feat: Added sso to immich

2025-07-29 05:29:33 +05:30
parent 26b5ab00d5
commit 6f4b4b0e29
2 changed files with 34 additions and 26 deletions
--- a/nixos/mirai/services/immich.nix
+++ b/nixos/mirai/services/immich.nix
@@ -9,13 +9,33 @@
      mode = "0440";
    };
    templates = {
-      "OAUTH_CLIENT.env" = {
-        content = ''
-          OAUTH_CLIENT_ID=${config.sops.placeholder."authelia/oidc/immich/client_id"}
-          OAUTH_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/immich/client_secret"}
-        '';
+      "immich-config.json" = {
+        content =
+          /*
+          json
+          */
+          ''
+            {
+              "oauth": {
+                "clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
+                "clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
+                "enabled": true,
+                "autoLaunch": true,
+                "autoRegister": true,
+                "buttonText": "Login with Authelia",
+                "scope": "openid email profile",
+                "issuerUrl": "https://auth.darksailor.dev"
+              },
+              "passwordLogin" : {
+                "enabled": false
+              },
+              "server": {
+                "externalDomain": "https://photos.darksailor.dev"
+              }
+            }
+          '';
        mode = "0400";
-        owner = config.services.immich.user;
+        owner = "immich";
      };
    };
  };
@@ -23,21 +43,9 @@
  services.immich = {
    enable = true;
    mediaLocation = "/media/photos/immich";
-    settings = {
-      oauth = {
-        enabled = true;
-        autoLaunch = true;
-        autoRegister = true;
-        buttonText = "Login with Authelia";
-        clientId = "immich";
-        scope = "openid email profile";
-        issuerUrl = "https://auth.darksailor.dev/.well-known/openid-configuration";
-      };
-      passwordLogin = {
-        enabled = false;
-      };
+    environment = {
+      IMMICH_CONFIG_FILE = config.sops.templates."immich-config.json".path;
    };
-    secretsFile = config.sops.templates."OAUTH_CLIENT.env".path;
  };
  services.caddy = {
    virtualHosts."photos.darksailor.dev".extraConfig = ''
@@ -52,8 +60,8 @@
            clients = [
              {
                client_name = "immich";
-                client_id = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
-                client_secret = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
+                client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
+                client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
                public = false;
                authorization_policy = "one_factor";
                require_pkce = false;
@@ -65,7 +73,7 @@
                scopes = ["openid" "profile" "email"];
                response_types = ["code"];
                grant_types = ["authorization_code"];
-                access_token_signed_response_alg = "none";
+                # access_token_signed_response_alg = "none";
                userinfo_signed_response_alg = "none";
                token_endpoint_auth_method = "client_secret_post";
              }