====== Immich ======
[[https://immich.app/]]
^ URL | [[https://pics.garlondindustries.com]] |
^ Host | bay-21.lan |
^ Authentication | OAuth (Authelia) |
^ Backup | TO DO |
===== Setup =====
=== OAuth ===
=== external library ===
Configured a dedicated NFS share as the external library. This share is also configured as global external storage in Nextcloud, accessible to all authenticated users.
An external library can only be owned by one user; there is no direct way to share external libraries between users (yet).
As a workaround, other users can be added as sharing partners (they will see the sharing user's timeline including external libraries, excluding locked folders, archive and deleted), and/or photos from the external library can be put (scripted?) into shared albums. The difference is that users can edit shared albums, while they only have read-only access to partner-shared photos.
Unraid NFS share:
  * nc-immich
  * private
  * 10.0.0.55(rw,sync,all_squash,anonuid=5010,anongid=5010)
  * 10.0.0.44(rw,sync,all_squash,anonuid=5010,anongid=5010)
External library owned by admin user. Cron-based scans running every 15 minutes.
===== Setup =====
docker-compose:
==== OAuth ====
Authelia

Create the client secret:
https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
<code>
$ docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
Random Password: [...]
Digest: $pbkdf2-sha512$[...]
</code>
Add the client config (/mnt/docker/custom_config/authelia/configuration.yml), skipping the schema extension for immich_quota and immich_role for now. To add those, see https://immich.app/docs/administration/oauth/ :
<code yaml>
# entry in the clients list under identity_providers.oidc
- id: 'immich'
  # the "Digest" value from the command above, pasted once
  secret: '$pbkdf2-sha512$[...]'
  public: false
  require_pkce: false
  redirect_uris:
    - 'https://pics.garlondindustries.com/auth/login'
    - 'https://pics.garlondindustries.com/user-settings'
    - 'pics.garlondindustries.com:///oauth-callback'
  scopes:
    - 'openid'
    - 'profile'
    - 'email'
    #- 'immich_scope'
  #claims_policy: 'immich_policy'
  response_types:
    - 'code'
  grant_types:
    - 'authorization_code'
  id_token_signed_response_alg: 'RS256'
  userinfo_signed_response_alg: 'RS256'
  token_endpoint_auth_method: 'client_secret_post'
</code>
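Immich is given the "Random Password" while Authelia stores the "Digest", so a paste error in either place only shows up as a failed login. The following check is an added example, not part of the original notes or of Authelia: it assumes the digest layout ''$pbkdf2-sha512$<iterations>$<salt>$<key>'' with passlib-style adapted base64 for salt and key, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Assumed field layout: $pbkdf2-sha512$<iterations>$<salt>$<key>
DIGEST_RE = re.compile(r"^\$pbkdf2-sha512\$(\d+)\$([A-Za-z0-9./]+)\$([A-Za-z0-9./]+)$")
PREFIX = "$pbkdf2-sha512$"


def _ab64_decode(text):
    # Assumption: adapted base64 ('.' in place of '+', padding stripped).
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _ab64_encode(raw):
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")


def parse_digest(digest):
    """Return (iterations, salt, key); raise ValueError on a malformed value."""
    if digest.count(PREFIX) > 1:
        raise ValueError("algorithm prefix appears more than once (paste error)")
    m = DIGEST_RE.match(digest)
    if not m:
        raise ValueError("not a single well-formed pbkdf2-sha512 digest")
    return int(m.group(1)), _ab64_decode(m.group(2)), _ab64_decode(m.group(3))


def secret_matches(plaintext, digest):
    """True if the plaintext set in Immich hashes to the digest set in Authelia."""
    iterations, salt, key = parse_digest(digest)
    candidate = hashlib.pbkdf2_hmac("sha512", plaintext.encode(), salt, iterations, len(key))
    return hmac.compare_digest(candidate, key)


def make_constructed_digest(plaintext, salt, iterations=1000):
    # Builds sample input for the demo only; the low iteration count keeps it fast.
    key = hashlib.pbkdf2_hmac("sha512", plaintext.encode(), salt, iterations)
    return "%s%d$%s$%s" % (PREFIX, iterations, _ab64_encode(salt), _ab64_encode(key))


if __name__ == "__main__":
    sample = make_constructed_digest("constructed-secret", b"0123456789abcdef")
    print("match:", secret_matches("constructed-secret", sample))
    print("mismatch:", secret_matches("something-else", sample))
```

For a real check, pass the values from the password manager and from configuration.yml instead of the constructed sample, and avoid typing the plaintext on a command line where it would land in shell history.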
==== Reverse Proxy ====
Defined proxy host https://pics.garlondindustries.com.
WebSocket support needed to be enabled; otherwise, Immich would show "Server Offline" and "unknown" for version info, as it seems to check against the public URL via WebSocket.