There is a closed discussion in the immich repository (immich-app/immich#14815).
Until immich supports a more secure way of handling these secrets, the method below can be used to render a file containing the secrets onto a ramdisk, bypassing the nixpkgs config generation and pointing the immich systemd service at this templated file.
{ config, ... }:
let
  # The immich service options and the sops templates are referenced from
  # several places below; bind them once so the references stay short.
  cfg = config.services.immich;
  sopsTemplates = config.sops.templates;
  placeholder = config.sops.placeholder;

  # Used to build the OIDC issuer and the external URL. Evaluation fails
  # if networking.domain is unset, since null cannot be interpolated into
  # a string — this module expects it to be configured.
  inherit (config.networking) domain;

  # Root of the media library on the data disk.
  data = "/mnt/mydisk/immich";
in
{
  # Supplementary groups for the service account: access to the render
  # node listed in accelerationDevices and to the media storage.
  users.users.immich.extraGroups = [
    "media"
    "render"
    "video"
  ];

  # Create the media directory owned by the immich service user/group.
  systemd.tmpfiles.rules = [
    "d ${data} 0755 ${cfg.user} ${cfg.group} -"
  ];

  sops = {
    # Raw secrets decrypted by sops-nix. They are only consumed through the
    # templates below, never referenced directly from the service config.
    secrets = {
      "immich/db/pass" = { };
      "immich/oidc/secret" = { };
    };

    templates = {
      # Environment file handed to the unit via services.immich.secretsFile.
      # It carries the secret immich expects in the environment (DB_PASSWORD)
      # and points IMMICH_CONFIG_FILE at the rendered JSON config below, so
      # the secret-bearing config never ends up in the Nix store.
      "immich.env" = {
        restartUnits = [ config.systemd.services.immich-server.name ];
        content = ''
          DB_PASSWORD=${placeholder."immich/db/pass"}
          IMMICH_CONFIG_FILE=${sopsTemplates."immich-config.json".path}
        '';
      };

      # Full immich configuration. Put settings here instead of
      # config.services.immich.settings. The rendered file is owned by the
      # service user so the immich process itself can read it at runtime.
      "immich-config.json" = {
        owner = cfg.user;
        restartUnits = [ config.systemd.services.immich-server.name ];
        # NOTE(review): the placeholder is substituted textually into the
        # output of builtins.toJSON, so a secret containing characters that
        # need JSON escaping (quotes, backslashes, newlines) would yield an
        # invalid file — confirm the stored OIDC secret is plain text.
        content = builtins.toJSON {
          newVersionCheck.enabled = false;
          oauth = {
            enabled = true;
            clientId = "myid";
            clientSecret = placeholder."immich/oidc/secret";
            issuerUrl = "https://authelia.${domain}/.well-known/openid-configuration";
          };
          server.externalDomain = "https://immich.${domain}";
        };
      };
    };
  };

  services.immich = {
    enable = true;
    # Loopback only; presumably fronted by a reverse proxy on the domain
    # used in externalDomain above.
    host = "127.0.0.1";
    mediaLocation = data;
    # Rendered at activation by sops-nix (see sops.templates."immich.env").
    secretsFile = sopsTemplates."immich.env".path;
    machine-learning.enable = true;
    accelerationDevices = [ "/dev/dri/renderD128" ];
    redis.enable = true;
  };
}