Authentik immich

modules/server/containers/apps/authentik.nix

@@ -10,6 +10,7 @@ let
     } 
     // (if serverCfg.containers?jellyfin then { JELLYFIN_DOMAIN = "${serverCfg.containers.jellyfin.subdomain}.${serverCfg.domain}";} else {})
     // (if serverCfg.containers?gitea then { GITEA_DOMAIN = "${serverCfg.containers.gitea.subdomain}.${serverCfg.domain}";} else {})
+    // (if serverCfg.containers?immich then { IMMICH_DOMAIN = "${serverCfg.containers.immich.subdomain}.${serverCfg.domain}";} else {})
     // (if serverCfg.containers?nextcloud then { NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain}.${serverCfg.domain}";} else {});
   };
 in {
@@ -102,6 +103,7 @@ in {
       ${lib.optionalString (serverCfg.containers ? gitea) ''$AK apply_blueprint /blueprints/custom/gitea.yaml''}
       ${lib.optionalString (serverCfg.containers ? jellyfin) ''$AK apply_blueprint /blueprints/custom/jellyfin.yaml''}
       ${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
+      ${lib.optionalString (serverCfg.containers ? immich) ''$AK apply_blueprint /blueprints/custom/immich.yaml''}
 
       echo "Completed Authentik Setup"
       '';

modules/server/containers/apps/immich.nix

@@ -79,7 +79,7 @@ in {
                           .oauth.autoLaunch = true |
                           .oauth.signingAlgorithm = "RS256" |
                           .oauth.profileSigningAlgorithm = "RS256" |
-                          .oauth.clientId = "'"$IMMICH_OAUTH_ID"'" | 
+                          .oauth.clientId = "immich" | 
                           .oauth.clientSecret = "'"$IMMICH_OAUTH_SECRET"'" | 
                           .oauth.issuerUrl = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.domain}" | 
                           .oauth.scope = "openid profile email" |

modules/server/containers/data/authentik/immich.yaml

@@ -0,0 +1,62 @@
+version: 1
+metadata:
+  name: "Immich OAuth2 Provisioning"
+  labels:
+    app: immich
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    identifiers:
+      name: "Immich Provider"
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      authentication_flow:
+        !Find [authentik_flows.flow, [slug, default-authentication-flow]]
+      invalidation_flow:
+        !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      client_type: "confidential"
+      client_id: "immich"
+
+      client_secret: !Env IMMICH_OAUTH_SECRET
+      access_code_validity: "minutes=5"
+      token_validity: "days=30"
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, "authentik Self-signed Certificate"],
+        ]
+      redirect_uris:
+        - url: "app.immich:///oauth-callback"
+          matching_mode: "strict"
+        - url: "https://@IMMICH_DOMAIN@/auth/login"
+          matching_mode: "regex"
+        - url: "https://@IMMICH_DOMAIN@/user-settings"
+          matching_mode: "regex"
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scope_mapping,
+            [scope_name, "openid"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scope_mapping,
+            [scope_name, "email"],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scope_mapping,
+            [scope_name, "profile"],
+          ]
+
+  - model: authentik_core.application
+    identifiers:
+      slug: "immich"
+    attrs:
+      name: "Immich"
+      launch_url: "@IMMICH_DOMAIN@"
+      provider:
+        !Find [
+          authentik_providers_oauth2.oauth2provider,
+          [name, "Immich Provider"],
+        ]

