fix: enable oauth for immich; enable network access for immich containers; remove nixvim-wayland

flake.lock

@@ -352,11 +352,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705540973,
-        "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=",
+        "lastModified": 1705890365,
+        "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733",
+        "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9",
         "type": "github"
       },
       "original": {
@@ -454,21 +454,6 @@
       }
     },
     "flake-compat_5": {
-      "locked": {
-        "lastModified": 1688025799,
-        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_6": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -484,7 +469,7 @@
         "type": "github"
       }
     },
-    "flake-compat_7": {
+    "flake-compat_6": {
       "flake": false,
       "locked": {
         "lastModified": 1673956053,
@@ -501,28 +486,6 @@
       }
     },
     "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1701473968,
-        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nixvim",
@@ -543,9 +506,9 @@
         "type": "github"
       }
     },
-    "flake-parts_3": {
+    "flake-parts_2": {
       "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_2"
+        "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
         "lastModified": 1704982712,
@@ -637,24 +600,6 @@
       "inputs": {
         "systems": "systems_8"
       },
-      "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_6": {
-      "inputs": {
-        "systems": "systems_9"
-      },
       "locked": {
         "lastModified": 1681202837,
         "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@@ -779,11 +724,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705535278,
-        "narHash": "sha256-V5+XKfNbiY0bLKLQlH+AXyhHttEL7XcZBH9iSbxxexA=",
+        "lastModified": 1705879479,
+        "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b84191db127c16a92cbdf7f7b9969d58bb456699",
+        "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
         "type": "github"
       },
       "original": {
@@ -800,11 +745,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705104164,
-        "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=",
+        "lastModified": 1705879479,
+        "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd",
+        "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
         "type": "github"
       },
       "original": {
@@ -828,25 +773,6 @@
         "type": "github"
       }
     },
-    "lib-aggregate": {
-      "inputs": {
-        "flake-utils": "flake-utils_5",
-        "nixpkgs-lib": "nixpkgs-lib"
-      },
-      "locked": {
-        "lastModified": 1705423846,
-        "narHash": "sha256-PULm77CvMZ9cQ4MaTXgvJom2ePB9c38p39JB4TFXEdw=",
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "rev": "1d0951ca1b3721ff4e6049c3a37df56c78c60c65",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "lib-aggregate",
-        "type": "github"
-      }
-    },
     "lib-net": {
       "flake": false,
       "locked": {
@@ -871,11 +797,11 @@
         "spectrum": "spectrum"
       },
       "locked": {
-        "lastModified": 1705592620,
-        "narHash": "sha256-97/yDm6n9C6fma0pSM/mMQeMLfmEOZPGbpKARNoKeG4=",
+        "lastModified": 1705802752,
+        "narHash": "sha256-0EY+M5vnXcm/0bQQo9Yu2k+NF69qoLdpa6Vb2ARa1Zw=",
         "owner": "astro",
         "repo": "microvm.nix",
-        "rev": "ccf44d60393a571b549448167fa03882693a5a3d",
+        "rev": "f07dd64526ee203d25329c517eec3b697860fa6b",
         "type": "github"
       },
       "original": {
@@ -892,11 +818,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704277720,
-        "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=",
+        "lastModified": 1705915768,
+        "narHash": "sha256-+Jlz8OAqkOwJlioac9wtpsCnjgGYUhvLpgJR/5tP9po=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4",
+        "rev": "1e706ef323de76236eb183d7784f3bd57255ec0b",
         "type": "github"
       },
       "original": {
@@ -905,49 +831,6 @@
         "type": "github"
       }
     },
-    "nix-eval-jobs": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs_2",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1705242886,
-        "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=",
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "rev": "6b03a93296faf174b97546fd573c8b379f523a8d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-eval-jobs",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1701208414,
-        "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -955,11 +838,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705282324,
-        "narHash": "sha256-LnURMA7yCM5t7et9O2+2YfGQh0FKAfE5GyahNDDzJVM=",
+        "lastModified": 1705806513,
+        "narHash": "sha256-FcOmNjhHFfPz2udZbRpZ1sfyhVMr+C2O8kOxPj+HDDk=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "49aaeecf41ae0a0944e2c627cb515bcde428a1d1",
+        "rev": "f8e04fbcebcc24cebc91989981bd45f69b963ed7",
         "type": "github"
       },
       "original": {
@@ -1068,11 +951,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1705496572,
-        "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
