
feat(odin+immich+cloudflare): we have a photos solution

Zander Hawke 9 tháng trước cách đây
mục cha
commit
95aee9ab2c

+ 22 - 22
flake.lock

@@ -109,11 +109,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756415044,
-        "narHash": "sha256-Oj4Tvk1Za5CqGxZ43IoGWBySgfN0/JK+rfb1Tmk59QQ=",
+        "lastModified": 1756819550,
+        "narHash": "sha256-mEOVgPTK9rL4500U+KslZXyXQOD/v4iW0nu5oc0pbkc=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "c570189b38b549141179647da3ddde249ac50fec",
+        "rev": "f0a22d26a3c5f6f66249739a0e59ab828271ce72",
         "type": "github"
       },
       "original": {
@@ -129,11 +129,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756115622,
-        "narHash": "sha256-iv8xVtmLMNLWFcDM/HcAPLRGONyTRpzL9NS09RnryRM=",
+        "lastModified": 1756733629,
+        "narHash": "sha256-dwWGlDhcO5SMIvMSTB4mjQ5Pvo2vtxvpIknhVnSz2I8=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "bafad29f89e83b2d861b493aa23034ea16595560",
+        "rev": "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1",
         "type": "github"
       },
       "original": {
@@ -295,11 +295,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756663325,
-        "narHash": "sha256-HQLfFrJ9OjGNix/driLs77Zhvzq9xUvFU6Af0eHgsPQ=",
+        "lastModified": 1756788591,
+        "narHash": "sha256-LOrOfPWpJU/ADWDyVwPv9XNuYPq5KJtmAmSzplpccmE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "71b57070771aac60ca949b47d6b2bd2afd5e49d8",
+        "rev": "f3d3b4592a73fb64b5423234c01985ea73976596",
         "type": "github"
       },
       "original": {
@@ -406,11 +406,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1756469547,
-        "narHash": "sha256-YvtD2E7MYsQ3r7K9K2G7nCslCKMPShoSEAtbjHLtH0k=",
+        "lastModified": 1756754095,
+        "narHash": "sha256-9Rsn9XEWINExosFkKEqdp8EI6Mujr1gmQiyrEcts2ls=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "41d292bfc37309790f70f4c120b79280ce40af16",
+        "rev": "7c815e513adbf03c9098b2bd230c1e0525c8a7f9",
         "type": "github"
       },
       "original": {
@@ -422,11 +422,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1756601055,
-        "narHash": "sha256-32FECkjKLrIG00XUP2dZw+G2NjyetVAQRdN6Jb4v1ng=",
+        "lastModified": 1756767162,
+        "narHash": "sha256-Qf7v44D1soMGDLJPAQECa89Xwlg58isNydQCVBhtQk0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "90fa096bc50648798f62d701eb5324a18702e8ee",
+        "rev": "cf39b1d1570b3e752c2b0e5dbac1260e7196c4ba",
         "type": "github"
       },
       "original": {
@@ -438,11 +438,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1756636162,
-        "narHash": "sha256-mBecwgUTWRgClJYqcF+y4O1bY8PQHqeDpB+zsAn+/zA=",
+        "lastModified": 1756696532,
+        "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "37ff64b7108517f8b6ba5705ee5085eac636a249",
+        "rev": "58dcbf1ec551914c3756c267b8b9c8c86baa1b2f",
         "type": "github"
       },
       "original": {
@@ -517,11 +517,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1756665336,
-        "narHash": "sha256-w2mwy/ZxS+G/MDZOsZWgXTwTToyVENDBRFm3SYRdWXM=",
+        "lastModified": 1756834435,
+        "narHash": "sha256-oyuIk5XxOQbWuDzunmgX38JeuPsKJj7dHu8t2Hpy5Y8=",
         "ref": "refs/heads/master",
-        "rev": "23c105869b98b1653a371178e3c4c709c4591c53",
-        "revCount": 8,
+        "rev": "0e5cfca3392609e1c80a25c7a2d7e03538da3fd9",
+        "revCount": 10,
         "type": "git",
         "url": "ssh://[email protected]/control/secrets.git"
       },

+ 6 - 0
hosts/odin/services/cloudflared.nix

@@ -0,0 +1,6 @@
+{ config, ... }:
+{
+  services.cloudflared.enable = true;
+  services.cloudflared.certificateFile =
+    config.age.secrets."odin/services/cloudflared".path;
+}
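Review bot: `certificateFile` places the Cloudflare account certificate (the cert.pem produced by `cloudflared login`) on odin, and that is a broader credential than the per-tunnel `credentialsFile` used in immich.nix, since it is the one used to create and delete tunnels and routes. If it is here only so the module can manage the DNS route declaratively, say so above the option, e.g. `# account cert: needed only for declarative route management; rotate if odin is compromised`. If routes are managed in the Cloudflare dashboard instead, the host probably does not need this file, and the tunnel credentials alone would keep the blast radius of a host compromise smaller.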

+ 2 - 0
hosts/odin/services/default.nix

@@ -2,6 +2,8 @@
   imports = [
     ./adguard.nix
     ./caddy.nix
+    ./cloudflared.nix
+    ./immich.nix
     ./samba.nix
     ./snapraid.nix
     ./tailscale.nix

+ 32 - 0
hosts/odin/services/immich.nix

@@ -0,0 +1,32 @@
+{ config, ... }:
+let
+  cfg = config.services.immich;
+  domain = "photos.t5.st";
+in
+{
+  services.immich = {
+    enable = true;
+    host = "127.0.0.1";
+    mediaLocation = "/mnt/storage/immich";
+    group = "storage";
+    accelerationDevices = [ "/dev/dri/renderD128" ];
+    settings = {
+      metadata.faces.import = true;
+      server.externalDomain = "https://${domain}";
+      notifications.smtp.enabled = true;
+      notifications.smtp.from = "Odin Photos <[email protected]>";
+    };
+  };
+
+  services.cloudflared.tunnels."71c89a7f-2467-444c-9fda-4864860dc8c4" = {
+    credentialsFile =
+      config.age.secrets."odin/services/cloudflared-tunnel".path;
+    default = "http_status:404";
+    ingress."${domain}".service =
+      "http://${cfg.host}:${toString cfg.port}";
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /mnt/storage/immich 0770 immich storage - -"
+  ];
+}
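Review bot: The `ingress."${domain}"` rule publishes the Immich web and API login on a public hostname, and nothing in this file or the rest of the commit shows a gate in front of it, so Immich's own authentication appears to be the only control. If a Cloudflare Access policy exists it lives outside the repository; record that next to the tunnel, e.g. `# public hostname; access policy is managed in Cloudflare Zero Trust, not here`, so that recreating the tunnel does not silently lose it. Separately, `group = "storage"` together with the `0770` tmpfiles rule gives every member of the storage group write access to the photo library, which is worth confirming is intended. The tmpfiles rule also repeats the path, user and group as literals; `"d ${cfg.mediaLocation} 0770 ${cfg.user} ${cfg.group} - -"` keeps it in step with the service options.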

+ 10 - 3
hosts/odin/system/age.nix

@@ -9,12 +9,19 @@
       owner = config.services.caddy.user;
       group = config.services.caddy.group;
     };
+    "odin/services/cloudflared".file =
+      inputs.secrets."odin/services/cloudflared.age";
+    "odin/services/cloudflared-tunnel".file =
+      inputs.secrets."odin/services/cloudflared-tunnel.age";
     "odin/services/nullmailer" = {
       file = inputs.secrets."odin/services/nullmailer.age";
       owner = config.services.nullmailer.user;
     };
-    "odin/services/samba".file = inputs.secrets."odin/services/samba.age";
-    "odin/services/tailscale".file = inputs.secrets."odin/services/tailscale.age";
-    "odin/users/thomas".file = inputs.secrets."odin/users/thomas.age";
+    "odin/services/samba".file =
+      inputs.secrets."odin/services/samba.age";
+    "odin/services/tailscale".file =
+      inputs.secrets."odin/services/tailscale.age";
+    "odin/users/thomas".file =
+      inputs.secrets."odin/users/thomas.age";
   };
 }
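Review bot: The two new cloudflared entries set no `owner`, unlike the caddy and nullmailer secrets around them, so the decrypted files get agenix's default ownership (root, as far as I know). That is the tighter choice and works if the cloudflared unit loads the files through systemd credentials, which the current nixpkgs module appears to do, but this is not visible from the hunk. A one-line comment such as `# root-owned on purpose: cloudflared reads these via systemd credentials` would stop a later edit from loosening the ownership to match the neighbours. The attribute set begins above the hunk.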