Unverified Commit 64e0c305 authored by Robert Schütz's avatar Robert Schütz Committed by GitHub

immich-public-proxy: init at 1.5.4, nixos/immich-public-proxy: init module (#362907)

parents f6b0b922 62780717
+6 −0
@@ -10152,6 +10152,12 @@
    githubId = 45084216;
    keys = [ { fingerprint = "1BF9 8D10 E0D0 0B41 5723  5836 4C13 3A84 E646 9228"; } ];
  };
  jaculabilis = {
    name = "Tim Van Baak";
    email = "tim.vanbaak@gmail.com";
    github = "Jaculabilis";
    githubId = 10787844;
  };
  jaduff = {
    email = "jdduffpublic@proton.me";
    github = "jaduff";
+2 −0
@@ -81,6 +81,8 @@

- [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable).

- [immich-public-proxy](https://github.com/alangrainger/immich-public-proxy), a proxy for sharing Immich albums without exposing the Immich API. Available as [services.immich-public-proxy](#opt-services.immich-public-proxy.enable).

- [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable).

- [nvidia-gpu](https://github.com/utkuozdemir/nvidia_gpu_exporter), a Prometheus exporter that scrapes `nvidia-smi` for GPU metrics. Available as [services.prometheus.exporters.nvidia-gpu](#opt-services.prometheus.exporters.nvidia-gpu.enable).
+1 −0
@@ -1486,6 +1486,7 @@
  ./services/web-apps/icingaweb2/module-monitoring.nix
  ./services/web-apps/ifm.nix
  ./services/web-apps/immich.nix
  ./services/web-apps/immich-public-proxy.nix
  ./services/web-apps/invidious.nix
  ./services/web-apps/invoiceplane.nix
  ./services/web-apps/isso.nix
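--- /dev/null
+++ b/nixos/modules/services/web-apps/immich-public-proxy.nix
@@ -0,0 +1,98 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.immich-public-proxy;
+  format = pkgs.formats.json { };
+  inherit (lib)
+    types
+    mkIf
+    mkOption
+    mkEnableOption
+    ;
+in
+{
+  options.services.immich-public-proxy = {
+    enable = mkEnableOption "Immich Public Proxy";
+    package = lib.mkPackageOption pkgs "immich-public-proxy" { };
+
+    immichUrl = mkOption {
+      type = types.str;
+      description = "URL of the Immich instance";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 3000;
+      description = "The port that IPP will listen on.";
+    };
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to open the IPP port in the firewall";
+    };
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = format.type;
+      };
+      default = { };
+      description = ''
+        Configuration for IPP. See <https://github.com/alangrainger/immich-public-proxy/blob/main/README.md#additional-configuration> for options and defaults.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.immich-public-proxy = {
+      description = "Immich public proxy for sharing albums publicly without exposing your Immich instance";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        IMMICH_URL = cfg.immichUrl;
+        IPP_PORT = builtins.toString cfg.port;
+        IPP_CONFIG = "${format.generate "config.json" cfg.settings}";
+      };
+      serviceConfig = {
+        ExecStart = lib.getExe cfg.package;
+        SyslogIdentifier = "ipp";
+        User = "ipp";
+        Group = "ipp";
+        DynamicUser = true;
+        Type = "simple";
+        Restart = "on-failure";
+        RestartSec = 3;
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+
+    meta.maintainers = with lib.maintainers; [ jaculabilis ];
+  };
+}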
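Review bot: The hardening set under `serviceConfig` has no syscall filter and omits the usual nixpkgs companions to `DynamicUser` (`SystemCallArchitectures`, `SystemCallFilter`, `LockPersonality`, `ProtectProc`/`ProcSubset`, `UMask`), so a compromised proxy process — the one component this module is designed to expose publicly — still has the full syscall surface and can enumerate other users' `/proc` entries. The additions below are the conventional set for a network-facing daemon; `MemoryDenyWriteExecute` is deliberately not included because it breaks JIT runtimes and the upstream runtime is not visible in this diff, so confirm before adding it. Separately, `IPP_CONFIG` renders `cfg.settings` into the world-readable Nix store via `format.generate`, which is fine for the upstream options the README currently lists but deserves a sentence in the `settings` description, e.g. `Note: this file is written to the Nix store and is world-readable; do not put secrets here.`
```nix
        # Hardening
        CapabilityBoundingSet = "";
        # … unchanged: NoNewPrivileges … RestrictSUIDSGID …
        LockPersonality = true;
        ProcSubset = "pid";
        ProtectProc = "invisible";
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        UMask = "0077";
```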
+1 −0
@@ -468,6 +468,7 @@ in {
  ifm = handleTest ./ifm.nix {};
  iftop = handleTest ./iftop.nix {};
  immich = handleTest ./web-apps/immich.nix {};
  immich-public-proxy = handleTest ./web-apps/immich-public-proxy.nix {};
  incron = handleTest ./incron.nix {};
  incus = pkgs.recurseIntoAttrs (handleTest ./incus { lts = false; inherit system pkgs; });
  incus-lts = pkgs.recurseIntoAttrs (handleTest ./incus { inherit system pkgs; });