+        "lastModified": 1705856552,
+        "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19",
+        "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
         "type": "github"
       },
       "original": {
@@ -1083,21 +966,6 @@
       }
     },
     "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1705193289,
-        "narHash": "sha256-oL5EAaZHiA3ABLdyKag/DgT+457vmELv8A+eaox2xsI=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "da839f74dc77c9826fa333b1bc2c8258fd6ffcbe",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib_2": {
       "locked": {
         "dir": "lib",
         "lastModified": 1703961334,
@@ -1179,46 +1047,7 @@
         "type": "github"
       }
     },
-    "nixpkgs-wayland": {
-      "inputs": {
-        "flake-compat": "flake-compat_5",
-        "lib-aggregate": "lib-aggregate",
-        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1705585910,
-        "narHash": "sha256-5pvcEdTiVn5F+6gpyQbTxeLhcRlV/oN8nNiwjgLqigs=",
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "rev": "5b2b874c87882a5fc7f30be353410432e685ca0d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs-wayland",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1703134684,
-        "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
       "locked": {
         "lastModified": 1681358109,
         "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=",
@@ -1236,7 +1065,7 @@
     },
     "nixvim": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
         "home-manager": "home-manager_2",
         "nix-darwin": "nix-darwin",
         "nixpkgs": [
@@ -1247,11 +1076,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705581923,
-        "narHash": "sha256-ms+6X+Sbx7Je8vMzux4ricuUR6JNHGoMZJLqhjGLxn8=",
+        "lastModified": 1705927744,
+        "narHash": "sha256-ESHLUjPRApElOJuyXidapwredduuUmJlJ7EAmlFePSY=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "df7a90127b079a39bfaba3eae1885ce6ab3a062a",
+        "rev": "86d6ce5029c99362c96ccead428b366f81d5b8f0",
         "type": "github"
       },
       "original": {
@@ -1346,7 +1175,7 @@
     },
     "pre-commit-hooks_4": {
       "inputs": {
-        "flake-compat": "flake-compat_6",
+        "flake-compat": "flake-compat_5",
         "flake-utils": [
           "flake-utils"
         ],
@@ -1357,11 +1186,11 @@
         "nixpkgs-stable": "nixpkgs-stable_4"
       },
       "locked": {
-        "lastModified": 1705229514,
-        "narHash": "sha256-itILy0zimR/iyUGq5Dgg0fiW8plRDyxF153LWGsg3Cw=",
+        "lastModified": 1705757126,
+        "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "ffa9a5b90b0acfaa03b1533b83eaf5dead819a05",
+        "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
         "type": "github"
       },
       "original": {
@@ -1387,7 +1216,6 @@
         "nixos-hardware": "nixos-hardware",
         "nixos-nftables-firewall": "nixos-nftables-firewall",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-wayland": "nixpkgs-wayland",
         "nixvim": "nixvim",
         "pre-commit-hooks": "pre-commit-hooks_4",
         "stylix": "stylix",
@@ -1424,8 +1252,8 @@
     },
     "rust-overlay_2": {
       "inputs": {
-        "flake-utils": "flake-utils_6",
-        "nixpkgs": "nixpkgs_3"
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
         "lastModified": 1705112162,
@@ -1468,7 +1296,7 @@
         "base16-kitty": "base16-kitty",
         "base16-tmux": "base16-tmux",
         "base16-vim": "base16-vim",
-        "flake-compat": "flake-compat_7",
+        "flake-compat": "flake-compat_6",
         "home-manager": [
           "home-manager"
         ],
@@ -1477,11 +1305,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1705504375,
-        "narHash": "sha256-oRVxuJ6sCljsgfoWb+SsIK2MvUjsxrXQHRoVTUDVC40=",
+        "lastModified": 1705668784,
+        "narHash": "sha256-U/1Qol9H5nb8FtWSXSiHY8T4Y7TOIo7NHuqe4uuiBec=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "2d59480b4531ce8d062d20a42560a266cb42b9d0",
+        "rev": "a9e3ce064a778b386fb88fb152c02ae95aa2cbd2",
         "type": "github"
       },
       "original": {
@@ -1610,28 +1438,13 @@
         "type": "github"
       }
     },
-    "systems_9": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
     "templates": {
       "locked": {
-        "lastModified": 1704737624,
-        "narHash": "sha256-ypprYGtIL/DbV7D0zNA36gRdMqcv8LHgoxHjwTm7EGY=",
+        "lastModified": 1705684105,
+        "narHash": "sha256-R5PhRrDRuhHzo6zjrh3buGTBuWlY4UvM3+gJF9Hnhrs=",
         "owner": "NixOS",
         "repo": "templates",
-        "rev": "105b28c09033d1c137704cab544ed3cc4bc9ac40",
+        "rev": "35355cc7ba4822de499744bb3f3552008ea68970",
         "type": "github"
       },
       "original": {
@@ -1640,31 +1453,9 @@
         "type": "github"
       }
     },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-wayland",
-          "nix-eval-jobs",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1702979157,
-        "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "2961375283668d867e64129c22af532de8e77734",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
     "wired-notify": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
         "nixpkgs": [
           "nixpkgs"
         ],

