From 6f4b4b0e29d3a98c89f5e05bbbbd77823c3a6798 Mon Sep 17 00:00:00 2001
From: uttarayan21
Date: Tue, 29 Jul 2025 05:29:33 +0530
Subject: [PATCH] feat: Added sso to immich
---
 nixos/mirai/services/immich.nix | 54 +++++++++++++++++++--------------
 secrets/secrets.yaml | 6 ++--
 2 files changed, 34 insertions(+), 26 deletions(-)
diff --git a/nixos/mirai/services/immich.nix b/nixos/mirai/services/immich.nix
index 5c4f885e..5137d6b8 100644
--- a/nixos/mirai/services/immich.nix
+++ b/nixos/mirai/services/immich.nix
@@ -9,13 +9,33 @@
 mode = "0440";
 };
 templates = {
- "OAUTH_CLIENT.env" = {
- content = ''
- OAUTH_CLIENT_ID=${config.sops.placeholder."authelia/oidc/immich/client_id"}
- OAUTH_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/immich/client_secret"}
- '';
+ "immich-config.json" = {
+ content =
+ /*
+ json
+ */
+ ''
+ {
+ "oauth": {
+ "clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
+ "clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
+ "enabled": true,
+ "autoLaunch": true,
+ "autoRegister": true,
+ "buttonText": "Login with Authelia",
+ "scope": "openid email profile",
+ "issuerUrl": "https://auth.darksailor.dev"
+ },
+ "passwordLogin" : {
+ "enabled": false
+ },
+ "server": {
+ "externalDomain": "https://photos.darksailor.dev"
+ }
+ }
+ '';
 mode = "0400";
- owner = config.services.immich.user;
+ owner = "immich";
 };
 };
 };
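Review bot: The sops placeholders on the `"clientId"` and `"clientSecret"` lines are spliced into JSON string literals with no escaping, so a secret value containing `"`, `\` or a newline would produce an invalid config file and immich would fail to start rather than reject the value. Because substitution happens at activation time, `builtins.toJSON` at eval time cannot escape the final value; a comment such as `# placeholders are substituted verbatim — secret values must not contain '"', '\' or newlines` next to the template, and a matching constraint when the secret is generated, would make that contract explicit. Also, `owner = "immich"` replaces `config.services.immich.user`; if that was done to break an evaluation cycle, a one-line comment saying so would keep the next maintainer from reverting it.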
@@ -23,21 +43,9 @@
 services.immich = {
 enable = true;
 mediaLocation = "/media/photos/immich";
- settings = {
- oauth = {
- enabled = true;
- autoLaunch = true;
- autoRegister = true;
- buttonText = "Login with Authelia";
- clientId = "immich";
- scope = "openid email profile";
- issuerUrl = "https://auth.darksailor.dev/.well-known/openid-configuration";
- };
- passwordLogin = {
- enabled = false;
- };
+ environment = {
+ IMMICH_CONFIG_FILE = config.sops.templates."immich-config.json".path;
 };
- secretsFile = config.sops.templates."OAUTH_CLIENT.env".path;
 };
 services.caddy = {
 virtualHosts."photos.darksailor.dev".extraConfig = ''
@@ -52,8 +60,8 @@
 clients = [
 {
 client_name = "immich";
- client_id = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
- client_secret = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
+ client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
+ client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
 public = false;
 authorization_policy = "one_factor";
 require_pkce = false;
@@ -65,7 +73,7 @@
 scopes = ["openid" "profile" "email"];
 response_types = ["code"];
 grant_types = ["authorization_code"];
- access_token_signed_response_alg = "none";
+ # access_token_signed_response_alg = "none";
 userinfo_signed_response_alg = "none";
 token_endpoint_auth_method = "client_secret_post";
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 0c01294b..d44c654e 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
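Review bot: `environment.IMMICH_CONFIG_FILE` now points at the sops template while `services.immich.settings` is left at the module default; if the nixpkgs immich module exports its own `IMMICH_CONFIG_FILE` for a generated settings file, which value wins depends on the module's merge order, so confirm on the running `immich-server` unit that the template path is the one in effect, or disable `settings` explicitly. Worth recording too that with `"passwordLogin"` disabled and the config sourced from a file, the web UI can no longer re-enable password login, so an Authelia outage locks out the admin until the template is changed and the service restarted; a comment on the `environment` line, e.g. `# config comes from the sops template; UI settings are read-only`, would make that visible. The `services.immich` attribute set continues outside the hunk.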
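Review bot: The switch from `fileContent` to `secret` on the `client_id` and `client_secret` lines changes how the file is read — presumably to drop a trailing newline left in the secret file — but nothing in the hunk records why; a comment like `# secret trims the trailing newline, fileContent does not` would document it. Separately, the same secret file now feeds both this `client_secret` and immich's `clientSecret`; as I understand Authelia's contract the configured client secret is a hashed digest (or a `$plaintext$`-prefixed value) while immich presents the raw value, so confirm that one stored value satisfies both sides. The client entry continues outside the hunk.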
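Review bot: `access_token_signed_response_alg` is left commented out rather than removed, and the hunk gives no reason; if the intent is to fall back to Authelia's default (which, as I recall, is `none`, i.e. opaque access tokens, making the old line a no-op), say so, e.g. `# default: opaque (unsigned) access tokens`, otherwise delete the dead line so it is not mistaken for a pending change. The enclosing client entry starts outside the hunk.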
@@ -28,7 +28,7 @@ authelia:
 oidc:
 immich:
 client_id: ENC[AES256_GCM,data:LpB+nR7SGI2EV4YK0VptF5zJ6Ai/LDfikUpoAnFWnT8krMOQ/voqjS6jhqaFz9IKhtPQL9TNZOONr5JjkDZR7sI63Ohv4Lnx,iv:J96CL8EHHj88YbQW7rdQK9C6MxXaHnMt+mgL3iL5Heg=,tag:aXD/HdWXO/e6aKGnay0W+g==,type:str]
- client_secret: ENC[AES256_GCM,data:mZ9bxeuKEYtZRRncsXBRgFeu0exO+VN9MRXFEF/KQxrDHnGkiFGQH8/wbeHnqIO8Xpmhd5PJEz5Q29rNKJE6hsomVFHASYe6w/JCaxP24Qu2nQH60YBYsk0vfVgB8QyfpbIN1lDeW+3F8YZLa1IJuxt1Cpg9cgMtaZ4AZh4cGgBxSDE=,iv:QErPIwOTBs3UJMRDTyLpNFc8unucQKzLl6WbSuJ97fY=,tag:NRQYmn6GfIMPAUKyI7QxMQ==,type:str]
+ client_secret: ENC[AES256_GCM,data:O+EF+Cim65J5LZTCcXVj0ln0TES6IOUk/YZ04JKxJZNJevOKxFq/CJdhkEgXTfgnDklob8m0nOBLAzHR0KhX+5sYW54PKge+nrnAT2qqHnHPCz9RxvyIEE1IbaF2vkBbz/s7d5L/+tiWz95aq8D3H93JDf3x6Ej0tG0auDx1Ui8=,iv:pYGNnFy+EotN5a/ODnlmYu0lqVY29IVl1KGiwoldJ5M=,tag:hwh4XjO7T650WsLBP0QptA==,type:str]
 jwks: ENC[AES256_GCM,data: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,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str]
 lldap:
 jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str]
@@ -60,7 +60,7 @@ sops:
 VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
 ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-28T22:24:11Z"
- mac: ENC[AES256_GCM,data:k7nnnBg4/5i0JdRXIvQK/zM9Xm6Ex14UTu9ZjZntal6IJuccNvMvbNLIDa4+cnjVjwaOHAXCzmCP5xQZ2R5k7b8EJ853lahMYy4ORbg0Ve5nCIZOVc0A43CfErPz4SdK+NMALP7s7z5aeb1grJ6U3RBRBTrKib//1oo5u44ozNw=,iv:6UiMxysglG0CeSUWXAPlL7qjXR876JS4yUGwBqlwcyU=,tag:mCFw+UU+7SOjw1k+A6jAqQ==,type:str]
+ lastmodified: "2025-07-28T23:58:36Z"
+ mac: ENC[AES256_GCM,data:7JGT769FVxF8SRs3CeXXzAo1arSST95bnzx6QIsFfifF4nI/xy+bGkDr+Iq4wL83AgEuL2DtJ+ZCUaCLYlfNiMgfEft/s5+fhOvJ9gB6O5YHwLOjwn2CKhqjQ38v/34URMG3P9N9GLR5nuqRpVKrjf95P5cLr9FQDMr6pe9GmPw=,iv:Pzrt44nn0Bxj8xZLi6G3bGl8nMwGHCcBFsV0b8YsJZw=,tag:tNljFnq1rb3lUBuAjQfcZA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2