chore:update immich

fix: agenix keygrip
2024-06-30 22:27:19 +02:00 · 2024-06-30 22:27:19 +02:00 · 7167acf43d
parent bb6e22da48
commit 7167acf43d
8 changed files with 28 additions and 55 deletions
--- a/config/optional/graphical.nix
+++ b/config/optional/graphical.nix
@ -36,6 +36,7 @@ in {
      config = {
        common.default = [
          "gtk"
+          "hyprland"
        ];
        sway.default = [
          "wlr"
--- a/config/optional/wayland.nix
+++ b/config/optional/wayland.nix
@ -14,7 +14,6 @@ lib.optionalAttrs (!minimal) {
    enable = true;
    xdgOpenUsePortal = true;
    config.common = {
-      default = ["gtk" "hyprland"];
      "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
      "org.freedesktop.impl.portal.ScreenCast" = ["hyprland"];
      "org.freedesktop.impl.portal.Screenshot" = ["hyprland"];
--- a/config/services/immich.nix
+++ b/config/services/immich.nix
@ -5,11 +5,10 @@
  config,
  ...
 }: let
-  version = "v1.105.1";
+  version = "v1.106.4";
  immichDomain = "immich.${config.secrets.secrets.global.domains.web}";

  ipImmichMachineLearning = "10.89.0.10";
-  ipImmichMicroservices = "10.89.0.11";
  ipImmichPostgres = "10.89.0.12";
  ipImmichRedis = "10.89.0.13";
  ipImmichServer = "10.89.0.14";
@ -70,9 +69,7 @@
        };
        url = "http://${ipImmichMachineLearning}:3003";
      };
-      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
-      # kanidm system oauth2 warning-insecure-client-disable-pkce immich
-      # kanidm system oauth2 warning-enable-legacy-crypto immich
+      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to enable legacy crypto
      oauth = rec {
        enabled = true;
        autoLaunch = false;
@ -160,6 +157,12 @@ in {
  age.secrets.immichHetznerSsh = {
    generator.script = "ssh-ed25519";
  };
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/containers";
+      mode = "0755";
+    }
+  ];
  services.restic.backups = {
    main = {
      user = "root";
@ -272,36 +275,6 @@ in {
  };
  systemd.services."podman-immich_machine_learning" = serviceConfig;

-  virtualisation.oci-containers.containers."immich_microservices" = {
-    image = "ghcr.io/immich-app/immich-server:${version}";
-    inherit environment;
-    volumes = [
-      "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"
-      "/etc/localtime:/etc/localtime:ro"
-      "${upload_folder}:/usr/src/app/upload:rw"
-      "${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"
-    ];
-    cmd = ["start.sh" "microservices"];
-    dependsOn = [
-      "immich_postgres"
-      "immich_redis"
-    ];
-    log-driver = "journald";
-    extraOptions = [
-      "--network-alias=immich-microservices"
-      "--network=immich-default"
-      "--ip=${ipImmichMicroservices}"
-    ];
-  };
-  systemd.services."podman-immich_microservices" =
-    serviceConfig
-    // {
-      unitConfig.UpheldBy = [
-        "podman-immich_postgres.service"
-        "podman-immich_redis.service"
-      ];
-    };
-
  virtualisation.oci-containers.containers."immich_postgres" = {
    image = "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0";
    environment = {
@ -343,7 +316,6 @@ in {
    ports = [
      "3000:3001/tcp"
    ];
-    cmd = ["start.sh" "immich"];
    dependsOn = [
      "immich_postgres"
      "immich_redis"
--- a/config/services/kanidm.nix
+++ b/config/services/kanidm.nix
@ -116,6 +116,7 @@ in {
        originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-immich.path;
        allowInsecureClientDisablePkce = true;
+        enableLegacyCrypto = true;
        scopeMaps."immich.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
      };
--- a/users/common/programs/gpg.nix
+++ b/users/common/programs/gpg.nix
@ -1,9 +1,4 @@
-{
-  pkgs,
-  lib,
-  nixosConfig,
-  ...
-}: {
+{pkgs, ...}: {
  services.gpg-agent = {
    enable = true;
    enableSshSupport = true;
@ -76,10 +71,4 @@
      #list-options show-unusable-subkeys
    };
  };
-  # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status`
-  # before being able to use the yubikey.
-  home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] ''
-    run mkdir -p "$HOME/.gnupg/private-keys-v1.d"
-    run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/"
-  '';
 }
--- a/users/patrick/default.nix
+++ b/users/patrick/default.nix
@ -48,6 +48,11 @@ lib.optionalAttrs (!minimal) {
  };

  programs.dconf.enable = true;
+  age.secrets."my-gpg-yubikey-keygrip.tar" = {
+    rekeyFile = ./secrets/gpg-keygrip.tar.age;
+    group = "patrick";
+    mode = "640";
+  };

  home-manager.users.patrick = {
    imports =
--- a/users/patrick/patrick.nix
+++ b/users/patrick/patrick.nix
@ -1,4 +1,9 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  lib,
+  nixosConfig,
+  ...
+}: {
  images.enable = true;
  home = {
    packages = with pkgs; [
@ -31,4 +36,10 @@
      via
    ];
  };
+  # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status`
+  # before being able to use the yubikey.
+  home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] ''
+    run mkdir -p "$HOME/.gnupg/private-keys-v1.d"
+    run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/"
+  '';
 }
--- a/users/root/default.nix
+++ b/users/root/default.nix
@ -19,9 +19,4 @@
  home-manager.users.root.imports = lib.lists.optionals (!minimal) [
    ../common
  ];
-  age.secrets."my-gpg-yubikey-keygrip.tar" = {
-    rekeyFile = ./secrets/gpg-keygrip.tar.age;
-    group = "patrick";
-    mode = "640";
-  };
 }