From 11f7e95d950ab47cc7c8f5d3addad70a6ad7c4cc Mon Sep 17 00:00:00 2001
From: soraefir
Date: Fri, 15 May 2026 02:26:48 +0200
Subject: [PATCH] Authentik immich
---
 modules/server/containers/apps/authentik.nix | 2 +
 modules/server/containers/apps/immich.nix | 2 +-
 .../containers/data/authentik/immich.yaml | 62 +++++++++++++++++++
 modules/server/sops/server.yaml | 6 +-
 4 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/modules/server/containers/apps/authentik.nix b/modules/server/containers/apps/authentik.nix
index a4cdc00..bb2faf3 100644
--- a/modules/server/containers/apps/authentik.nix
+++ b/modules/server/containers/apps/authentik.nix
@@ -10,6 +10,7 @@ let
 } // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
 // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
+ // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
 // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
 };
 in {
@@ -102,6 +103,7 @@ in {
 ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
 ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
 ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+ ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
 echo "Completed Authentik Setup"
 '';
diff --git a/modules/server/containers/apps/immich.nix b/modules/server/containers/apps/immich.nix
index 7fd7c38..1882e1f 100644
--- a/modules/server/containers/apps/immich.nix
+++ b/modules/server/containers/apps/immich.nix
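Review bot: The added `$AK apply_blueprint /blueprints/custom/immich.yaml` line in the second hunk is appended after the nextcloud entry, while the environment block in the first hunk inserts IMMICH_DOMAIN between gitea and nextcloud; keeping both lists in the same order makes a container with a missing blueprint easier to spot. The immich blueprint resolves `client_secret: !Env IMMICH_OAUTH_SECRET`, but nothing in these hunks shows that variable being added to the Authentik container's environment next to IMMICH_DOMAIN — if it is not already exported there, the apply presumably fails or provisions an empty secret, so that wiring should be confirmed. Both the `let` attribute set and the setup script continue outside the hunks.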
@@ -79,7 +79,7 @@ in {
 .oauth.autoLaunch = true |
 .oauth.signingAlgorithm = "RS256" |
 .oauth.profileSigningAlgorithm = "RS256" |
- .oauth.clientId = "'"$IMMICH_OAUTH_ID"'" |
+ .oauth.clientId = "immich" |
 .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" |
 .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}" |
 .oauth.scope = "openid profile email" |
diff --git a/modules/server/containers/data/authentik/immich.yaml b/modules/server/containers/data/authentik/immich.yaml
index e69de29..b2f7691 100644
--- a/modules/server/containers/data/authentik/immich.yaml
+++ b/modules/server/containers/data/authentik/immich.yaml
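Review bot: `.oauth.clientId = "immich"` hard-codes the client id here while the new blueprint hard-codes the same literal in `client_id: "immich"`; the two must stay byte-identical for login to work and nothing in the code ties them together. Since the blueprint already goes through `@IMMICH_DOMAIN@` substitution, the same mechanism could carry one Nix-defined client id (or `$IMMICH_OAUTH_ID` could be kept and fed to the blueprint via `!Env`), so the value lives in a single place; the shrunken CUSTOM blob in the sops diff suggests IMMICH_OAUTH_ID was dropped, but I cannot verify that. The neighbouring `.oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'"` splices a secret into the jq filter through shell quoting, so a secret containing `"` or `\` corrupts the JSON or alters the filter; passing it as `--arg secret "$IMMICH_OAUTH_SECRET"` and using `.oauth.clientSecret = $secret` avoids that. The enclosing jq invocation starts and ends outside the hunk.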
@@ -0,0 +1,62 @@
+version: 1
+metadata:
+ name: "Immich OAuth2 Provisioning"
+ labels:
+ app: immich
+entries:
+ - model: authentik_providers_oauth2.oauth2provider
+ identifiers:
+ name: "Immich Provider"
+ attrs:
+ authorization_flow:
+ !Find [
+ authentik_flows.flow,
+ [slug, default-provider-authorization-implicit-consent],
+ ]
+ authentication_flow:
+ !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+ invalidation_flow:
+ !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+ client_type: "confidential"
+ client_id: "immich"
+
+ client_secret: !Env IMMICH_OAUTH_SECRET
+ access_code_validity: "minutes=5"
+ token_validity: "days=30"
+ signing_key:
+ !Find [
+ authentik_crypto.certificatekeypair,
+ [name, "authentik Self-signed Certificate"],
+ ]
+ redirect_uris:
+ - url: "app.immich:///oauth-callback"
+ matching_mode: "strict"
+ - url: "https://@IMMICH_DOMAIN@/auth/login"
+ matching_mode: "regex"
+ - url: "https://@IMMICH_DOMAIN@/user-settings"
+ matching_mode: "regex"
+ property_mappings:
+ - !Find [
+ authentik_providers_oauth2.scope_mapping,
+ [scope_name, "openid"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scope_mapping,
+ [scope_name, "email"],
+ ]
+ - !Find [
+ authentik_providers_oauth2.scope_mapping,
+ [scope_name, "profile"],
+ ]
+
+ - model: authentik_core.application
+ identifiers:
+ slug: "immich"
+ attrs:
+ name: "Immich"
+ launch_url: "@IMMICH_DOMAIN@"
+ provider:
+ !Find [
+ authentik_providers_oauth2.oauth2provider,
+ [name, "Immich Provider"],
+ ]
diff --git a/modules/server/sops/server.yaml b/modules/server/sops/server.yaml
index 16cbd54..7b37ee4 100644
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
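Review bot: The two https redirect URIs use `matching_mode: "regex"` although they are literal URLs: as a regex every dot in `@IMMICH_DOMAIN@` matches any character and, unless Authentik anchors the pattern itself, trailing path or query text would also be accepted, which widens where authorization codes may be sent. Because Immich's web callback paths are fixed, `matching_mode: "strict"` (already used for `app.immich:///oauth-callback`) is the safer choice for both entries; if a regex is genuinely needed, escape the dots and anchor it with `^...$`. `launch_url: "@IMMICH_DOMAIN@"` carries no scheme, unlike every redirect URI, so the application tile presumably resolves to a relative path; `launch_url: "https://@IMMICH_DOMAIN@"` looks intended, but check against the sibling blueprints in this directory. `client_secret: !Env IMMICH_OAUTH_SECRET` also assumes that variable is exported into the Authentik container, and that wiring is not visible in this commit.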
@@ -1,4 +1,4 @@
-CUSTOM: ENC[AES256_GCM,data:zdcXDQmPriSoddWmqly1jEZ+dZ3rRyUrfdJMuyn8gJ3I7l9SJE6viiPIVkyTIIl4pqgogjY+RuauGpSK2kH0rtW2WCZSIXnqJj4sQQG39GoODxTUIa4xged7hCyhSnqwkJrfdBsOdjuGAt9cTUPh2vGr9ELrFgmPPFDhNuLOt5I6tcUkdh8YtZBFxi2h2TmGNaf11GRaVuH8q3jbNURDZTSR2SmCmNMt0jDnN6WScVOqhFR0ffSTHhyLFSgz6ChSKyzGOu6DAJuNmSNLWfdUz05tX6GeWvvArxcxUBVKVViWLxFSIsOunVUf+PlA36nbAJL1k0DDYvIerSNkN+4OXSuMKGgYsbMo5AEUACN2yrPoSNsAAknvpoFZ5XvmWk0ADUdbeg2YlyMrYcNWuhjQqZXekZi8ATH564At8OIalDCugGcC+Gw4BUyFdQtoiVuIL9Pmc63z3qoAxdYwF48b9QPsR/n9/Gh3YIb5yOKnfxBtltlgnQwDO6BHOWzpSDBMB/FzcS1dNCYMbUa5hsQ7Fw0SHA==,iv:sLnuiBpqIBhwByfJrc6haD7WnL65UcLJCR6fXTDHIgE=,tag:MDBV+1BBrsDz3spiR/C3Tw==,type:str]
+CUSTOM: ENC[AES256_GCM,data:8+973kGKWFbxGHTSnc+UDKC1Q5KKiTeESY68XHX2e2BVw7zpl2oYLPYv7wQ3JA2u6q5rFXrokNvh3ti6JcvQ/302APloPrw6YfC8RofjX7h+WVS9cBaND+AlliQqf+vGWI0VQoEFmJKogxbliIN9nGiL9FLa1QJHRJb1X4P76daakh1+P1eJlE4pgPvblPygDezabC/Pa2k3qCaGAvyOOyZYFNj5ttufmB0FlNQZMVLLuyA3xe92z6I/zbFPBY9RNa10v1+Wm5GRdD8JZHsJfPD1bLqH61mt/ZtczVY7fXnX9n3vbYYGaHiF/ylunydXgmAsDXjSWKwq5r7TCDnQR5lPqDpNtbLpnD+aY22e8AOSRlKLOhVUH2CU3B3Ry8pIYbVZz983DHgMoymd8ZISoHE+,iv:8/DRKfCYp+IG/UgxxxN2PgFjdd24Rc4wNpcVHP9KsAo=,tag:/ikcKONeiE5BWVLYoaWaCw==,type:str]
 TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
 AUTHENTIK: ENC[AES256_GCM,data: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,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
 NEXTCLOUD: 
ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -30,8 +30,8 @@ sops:
 S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
 d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-05-15T00:11:31Z"
- mac: ENC[AES256_GCM,data:CijimdAqB/4m7jH05l7YVYmFHjEkT2dsAe8yyFh3GRjkfpIr73KDiNYwigYMVtHOT63J0IU45cUUWRBgg2PHnWV3RQsHHsFLmWvsyLC/PyMSXF/DOm1aQMi8Dy473TyLi8L+UNelE4SIj4yqjC4lmwHLXNrF3iwtTktrCaGW42k=,iv:xNdJHyDPw/gGC0P0r+sUKYVXgmV1ObMZXQapABGaL40=,tag:F7eu1NwEqCEqi78/5MvCKw==,type:str]
+ lastmodified: "2026-05-15T00:19:30Z"
+ mac: ENC[AES256_GCM,data:1O2Eh2X0cflggl9CHzOS3HuCXMZnpUps9NA1kZBm0tqsPSBPqw66z+K05TbeNXCa0ctWcDM0RuCSIsmxUAsJRu89VyAQhnzdQcC/udIi47ETkwo2uHaiI6jgDIyD2pALz8drpnnSsYTVX3loS8yqh7gE4qCEGzM/GYFJqDRoba4=,iv:jl5SzOGOu3z79VzSpRiEy8yeU9E+C2NZXfKqPtcl7qE=,tag:Q6YCTJZuxWHFoAapuLJoaw==,type:str]
 pgp:
 - created_at: "2026-05-05T23:46:27Z"
 enc: |-