Add immich to the set of programs we have configured

nix/deployments/hive.nix

@@ -61,6 +61,7 @@ in
         ../home/programs/jellyfin
         ../home/programs/calibre-web
         ../home/programs/forgejo/webserver.nix
+        ../home/programs/immich
       ];
 
       fileSystems."/storage" = {

nix/home/programs/immich/default.nix

@@ -0,0 +1,62 @@
+{ lib, config, ... }:
+
+let
+  immichDomain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/immichdomain;
+in
+{
+  services.immich = {
+    enable = true;
+  port = 2283;
+  mediaLocation = "/storage/organized/photos";
+
+  ## Enable hardware acceleration for video
+  # `null` will give access to all devices.
+# You may want to restrict this by using something like `[ "/dev/dri/renderD128" ]`
+  accelerationDevices = null;
+
+  settings.server.externalDomain = "https://${immichDomain}";
+};
+
+  hardware.graphics = {
+    enable = true;
+    # Maybe we need more here, hard to say...
+  };
+
+  users.users.immich.extraGroups = [ "video" "render" "multimedia"
+  # something strange here about remote file-system groups...
+  "jellyfin" ];
+
+  ## Expose immich to "the world"
+  networking.firewall = {
+    allowedTCPPorts = [
+      #nginx
+      80
+      443
+    ];
+  };
+
+  services.nginx = {
+
+    recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."${immichDomain}" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 50000M;
+        proxy_read_timeout   600s;
+        proxy_send_timeout   600s;
+        send_timeout         600s;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString config.services.immich.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
+