Why? Because Podman is more advanced than Docker, especially on a CoW filesystem such as btrfs. However, some tweaks are needed to avoid problems with a DNS server and to take advantage of btrfs subvolumes.
The instructions are for Debian Bookworm. For other distros you may need to improvise.
Install Podman and podman-compose:
sudo apt install podman podman-compose
Create file /etc/containers/containers.conf with the following contents:
[network]
dns_bind_port = 20053
Create file /etc/containers/storage.conf with the following contents:
[storage]
driver = "btrfs"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers"
I preferred putting the Immich volume as a subvolume to allow easy snapshotting and incremental backups:
sudo btrfs subvolume create /mnt/immich
sudo chmod go= /mnt/immich # Prevent user access
Then, follow official instructions and use wget to fetch files docker-compose.yml and .env.
Edit (with sudoedit) /mnt/immich/.env and generate a proper password for DB_PASSWORD by using pwgen or a similar tool.
Also, set the timezone to something like TZ=Europe/Helsinki.
This helps you get it running over HTTPS and spares you from opening and remembering random TCP ports.
If you use nginx as a reverse proxy, limit port exposure to localhost only by editing /mnt/immich/docker-compose.yml and replacing 2283:2283 with 127.0.0.1:2283:2283 in the ports section.
Example nginx reverse proxy configuration (adapted from Immich Docs):
server {
    listen 80;
    listen [::]:80;
    server_name immich.example.com;
    # redirect plain HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    server_name immich.example.com;
    # "ssl" makes nginx speak TLS on this socket; ssl_certificate and
    # ssl_certificate_key are assumed to be set elsewhere in your nginx config
    listen [::]:443 ssl;
    listen 443 ssl;
    # allow large file uploads
    client_max_body_size 50000M;
    # Set headers
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_redirect off;
    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout 600s;
    location / {
        # Immich is published on loopback only (see docker-compose.yml)
        proxy_pass http://127.0.0.1:2283;
    }
}
And finally, you need to use certbot to extend your Let's Encrypt certificate to cover that domain.
Create file /mnt/immich/update with the following contents:
#!/bin/sh -eu
cd /mnt/immich
podman-compose pull
podman-compose down
podman-compose up -d
echo 'Ja eikun kovaan ajoon!'
You can launch it for the first time by simply running the update script:
sudo /mnt/immich/update
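The three hardening steps above (chmod go= on the directory, a generated DB_PASSWORD, and the loopback-only port mapping) can be checked with a small script. This is an added example, not part of the original instructions; the function names are hypothetical, and treating "postgres" as the shipped default password and 16 characters as the minimum length are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the hardening steps of this guide. The "postgres"
# default and the 16-character minimum are assumptions of this example.

# Print every published port in a compose file that is not bound to loopback.
exposed_ports() {
    awk -v q="'" '
        /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && /^[ \t]*-[ \t]/ {
            item = $0
            sub(/^[ \t]*-[ \t]*/, "", item)
            sub(/[ \t]*#.*$/, "", item)      # drop trailing comment
            gsub(/"/, "", item); gsub(q, "", item)
            if (item !~ /^(127\.0\.0\.1|\[::1\]):/) print item
            next
        }
        /^[ \t]*(#.*)?$/ { next }            # blank or comment line
        { in_ports = 0 }
    ' "$1"
}

# True if DB_PASSWORD is unset, still the assumed default, or under 16 chars.
weak_db_password() {
    pw=$(sed -n 's/^DB_PASSWORD=//p' "$1" | tail -n 1)
    [ -z "$pw" ] || [ "$pw" = "postgres" ] || [ "${#pw}" -lt 16 ]
}

# True if group or others hold any permission bit (i.e. "chmod go=" was skipped).
group_other_access() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Print one line per finding for an Immich directory; return the finding count.
audit() {
    bad=0
    if group_other_access "$1"; then echo "FAIL: $1 open to group/others"; bad=$((bad + 1)); fi
    if weak_db_password "$1/.env"; then echo "FAIL: weak DB_PASSWORD"; bad=$((bad + 1)); fi
    open=$(exposed_ports "$1/docker-compose.yml")
    if [ -n "$open" ]; then echo "FAIL: not loopback-only: $open"; bad=$((bad + 1)); fi
    return "$bad"
}

# Constructed sample: a directory as left by an unmodified download.
demo=$(mktemp -d) && chmod 755 "$demo"
printf 'DB_PASSWORD=postgres\nTZ=Europe/Helsinki\n' > "$demo/.env"
printf 'services:\n  immich-server:\n    ports:\n      - "2283:2283"\n' > "$demo/docker-compose.yml"
audit "$demo" || echo "$? finding(s) in constructed sample"
rm -rf "$demo"
```

On the real installation, replace the constructed sample with sudo and audit /mnt/immich; a return value of 0 means all three checks passed.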
If you have found errors, legacy methods or something to improve, drop me a message! On Matrix I'm @zouppen:hacklab.fi.
Thanks to Dr. Jaska for proof-reading and showing me Immich for the first time.