From f54b895602857606f776c87a23791c6a5c652f3b Mon Sep 17 00:00:00 2001
From: Haak Saxberg
Date: Thu, 2 Oct 2025 21:00:17 -0700
Subject: [PATCH] Add immich to the set of programs we have configured
---
 nix/deployments/hive.nix | 1 +
 nix/home/programs/immich/default.nix | 62 ++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 nix/home/programs/immich/default.nix
diff --git a/nix/deployments/hive.nix b/nix/deployments/hive.nix
index fcf64a6..622710a 100644
--- a/nix/deployments/hive.nix
+++ b/nix/deployments/hive.nix
@@ -61,6 +61,7 @@ in
 ../home/programs/jellyfin
 ../home/programs/calibre-web
 ../home/programs/forgejo/webserver.nix
+ ../home/programs/immich
 ];

 fileSystems."/storage" = {
diff --git a/nix/home/programs/immich/default.nix b/nix/home/programs/immich/default.nix
new file mode 100644
index 0000000..c2c8ccc
--- /dev/null
+++ b/nix/home/programs/immich/default.nix
@@ -0,0 +1,62 @@
+{ lib, config, ... }:
+
+let
+ immichDomain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/immichdomain;
+in
+{
+ services.immich = {
+ enable = true;
+ port = 2283;
+ mediaLocation = "/storage/organized/photos";
+
+ ## Enable hardware acceleration for video
+ # `null` will give access to all devices.
+# You may want to restrict this by using something like `[ "/dev/dri/renderD128" ]`
+ accelerationDevices = null;
+
+ settings.server.externalDomain = "https://${immichDomain}";
+};
+
+ hardware.graphics = {
+ enable = true;
+ # Maybe we need more here, hard to say...
+ };
+
+ users.users.immich.extraGroups = [ "video" "render" "multimedia"
+ # something strange here about remote file-system groups...
+ "jellyfin" ];
+
+ ## Expose immich to "the world"
+ networking.firewall = {
+ allowedTCPPorts = [
+ #nginx
+ 80
+ 443
+ ];
+ };
+
+ services.nginx = {
+
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."${immichDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
+
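Review bot: `accelerationDevices = null` gives the immich service access to every device node on the host, and the same file publishes that service on 80/443 through the nginx vhost. The comment above the option already names the narrower form; `accelerationDevices = [ "/dev/dri/renderD128" ];` (after confirming the render node on this host) keeps hardware transcoding while limiting what a compromised immich process can reach. The same least-privilege concern applies to `users.users.immich.extraGroups`: membership in `jellyfin` presumably grants access to that service's files, so replace the "something strange" comment with one naming the path that needs it, or use a dedicated shared group, so the grant can be reviewed. Separately, `services.nginx` has no `enable = true;` in this module, so the vhost appears to rely on another imported module enabling nginx; confirm that or set it explicitly here.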