flake.nix

@@ -69,11 +69,6 @@
 
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
-    nixpkgs-wayland = {
-      url = "github:nix-community/nixpkgs-wayland";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     nixvim = {
       url = "github:nix-community/nixvim";
       inputs.nixpkgs.follows = "nixpkgs";

hosts/sire/guests/grafana.nix

@@ -117,7 +117,7 @@ in {
         client_id = "grafana";
         client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
         scopes = "openid email profile";
-        login_attribute_path = "prefered_username";
+        login_attribute_path = "preferred_username";
         auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
         token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
         api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";

hosts/sire/guests/immich.nix

@@ -12,6 +12,112 @@
   ipImmichPostgres = "10.89.0.12";
   ipImmichRedis = "10.89.0.13";
   ipImmichServer = "10.89.0.14";
+  configFile = pkgs.writeText "immich.config.json" (
+    builtins.toJSON {
+      ffmpeg = {
+        accel = "disabled";
+        bframes = -1;
+        cqMode = "auto";
+        crf = 23;
+        gopSize = 0;
+        maxBitrate = "0";
+        npl = 0;
+        preset = "ultrafast";
+        refs = 0;
+        targetAudioCodec = "aac";
+        targetResolution = "720";
+        targetVideoCodec = "h264";
+        temporalAQ = false;
+        threads = 0;
+        tonemap = "hable";
+        transcode = "required";
+        twoPass = false;
+      };
+      job = {
+        backgroundTask.concurrency = 5;
+        faceDetection.concurrency = 10;
+        library.concurrency = 5;
+        metadataExtraction.concurrency = 10;
+        migration.concurrency = 5;
+        search.concurrency = 5;
+        sidecar.concurrency = 5;
+        smartSearch.concurrency = 10;
+        thumbnailGeneration.concurrency = 10;
+        videoConversion.concurrency = 5;
+      };
+      library.scan = {
+        enabled = true;
+        cronExpression = "0 0 * * *";
+      };
+      logging = {
+        enabled = true;
+        level = "log";
+      };
+      machineLearning = {
+        clip = {
+          enabled = true;
+          modelName = "ViT-B-32__openai";
+        };
+        enabled = true;
+        facialRecognition = {
+          enabled = true;
+          maxDistance = 0.6;
+          minFaces = 3;
+          minScore = 0.7;
+          modelName = "buffalo_l";
+        };
+        url = "http://${ipImmichMachineLearning}:3003";
+      };
+      map = {
+        enabled = true;
+        darkStyle = "";
+        lightStyle = "";
+      };
+      newVersionCheck.enabled = true;
+      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
+      # kanidm system oauth2 warning-insecure-client-disable-pkce immich
+      # kanidm system oauth2 warning-enable-legacy-crypto immich
+      oauth = rec {
+        enabled = true;
+        autoLaunch = false;
+        autoRegister = true;
+        buttonText = "Login with Kanidm";
+
+        mobileOverrideEnabled = true;
+        mobileRedirectUri = "https://${immichDomain}/api/oauth/mobile-redirect";
+
+        clientId = "immich";
+        # clientSecret will be dynamically added in activation script
+        issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
+        scope = "openid email profile";
+        storageLabelClaim = "preferred_username";
+      };
+      passwordLogin.enabled = true;
+      reverseGeocoding.enabled = true;
+      server = {
+        externalDomain = "https://${immichDomain}";
+        loginPageMessage = "Besser im Stuhl einschlafen als im Schlaf einstuhlen.";
+      };
+      storageTemplate = {
+        enabled = true;
+        hashVerificationEnabled = true;
+        template = "{{y}}/{{MM}}/{{filename}}";
+      };
+      theme.customCss = "";
+      thumbnail = {
+        colorspace = "p3";
+        jpegSize = 1440;
+        quality = 80;
+        webpSize = 250;
+      };
+      trash = {
+        days = 30;
+        enabled = true;
+      };
+    }
+  );
+
+  processedConfigFile = "/run/agenix/immich.config.json";
 
