chore:update immich

fix: agenix keygrip

config/optional/graphical.nix

@@ -36,6 +36,7 @@ in {
       config = {
         common.default = [
           "gtk"
+          "hyprland"
         ];
         sway.default = [
           "wlr"

config/optional/wayland.nix

@@ -14,7 +14,6 @@ lib.optionalAttrs (!minimal) {
     enable = true;
     xdgOpenUsePortal = true;
     config.common = {
-      default = ["gtk" "hyprland"];
       "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
       "org.freedesktop.impl.portal.ScreenCast" = ["hyprland"];
       "org.freedesktop.impl.portal.Screenshot" = ["hyprland"];

config/services/immich.nix

@@ -5,11 +5,10 @@
   config,
   ...
 }: let
-  version = "v1.105.1";
+  version = "v1.106.4";
   immichDomain = "immich.${config.secrets.secrets.global.domains.web}";
 
   ipImmichMachineLearning = "10.89.0.10";
-  ipImmichMicroservices = "10.89.0.11";
   ipImmichPostgres = "10.89.0.12";
   ipImmichRedis = "10.89.0.13";
   ipImmichServer = "10.89.0.14";
@@ -70,9 +69,7 @@
         };
         url = "http://${ipImmichMachineLearning}:3003";
       };
-      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
+      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to enable legacy crypto
-      # kanidm system oauth2 warning-insecure-client-disable-pkce immich
-      # kanidm system oauth2 warning-enable-legacy-crypto immich
       oauth = rec {
         enabled = true;
         autoLaunch = false;
@@ -160,6 +157,12 @@ in {
   age.secrets.immichHetznerSsh = {
     generator.script = "ssh-ed25519";
   };
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/containers";
+      mode = "0755";
+    }
+  ];
   services.restic.backups = {
     main = {
       user = "root";
@@ -272,36 +275,6 @@ in {
   };
   systemd.services."podman-immich_machine_learning" = serviceConfig;
 
-  virtualisation.oci-containers.containers."immich_microservices" = {
-    image = "ghcr.io/immich-app/immich-server:${version}";
-    inherit environment;
-    volumes = [
-      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
-      "/etc/localtime:/etc/localtime:ro"
-      "${upload_folder}:/usr/src/app/upload:rw"
-      "${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"
-    ];
-    cmd = ["start.sh" "microservices"];
-    dependsOn = [
-      "immich_postgres"
-      "immich_redis"
-    ];
-    log-driver = "journald";
-    extraOptions = [
-      "--network-alias=immich-microservices"
-      "--network=immich-default"
-      "--ip=${ipImmichMicroservices}"
-    ];
-  };
-  systemd.services."podman-immich_microservices" =
-    serviceConfig
-    // {
-      unitConfig.UpheldBy = [
-        "podman-immich_postgres.service"
-        "podman-immich_redis.service"
-      ];
-    };
-
   virtualisation.oci-containers.containers."immich_postgres" = {
     image = "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
     environment = {
@@ -343,7 +316,6 @@ in {
     ports = [
       "3000:3001/tcp"
     ];
-    cmd = ["start.sh" "immich"];
     dependsOn = [
       "immich_postgres"
       "immich_redis"

config/services/kanidm.nix

@@ -116,6 +116,7 @@ in {
         originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
         basicSecretFile = config.age.secrets.oauth2-immich.path;
         allowInsecureClientDisablePkce = true;
+        enableLegacyCrypto = true;
         scopeMaps."immich.access" = ["openid" "email" "profile"];
         preferShortUsername = true;
       };

users/common/programs/gpg.nix

@@ -1,9 +1,4 @@
-{
+{pkgs, ...}: {
-  pkgs,
-  lib,
-  nixosConfig,
-  ...
-}: {
   services.gpg-agent = {
     enable = true;
     enableSshSupport = true;
@@ -76,10 +71,4 @@
       #list-options show-unusable-subkeys
     };
   };
-  # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status`
-  # before being able to use the yubikey.
-  home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] ''
-    run mkdir -p "$HOME/.gnupg/private-keys-v1.d"
-    run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/"
-  '';
 }

users/patrick/default.nix

@@ -48,6 +48,11 @@ lib.optionalAttrs (!minimal) {
   };
 
   programs.dconf.enable = true;
+  age.secrets."my-gpg-yubikey-keygrip.tar" = {
+    rekeyFile = ./secrets/gpg-keygrip.tar.age;
+    group = "patrick";
+    mode = "640";
+  };
 
   home-manager.users.patrick = {
     imports =

users/patrick/patrick.nix

@@ -1,4 +1,9 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  nixosConfig,
+  ...
+}: {
   images.enable = true;
   home = {
     packages = with pkgs; [
@@ -31,4 +36,10 @@
       via
     ];
   };
+  # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status`
+  # before being able to use the yubikey.
+  home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] ''
+    run mkdir -p "$HOME/.gnupg/private-keys-v1.d"
+    run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/"
+  '';
 }

users/root/default.nix

@@ -19,9 +19,4 @@
   home-manager.users.root.imports = lib.lists.optionals (!minimal) [
     ../common
   ];
-  age.secrets."my-gpg-yubikey-keygrip.tar" = {
-    rekeyFile = ./secrets/gpg-keygrip.tar.age;
-    group = "patrick";
-    mode = "640";
-  };
 }