NqR#{L~>O(R#;|hcT#OHc1}c2S7&us zLvso(J|IOSHEu0ua%Ew2WeQeTS6FLsGc<8mSVc@_byZq7GfPTrM@3CXacg&RH)BCE zQByBSMp-sTZhufSWlu{~GHFdpQ)5O%S9wNlVPSL%Lozv3Rc=8uIc;QmV|77FR6|B$ zOmJ3VcS})MWLI@VV=!1SOHo=(K{P^5ICey8Mlo1+GdOPwEiEk|LvvVaPDyQJPj*I6 zXhCl)YD{c;csEXMSV1#tbVqA-X>nLERby#pVmD_Blz;Vn!NDykfQzc$#662FY&Gg& z&lP@=xsJQ*JMD6U2>8jr$mc};9n_q_(Ob<88dkB(ZpyTciaytX=4!A0wk(q(_4ni| z65V@rSXJwCTyF{;&BD{7;ttKjRa-<6XZOTaeoxD)h~yKKMkB>d6)??k_cb1k9uHbbdIkgCQ?32YW%Wj5AR`ZqCQRw6ThQe}R zqjMf%V7SA-1&A6aTpR^>NayTuw%B+fzFq{I*?&S;#Gv8okL?GGx{K)2N-Lc0c2|^h z7vwPiAn2CeNiZ^*8+7bcUm?vLilV%(EyoF_2enc^K?)+M)>DJvK1K+H`@D}4II+`d z!^%Pp;dL0;%{Eq`ilv56OT4OhfT6v{M0Y2o_Z@`7d~YTu20~id>yLR^0$d;c2b0nD zlYf1x0z|>nbVmat=^tLG&yUv!vpd`u>i&s7a6gP#X*OQ5-k7mf(OPI3+{B9V4fU`67w09w7@l)@fvo1s4xyjwngD>1Z#i+ z@E!^_e#YF5XB}LQMVe6MeMXEWqDQ*>dA4zOME<34Ao{qNmogRwWbOxec++yt+B3^ZvcqWX0(jD| zmCZ;Y*V#pDkDH?$Z0rubnt#|&{a~N1XW%GfmoOOcpj3E&;tMy-y;~=mabT3$)knLO z+ss0^?Bh3j>=c=#f}q|H=Hw|sWY|w>8clfJk0#F!zn&=*CBQ#pHbr}(=HuG0XIh9w z5*kh1fNAN*MGljkhu;)%&Cue)$)XzDT9dMXpReTVZRKPXMz71Lmw#_V2m}p(A?ZN+ zs5L`PvWaN|RiH?D6rKv~ok#SW3dj?w?c#m;)RI`%D7lE($++FA+ zx1-5&5iOBJHximFj~E~TA64eQeZmm1_bd9q00xPDs37ysjG{@XU)uBTt0PH8K#q;( z-;azWYiY19L@uZ#$A4J($M&ClnDWszst=6Y9=>F}7UgUN8qlT3i4K*9y#UzSxiX7z zI!$Hwm?&D90l56vaen?db1^kG-;jJrS@qI?JP@q+M~)9i&bY+A!=X1AI9vsO2S|=W z=udq7vu;Yz50=*k&XVyclkd3xpKdi#8Y{RR3EN-eGsX{#E`RLAqYP_>!e0C^ELV** z9$B-|8g0k_$`l8D?DAfF<1YxNdj#8l1*%q((ix(i| z_zp7D;CIwMrN9w5#WM=)M|RSe8g3p6d$mx=L8vabZI?$+(WIU1ASNg=7*3a26zAxt zTFwj{uc`e1$7z@PDM;UV0a++=p&?PB1AGWw6BO0cozO)QdJ5R_hsn|8F1CD8