   version = "v1.93.3";
   environment = {
@@ -24,6 +130,7 @@
     IMMICH_SERVER_URL = "http://${ipImmichServer}:3001/";
     IMMICH_MACHINE_LEARNING_URL = "http://${ipImmichMachineLearning}:3003";
     REDIS_HOSTNAME = ipImmichRedis;
+    IMMICH_CONFIG_FILE = "/immich.config.json";
   };
 
   upload_folder = "/storage/immich";
@@ -41,10 +148,30 @@ in {
   microvm.mem = 1024 * 12;
   microvm.vcpu = 16;
 
+  # Mirror the original oauth2 secret
+  age.secrets.immich-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-immich) rekeyFile;
+    mode = "440";
+    group = "root";
+  };
+
+  system.activationScripts.agenixRooterDerivedSecrets = {
+    # Run after agenix has generated secrets
+    deps = ["agenix"];
+    text = ''
+      immichClientSecret=$(< ${config.age.secrets.immich-oauth2-client-secret.path})
+      ${pkgs.jq}/bin/jq --arg immichClientSecret "$immichClientSecret" '.oauth.clientSecret = $immichClientSecret' ${configFile} > ${processedConfigFile}
+      chmod 444 ${processedConfigFile}
+    '';
+  };
+
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283];
   networking.nftables.chains.forward.into-immich-container = {
     after = ["conntrack"];
-    rules = ["iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"];
+    rules = [
+      "iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"
+      "iifname podman1 oifname lan accept"
+    ];
   };
 
   nodes.sentinel = {
@@ -61,8 +188,6 @@ in {
       virtualHosts.${immichDomain} = {
         forceSSL = true;
         useACMEWildcardHost = true;
-        oauth2.enable = true;
-        oauth2.allowedGroups = ["access_immich"];
         locations."/" = {
           proxyPass = "http://immich";
           proxyWebsockets = true;
@@ -91,18 +216,19 @@ in {
   age.secrets.postgres_password.generator.script = "alnum";
 
   # Runtime
+  virtualisation.oci-containers.backend = "podman";
   virtualisation.podman = {
     enable = true;
     autoPrune.enable = true;
     dockerCompat = true;
   };
-  virtualisation.oci-containers.backend = "podman";
 
