Immich

https://immich.app/

URL: https://pics.garlondindustries.com
Host: bay-21.lan
Authentication: OAuth (Authelia)
Backup: TO DO

Setup

OAuth

External library

Configured a dedicated NFS share as the external library. This share is also configured as global external storage in Nextcloud, accessible to all authenticated users.

An external library can only be owned by one user; there is no direct way to share external libraries between users (yet). As a workaround, other users can be added as sharing partners (they will see the sharing user's timeline including external libraries, but excluding locked folders, archive and deleted items), and/or photos from the external library can be put (scripted?) into shared albums. The difference is that users can edit shared albums, while they only have read-only access to partner-shared photos.

Unraid NFS share:

External library owned by admin user. Cron-based scans running every 15 minutes.

Setup

docker-compose:



OAuth

Create the client secret with Authelia: https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret

$ docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
Random Password: [...]
Digest: $pbkdf2-sha512$[...]

Add the client config (/mnt/docker/custom_config/authelia/configuration.yml), skipping the schema extension for immich_quota and immich_role for now. To add those, see https://immich.app/docs/administration/oauth/:

      - id: 'immich'
        secret: '$pbkdf2-sha512$[...]'
        public: false
        require_pkce: false
        redirect_uris:
          - 'https://pics.garlondindustries.com/auth/login'
          - 'https://pics.garlondindustries.com/user-settings'
          - 'pics.garlondindustries.com:///oauth-callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          #- 'immich_scope'
        #claims_policy: 'immich_policy'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        id_token_signed_response_alg: 'RS256'
        userinfo_signed_response_alg: 'RS256'
        token_endpoint_auth_method: 'client_secret_post'
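
An added example (not part of the original notes, and not Authelia's own code) that checks that the "Random Password" handed to Immich matches the digest stored in configuration.yml, and that the digest is well formed. It assumes the digest layout $pbkdf2-sha512$<iterations>$<salt>$<hash> with salt and hash in unpadded base64 using '.' in place of '+'; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

VARIANT = "pbkdf2-sha512"


def _ab64_encode(raw: bytes) -> str:
    # Assumed encoding: standard base64, padding stripped, '.' instead of '+'.
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")


def _ab64_decode(text: str) -> bytes:
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)  # raises ValueError on junk


def parse_digest(digest: str):
    """Return (iterations, salt, key); raise ValueError if the digest is malformed."""
    parts = digest.split("$")
    # A well-formed digest splits into ['', variant, iterations, salt, key].
    # A prefix pasted twice yields six fields and is rejected here.
    if len(parts) != 5 or parts[0] != "" or parts[1] != VARIANT:
        raise ValueError("expected $pbkdf2-sha512$<iterations>$<salt>$<hash>")
    if not (parts[2].isascii() and parts[2].isdigit()) or int(parts[2]) < 1:
        raise ValueError("iteration count must be a positive integer")
    return int(parts[2]), _ab64_decode(parts[3]), _ab64_decode(parts[4])


def make_digest(secret: str, iterations: int, salt: bytes) -> str:
    key = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations)
    return f"${VARIANT}${iterations}${_ab64_encode(salt)}${_ab64_encode(key)}"


def verify(secret: str, digest: str) -> bool:
    """True if the plaintext client secret matches the stored digest."""
    iterations, salt, key = parse_digest(digest)
    candidate = hashlib.pbkdf2_hmac(
        "sha512", secret.encode(), salt, iterations, dklen=len(key)
    )
    return hmac.compare_digest(candidate, key)  # constant-time comparison


# Constructed sample values; the low iteration count only keeps the demo fast.
SAMPLE_SECRET = "constructed-sample-secret"
SAMPLE_DIGEST = make_digest(SAMPLE_SECRET, 1000, b"constructed-salt")

if __name__ == "__main__":
    print("secret matches digest:", verify(SAMPLE_SECRET, SAMPLE_DIGEST))
```

Only the digest belongs in the Authelia configuration; the plaintext value goes into Immich's OAuth settings as the client secret.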

Reverse Proxy

Defined proxy host https://pics.garlondindustries.com.

WebSocket support had to be enabled on the proxy host. Without it, Immich shows “Server Offline” and “unknown” for the version info, as it seems to check against the public URL via WebSocket.