example immich config using sops and secrets

There is a closed discussion in the immich repo: immich-app/immich#14815.

Until immich supports a better way to supply secrets, the method below can be used to render a config file containing the secrets onto a ramdisk via a sops-nix template, bypassing the nixpkgs module's config generation and pointing the immich systemd service at that rendered file instead. The point is to keep secrets such as the OIDC client secret out of `services.immich.settings`, which would otherwise be written into the world-readable Nix store.

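{ config, ... }:
let
  inherit (config.networking) domain;
  cfg = config.services.immich;

  # Photo library lives on persistent storage; everything secret is rendered by
  # sops-nix to its ramdisk and never touches the Nix store.
  data = "/mnt/mydisk/immich";

  # Rendered secret files produced by the sops-nix templates below.
  envFile = config.sops.templates."immich.env".path;
  configFile = config.sops.templates."immich-config.json".path;

  # Any change to a rendered secret should restart the server so it re-reads them.
  restartServer = [ config.systemd.services.immich-server.name ];
in
{
  # Extra groups for the service account: render/video for GPU access
  # (see accelerationDevices below), media for a shared media tree.
  users.users.immich.extraGroups = [
    "media"
    "render"
    "video"
  ];

  # Create the library directory owned by the immich service account.
  # 0750 instead of 0755: the library holds private photos and nothing else
  # on the host needs to traverse it. Loosen only if another local user or
  # service must read the library directly (e.g. by adding it to cfg.group).
  systemd.tmpfiles.rules = [ "d ${data} 0750 ${cfg.user} ${cfg.group} -" ];

  sops = {
    # Encrypted values; both are only ever materialised inside the templates below.
    secrets = {
      "immich/db/pass" = { };
      "immich/oidc/secret" = { };
    };

    templates = {
      # Environment file handed to the immich-server unit through `secretsFile`.
      # No `owner` is set, so it keeps the sops-nix default (root-owned, not
      # readable by the immich user). That is only fine because the nixpkgs
      # module passes secretsFile to systemd as an EnvironmentFile, which is
      # read by systemd itself before the service drops privileges.
      # NOTE(review): re-check this if the nixpkgs immich module changes how
      # secretsFile is consumed.
      "immich.env" = {
        restartUnits = restartServer;
        content = ''
          DB_PASSWORD=${config.sops.placeholder."immich/db/pass"}
          IMMICH_CONFIG_FILE=${configFile}
        '';
      };

      # Full immich config, used instead of config.services.immich.settings so
      # the OIDC client secret is not written into the world-readable Nix store.
      # The immich process reads this file itself, hence `owner`; the mode is
      # left at the sops-nix default (presumably 0400 — confirm for your version).
      "immich-config.json" = {
        owner = cfg.user;
        restartUnits = restartServer;
        content = builtins.toJSON {
          newVersionCheck.enabled = false;
          oauth = {
            enabled = true;
            clientId = "myid";
            # Placeholder is substituted at activation time, never at eval time.
            clientSecret = config.sops.placeholder."immich/oidc/secret";
            issuerUrl = "https://authelia.${domain}/.well-known/openid-configuration";
          };
          server = {
            # Must be the public https origin served by the reverse proxy; the
            # OAuth redirect URI is derived from it.
            externalDomain = "https://immich.${domain}";
          };
        };
      };
    };
  };

  services.immich = {
    enable = true;
    # Loopback only: a TLS-terminating reverse proxy is expected in front of immich.
    host = "127.0.0.1";
    mediaLocation = data;
    secretsFile = envFile;
    machine-learning.enable = true;

    # GPU device exposed to the service for hardware transcoding / ML.
    accelerationDevices = [
      "/dev/dri/renderD128"
    ];

    redis = {
      enable = true;
    };
  };
}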