   # Containers
   virtualisation.oci-containers.containers."immich_machine_learning" = {
     image = "ghcr.io/immich-app/immich-machine-learning:${version}";
     inherit environment;
     volumes = [
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
       "${model_folder}:/cache:rw"
     ];
     log-driver = "journald";
@@ -117,6 +243,7 @@ in {
     image = "ghcr.io/immich-app/immich-server:${version}";
     inherit environment;
     volumes = [
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
       "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro"
       "/etc/localtime:/etc/localtime:ro"
       "${upload_folder}:/usr/src/app/upload:rw"
@@ -174,6 +301,7 @@ in {
     image = "ghcr.io/immich-app/immich-server:${version}";
     inherit environment;
     volumes = [
+      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
       "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro"
       "/etc/localtime:/etc/localtime:ro"
       "${upload_folder}:/usr/src/app/upload:rw"

hosts/ward/guests/kanidm.nix

@@ -35,6 +35,13 @@ in {
     group = "kanidm";
   };
 
+  age.secrets.kanidm-oauth2-immich = {
+    generator.script = "alnum";
+    generator.tags = ["oauth2"];
+    mode = "440";
+    group = "kanidm";
+  };
+
   age.secrets.kanidm-oauth2-grafana = {
     generator.script = "alnum";
     generator.tags = ["oauth2"];
@@ -114,6 +121,15 @@ in {
 
       inherit (config.repo.secrets.global.kanidm) persons;
 
+      # Immich
+      groups.immich = {};
+      systems.oauth2.immich = {
+        displayName = "Immich";
+        originUrl = "https://${sentinelCfg.networking.providedDomains.immich}";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+        scopeMaps.immich = ["openid" "email" "profile"];
+      };
+
       # Grafana
       groups.grafana = {};
       groups."grafana.admins" = {};
@@ -148,7 +164,6 @@ in {
       groups.web-sentinel = {};
       groups."web-sentinel.adguardhome" = {};
       groups."web-sentinel.influxdb" = {};
-      groups."web-sentinel.immich" = {};
       systems.oauth2.web-sentinel = {
         displayName = "Web Sentinel";
         originUrl = "https://oauth2.${personalDomain}";
@@ -157,7 +172,6 @@ in {
         supplementaryScopeMaps = {
           "web-sentinel.adguardhome" = ["access_adguardhome"];
           "web-sentinel.influxdb" = ["access_influxdb"];
-          "web-sentinel.immich" = ["access_immich"];
         };
       };
     };

modules/config/nix.nix

@@ -17,13 +17,11 @@
         "https://cache.nixos.org"
         "https://nix-community.cachix.org"
         "https://nix-config.cachix.org"
-        "https://nixpkgs-wayland.cachix.org"
       ];
       trusted-public-keys = [
         "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
         "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4="
-        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
       ];
       cores = 0;
       max-jobs = "auto";

modules/default.nix

@@ -44,7 +44,6 @@
   ];
 
   nixpkgs.overlays = [
-    inputs.nixpkgs-wayland.overlay
     inputs.nixvim.overlays.default
     inputs.wired-notify.overlays.default
   ];

secrets/generated/ward-kanidm/kanidm-oauth2-immich.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Ty4SRY71eyfLWJGIC0cv89Rg+PEJr1LTyJQgIvj8mRg
+3z6gLE56zvPRWWFpCkAx6GdFwAztMgBZnfI/OJfCtzU
+-> piv-p256 xqSe8Q AyEmhugnXJ33KHAVh/9B0C9oQ1SF3/gFtoAPpThy/4Ef
+eEPKdBTKx7Px39zRu7Dtdm6vyZxEzN23SekmsjZ9ILU
+-> d^!fR-grease
+WjaPB3mvS8+aKj9FKDdeSMrIDRu4cvxT9llTrxZxOD+Ej4o8lCN+LRmrAZ6eb1W8
+BWuUvPLUgyWi4eyDIARjperIrX8ESLgqIg
+--- rKC5HveByQdXritRQdLqNgasq6y20rT/nfrQenVmoTo
+Ñ_A5ðN1iB ö÷•ãlµ[O�IpªØJ;iÀq,Û¶õ#¾Îý¸KOè‹òãx}Kô´¸›Zs0û„(«!à£�d
ÈÊY2ÚMvÆ?