feat: Added sso to immich

2025-07-29 05:29:33 +05:30
parent 26b5ab00d5
commit 6f4b4b0e29
2 changed files with 34 additions and 26 deletions
--- a/nixos/mirai/services/immich.nix
+++ b/nixos/mirai/services/immich.nix
@@ -9,13 +9,33 @@
      mode = "0440";
    };
    templates = {
-      "OAUTH_CLIENT.env" = {
+      "immich-config.json" = {
-        content = ''
+        content =
-          OAUTH_CLIENT_ID=${config.sops.placeholder."authelia/oidc/immich/client_id"}
+          /*
-          OAUTH_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/immich/client_secret"}
+          json
          */
          ''
            {
              "oauth": {
                "clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
                "clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
                "enabled": true,
                "autoLaunch": true,
                "autoRegister": true,
                "buttonText": "Login with Authelia",
                "scope": "openid email profile",
                "issuerUrl": "https://auth.darksailor.dev"
              },
              "passwordLogin" : {
                "enabled": false
              },
              "server": {
                "externalDomain": "https://photos.darksailor.dev"
              }
            }
          '';
        mode = "0400";
-        owner = config.services.immich.user;
+        owner = "immich";
      };
    };
  };
@@ -23,21 +43,9 @@
  services.immich = {
    enable = true;
    mediaLocation = "/media/photos/immich";
-    settings = {
+    environment = {
-      oauth = {
+      IMMICH_CONFIG_FILE = config.sops.templates."immich-config.json".path;
        enabled = true;
        autoLaunch = true;
        autoRegister = true;
        buttonText = "Login with Authelia";
        clientId = "immich";
        scope = "openid email profile";
        issuerUrl = "https://auth.darksailor.dev/.well-known/openid-configuration";
    };
      passwordLogin = {
        enabled = false;
      };
    };
    secretsFile = config.sops.templates."OAUTH_CLIENT.env".path;
  };
  services.caddy = {
    virtualHosts."photos.darksailor.dev".extraConfig = ''
@@ -52,8 +60,8 @@
            clients = [
              {
                client_name = "immich";
-                client_id = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
+                client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
-                client_secret = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
+                client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
                public = false;
                authorization_policy = "one_factor";
                require_pkce = false;
@@ -65,7 +73,7 @@
                scopes = ["openid" "profile" "email"];
                response_types = ["code"];
                grant_types = ["authorization_code"];
-                access_token_signed_response_alg = "none";
+                # access_token_signed_response_alg = "none";
                userinfo_signed_response_alg = "none";
                token_endpoint_auth_method = "client_secret_post";
              }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -28,7 +28,7 @@ authelia:
    oidc:
        immich:
            client_id: ENC[AES256_GCM,data:LpB+nR7SGI2EV4YK0VptF5zJ6Ai/LDfikUpoAnFWnT8krMOQ/voqjS6jhqaFz9IKhtPQL9TNZOONr5JjkDZR7sI63Ohv4Lnx,iv:J96CL8EHHj88YbQW7rdQK9C6MxXaHnMt+mgL3iL5Heg=,tag:aXD/HdWXO/e6aKGnay0W+g==,type:str]
-            client_secret: ENC[AES256_GCM,data:mZ9bxeuKEYtZRRncsXBRgFeu0exO+VN9MRXFEF/KQxrDHnGkiFGQH8/wbeHnqIO8Xpmhd5PJEz5Q29rNKJE6hsomVFHASYe6w/JCaxP24Qu2nQH60YBYsk0vfVgB8QyfpbIN1lDeW+3F8YZLa1IJuxt1Cpg9cgMtaZ4AZh4cGgBxSDE=,iv:QErPIwOTBs3UJMRDTyLpNFc8unucQKzLl6WbSuJ97fY=,tag:NRQYmn6GfIMPAUKyI7QxMQ==,type:str]