modules/server/sops/server.yaml

@@ -1,4 +1,4 @@
-CUSTOM: ENC[AES256_GCM,data:zdcXDQmPriSoddWmqly1jEZ+dZ3rRyUrfdJMuyn8gJ3I7l9SJE6viiPIVkyTIIl4pqgogjY+RuauGpSK2kH0rtW2WCZSIXnqJj4sQQG39GoODxTUIa4xged7hCyhSnqwkJrfdBsOdjuGAt9cTUPh2vGr9ELrFgmPPFDhNuLOt5I6tcUkdh8YtZBFxi2h2TmGNaf11GRaVuH8q3jbNURDZTSR2SmCmNMt0jDnN6WScVOqhFR0ffSTHhyLFSgz6ChSKyzGOu6DAJuNmSNLWfdUz05tX6GeWvvArxcxUBVKVViWLxFSIsOunVUf+PlA36nbAJL1k0DDYvIerSNkN+4OXSuMKGgYsbMo5AEUACN2yrPoSNsAAknvpoFZ5XvmWk0ADUdbeg2YlyMrYcNWuhjQqZXekZi8ATH564At8OIalDCugGcC+Gw4BUyFdQtoiVuIL9Pmc63z3qoAxdYwF48b9QPsR/n9/Gh3YIb5yOKnfxBtltlgnQwDO6BHOWzpSDBMB/FzcS1dNCYMbUa5hsQ7Fw0SHA==,iv:sLnuiBpqIBhwByfJrc6haD7WnL65UcLJCR6fXTDHIgE=,tag:MDBV+1BBrsDz3spiR/C3Tw==,type:str]
+CUSTOM: ENC[AES256_GCM,data:8+973kGKWFbxGHTSnc+UDKC1Q5KKiTeESY68XHX2e2BVw7zpl2oYLPYv7wQ3JA2u6q5rFXrokNvh3ti6JcvQ/302APloPrw6YfC8RofjX7h+WVS9cBaND+AlliQqf+vGWI0VQoEFmJKogxbliIN9nGiL9FLa1QJHRJb1X4P76daakh1+P1eJlE4pgPvblPygDezabC/Pa2k3qCaGAvyOOyZYFNj5ttufmB0FlNQZMVLLuyA3xe92z6I/zbFPBY9RNa10v1+Wm5GRdD8JZHsJfPD1bLqH61mt/ZtczVY7fXnX9n3vbYYGaHiF/ylunydXgmAsDXjSWKwq5r7TCDnQR5lPqDpNtbLpnD+aY22e8AOSRlKLOhVUH2CU3B3Ry8pIYbVZz983DHgMoymd8ZISoHE+,iv:8/DRKfCYp+IG/UgxxxN2PgFjdd24Rc4wNpcVHP9KsAo=,tag:/ikcKONeiE5BWVLYoaWaCw==,type:str]
 TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
 AUTHENTIK: ENC[AES256_GCM,data:HlUFb7JjzSMTM345miSLlUE4SEXgaRAx7SkDDQzaJzs9VuifJKtOE2M4PCKc35VjVt9xIFH+YoIE93re10Rwbe+QEaUphPOgb/G7jRhaaPV/roBYuv6uO5xy68jaVJZpobxajOSVUmJa1JANCh1qrX0+Imr6udYULvK6wQzAnu2tEDkElQ3eZtezUa4E5ia1j7RCYTTPW9oie+YEVJl5Aws2HzPK5q0wKojZOmHanbnKzij3KnSgtsMc3ftL1Fam3wlSk2n3Tw0nz8aBag9IPwYje5zdBkDJY6qiBwYKcBPQUIW+Na0xX2JHymwJSzMdKmW8cEV9b1fXCPsnYVXulb4VMVkTk4MibZ3YT57wlFhqhSy7D39ZTySllIZg8sOrj8cKhpJ3HlSbceD1GnPJatVzZkDkDeyICLu9sYX3B+KrCDlL5sUMPagUFc3g3HUAPxLVPltoP69ro69acUoz5w8gkAwHlE45I3biC/jLz4telEcW8GkF868j3gsHiayE3f87T5MOPvuvhAFdSMl3SF1ND3mWjJq7+FmA6BhxgESg4m+vPnYyVumcbXJnbgfW69BgPYcL1CWZcA+SP6OWg9GOYT5SuWixkaGn2TgRAUj3nlCcAja8,iv:uXAyOIBl9lGYBvALMdvp2hf6cj6QGWRcyUvEsjIDr1I=,tag:iLxO/qYT2zafXhFGVVUYkA==,type:str]
 NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
@@ -30,8 +30,8 @@ sops:
             S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
             d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-15T00:11:31Z"
+    lastmodified: "2026-05-15T00:19:30Z"
-    mac: ENC[AES256_GCM,data:CijimdAqB/4m7jH05l7YVYmFHjEkT2dsAe8yyFh3GRjkfpIr73KDiNYwigYMVtHOT63J0IU45cUUWRBgg2PHnWV3RQsHHsFLmWvsyLC/PyMSXF/DOm1aQMi8Dy473TyLi8L+UNelE4SIj4yqjC4lmwHLXNrF3iwtTktrCaGW42k=,iv:xNdJHyDPw/gGC0P0r+sUKYVXgmV1ObMZXQapABGaL40=,tag:F7eu1NwEqCEqi78/5MvCKw==,type:str]
+    mac: ENC[AES256_GCM,data:1O2Eh2X0cflggl9CHzOS3HuCXMZnpUps9NA1kZBm0tqsPSBPqw66z+K05TbeNXCa0ctWcDM0RuCSIsmxUAsJRu89VyAQhnzdQcC/udIi47ETkwo2uHaiI6jgDIyD2pALz8drpnnSsYTVX3loS8yqh7gE4qCEGzM/GYFJqDRoba4=,iv:jl5SzOGOu3z79VzSpRiEy8yeU9E+C2NZXfKqPtcl7qE=,tag:Q6YCTJZuxWHFoAapuLJoaw==,type:str]
     pgp:
         - created_at: "2026-05-05T23:46:27Z"
           enc: |-