+            client_secret: ENC[AES256_GCM,data:O+EF+Cim65J5LZTCcXVj0ln0TES6IOUk/YZ04JKxJZNJevOKxFq/CJdhkEgXTfgnDklob8m0nOBLAzHR0KhX+5sYW54PKge+nrnAT2qqHnHPCz9RxvyIEE1IbaF2vkBbz/s7d5L/+tiWz95aq8D3H93JDf3x6Ej0tG0auDx1Ui8=,iv:pYGNnFy+EotN5a/ODnlmYu0lqVY29IVl1KGiwoldJ5M=,tag:hwh4XjO7T650WsLBP0QptA==,type:str]
        jwks: ENC[AES256_GCM,data:1efhdlYmiD/y4kzK0hFfLAmY6rXK0hvZez/tu1cb2hfUhIM/DzNNthKQjH8Cu2TlZwDQpUIrCO7Tr0BbkiREC+VNK4vYgi+GWswnG7VCZS40xRAZhSArNO2uQ4dpf/KAHRSSJa3i7gGOqSG/Pnrl3TRhzkhkfWSRk+7koPWKpYJOKLem+ZLN75yssCsEbYIOHjcXyizNHt6SE2ylqqCjyWnlhlnRQStYaFPWAAABcm96MkSThSyRd6hTAifC/aZiM1IMlLw7wJJk01uwjJytlxBxDiFrdr4Grg0PzOsOAocex9Siw5fzcr7dFpVBoaS7e7nD/sccGSyEysw/t+wvkMou1Ewr5U2Pnew8lPjSrEiiGxuPwmK9kHxD3L6cADxF6xs4bn+Iqa/yy9FWbtGZfBYOxJiRvXgxBPiO7CH4tJyVIbnLfi8K/zCJC9u5vO+WFXiVIzXxAPVUL7VKQQZGxV7989LMdcjzck+B1zFHVQz25siwbpu0FxMxiJsVtBxu1U+QBRfQrwLacX2NAJvqYNZxr+9l43Fh0x8dS5CBheVEy39sXge9jLyS7kIW0FfvgJaHuLL2/GhDGsvfi7zFPOc8Thg+8LP58L8wzPT+LvVoidq/j3K2Ct6udn9JsOnbZT3Gs1RiY+E77H09GbdwIrP0sGVi4ZJe++w+sKNjyzLzceEYGkfa1EiMQhYPHzqUAwqtgmJZo9tY+2jOBJb9ZU+Kj0xtqZsjFpHaGWsRj8XGkPrAFEh6Z6/Ak9/BpYaapPeAO3Wa6tzNVlTCtaX786nSTjfGC7v9O4Uz8XQr0HV3A7wj36Fw3dqERZFKea7BJbiiAiEZtnOsbWVqQXpIUVfCvPhfwuFcOU/ClyM1fGyZXaCIeB62Tkqa+ZlqRQgzzf3bSFUK0PgxE3Ny5pIPzNEINqse+6DeFuF91uY1dLQB4Vizyzv1H+X/OecO9K8kECM1wUy3Fbbyh4tYYxt4VvqFQZ1o4A7Jd04WCIf3hdAHmwvOQW+/8dfnyLa8kqTcQYeI3jfjtRvD6TaZl21K9kFY2VJAexdno9bbozDOus1Ep92ublwonVjfvzbyDURHGF6Cw2OL7xcbHQIMz/ZmkVHMra49NHgWlI6X0slgYDxKKDszHhZ9SHkEXF8pJf+uogbwSwz1glRkEdn1oprbs8GsFoc7HGVvSHRgOWKHwvhZD2tMiSE4cEFZ9/2nSPISQMNGuS7wgnVkalKPW+gF1EWVXczanzKsrpcDtpMdFufMRVusaJBV5Jw62I++cx1AMW2dRTseQyWLchRWtOba6dd9gbNzGi39+njHClHIEUxaxXzxIQLhSgCA9loXRc26ZA6DpwHQR+gtH2OybeFEiH390YoSfFeZuU+f0E2awMdpiEsBL/AniUcboDaBEaDQYpwUawNL+II7rmSn4rTJM64n5z3B88U/vAQh9BQFhf7SDKb05n/ArCibkdy3gbo8rTVH1gGbmW53DTxzuW+AEpFcuueiP3yz1vGzEwKSX+LMkCwFwk6Y/VcqHXW+PdZ88SFUr5WELGPkZxT3AvmduBCifE0KDzKWrN3yy1xwEQDGrYiqeHqeqHpEuk/KpxeAwepqWayGMq6iT4BWUBojNo6quoXkPPodSsotbBFLjyRHoDGm0NZSbgluOUyERrN6M+ELdHqQjeNTS046KB6QnG5s+uTA+uxyonvmPCPBgFAd0q0qfq4T/SISHrPe13Y7nHnATxoMBszvIfKznqFthTBsc3V9C5+g/kcOzcEQpAC6baGe+eq23m/Go3uDa7O84Euxhj9C5NBcidvgmYmRZuY6l2ehnxf1oGoGwHBJEaYEuCk7sc3Wac6u2OvqCIKPxRdi2tUiZ9FwCGLqd8qcLEPtsSaBNk2CVlK9ZkgPzSYH794qpNQDWkyv5SJ4V9zy2LL+s9MHtHNQu6QxALZ8c0GfQetTI5ArkC3cBz/3mRdDMy9k7HpO7b6USoxqGAZ+H4kzJhus9QwjaqJnnB+fJI5O2ek5TVLY9RWXo+W2pCBDjt925BVoChkvkUEg4GtvR+8/yChgYEgYWUPqRV4vMEwQiRoaJamL/E+lRaUx+c0f9ga8+k0JdfxfzoIPUA3/rBGcfO8Y12RF8Ool4hreP409KjdPP0PeeOVKg58MPYNO5O0BdT62nyL+fSvJkw7uPGcOwtOtcxjcBsNhoFv0twrCp8S3cLX45GTNaTw+JHcxsTzG9ibL3bFtVkAAiZHZGMisEjTSGElSGIDk+MoPt68hq4BRioab,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str]
 lldap:
    jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str]
@@ -60,7 +60,7 @@ sops:
            VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
            ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-28T22:24:11Z"
+    lastmodified: "2025-07-28T23:58:36Z"
-    mac: ENC[AES256_GCM,data:k7nnnBg4/5i0JdRXIvQK/zM9Xm6Ex14UTu9ZjZntal6IJuccNvMvbNLIDa4+cnjVjwaOHAXCzmCP5xQZ2R5k7b8EJ853lahMYy4ORbg0Ve5nCIZOVc0A43CfErPz4SdK+NMALP7s7z5aeb1grJ6U3RBRBTrKib//1oo5u44ozNw=,iv:6UiMxysglG0CeSUWXAPlL7qjXR876JS4yUGwBqlwcyU=,tag:mCFw+UU+7SOjw1k+A6jAqQ==,type:str]
+    mac: ENC[AES256_GCM,data:7JGT769FVxF8SRs3CeXXzAo1arSST95bnzx6QIsFfifF4nI/xy+bGkDr+Iq4wL83AgEuL2DtJ+ZCUaCLYlfNiMgfEft/s5+fhOvJ9gB6O5YHwLOjwn2CKhqjQ38v/34URMG3P9N9GLR5nuqRpVKrjf95P5cLr9FQDMr6pe9GmPw=,iv:Pzrt44nn0Bxj8xZLi6G3bGl8nMwGHCcBFsV0b8YsJZw=,tag:tNljFnq1rb3lUBuAjQfcZA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2