refactor: moved nixos modules to dendrite pattern

2026-04-07 15:39:45 -05:00 · 2026-04-07 15:39:45 -05:00 · 0ea11e0236
commit 0ea11e0236
parent df8dd110ad
219 changed files with 4802 additions and 4820 deletions
--- a/modules/nixos/programs/immich/database.nix
+++ b/modules/nixos/programs/immich/database.nix
@ -0,0 +1,32 @@
+{...}: {
+  flake.nixosModules.immich-database = {
+    lib,
+    config,
+    ...
+  }: {
+    config = lib.mkIf config.services.immich.enable {
+      assertions = [
+        {
+          assertion = !config.services.immich.database.enable || config.services.postgresql.enable;
+          message = "PostgreSQL must be enabled when using postgres database for Immich";
+        }
+        {
+          assertion = !(config.services.immich.database.enable && config.services.immich.database.createDB) || (builtins.any (db: db == "immich") config.services.postgresql.ensureDatabases);
+          message = "Immich built-in database creation failed - expected 'immich' in ensureDatabases but got: ${builtins.toString config.services.postgresql.ensureDatabases}";
+        }
+        {
+          assertion = !(config.services.immich.database.enable && config.services.immich.database.createDB) || (builtins.any (user: user.name == "immich") config.services.postgresql.ensureUsers);
+          message = "Immich built-in user creation failed - expected user 'immich' in ensureUsers but got: ${builtins.toString (builtins.map (u: u.name) config.services.postgresql.ensureUsers)}";
+        }
+      ];
+
+      # Note: Immich has built-in database creation via services.immich.database.createDB we only add the systemd dependency
+
+      systemd.services.immich-server = lib.mkIf config.services.immich.database.enable {
+        requires = [
+          config.systemd.services.postgresql.name
+        ];
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/immich/default.nix
+++ b/modules/nixos/programs/immich/default.nix
@ -0,0 +1,12 @@
+{config, ...}: let
+  mod = config.flake.nixosModules;
+in {
+  flake.nixosModules.immich = {
+    imports = [
+      mod.immich-proxy
+      mod.immich-database
+      mod.immich-fail2ban
+      mod.immich-storage
+    ];
+  };
+}
--- a/modules/nixos/programs/immich/fail2ban.nix
+++ b/modules/nixos/programs/immich/fail2ban.nix
@ -0,0 +1,37 @@
+{...}: {
+  flake.nixosModules.immich-fail2ban = {
+    lib,
+    config,
+    pkgs,
+    ...
+  }: {
+    options.services.immich = {
+      fail2ban = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = config.services.fail2ban.enable && config.services.immich.enable;
+        };
+      };
+    };
+
+    config = lib.mkIf config.services.immich.fail2ban.enable {
+      environment.etc = {
+        "fail2ban/filter.d/immich.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+          [Definition]
+          failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
+          journalmatch = CONTAINER_TAG=immich-server
+        '');
+      };
+
+      services.fail2ban = {
+        jails = {
+          immich-iptables.settings = {
+            enabled = true;
+            filter = "immich";
+            backend = "systemd";
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/immich/proxy.nix
+++ b/modules/nixos/programs/immich/proxy.nix
@ -0,0 +1,46 @@
+{...}: {
+  flake.nixosModules.immich-proxy = {
+    lib,
+    config,
+    ...
+  }: {
+    options.services.immich = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "domain that immich will be hosted at";
+        default = "immich.arpa";
+      };
+      extraDomains = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "extra domains that should be configured for immich";
+        default = [];
+      };
+      reverseProxy = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = config.services.immich.enable && config.services.reverseProxy.enable;
+        };
+      };
+    };
+
+    config = lib.mkIf config.services.immich.reverseProxy.enable {
+      services.reverseProxy.services.immich = {
+        target = "http://localhost:${toString config.services.immich.port}";
+        domain = config.services.immich.domain;
+        extraDomains = config.services.immich.extraDomains;
+
+        settings = {
+          proxyWebsockets.enable = true;
+          forwardHeaders.enable = true;
+          maxBodySize = 50000;
+
+          # Custom timeout settings
+          proxyHeaders = {
+            enable = true;
+            timeout = 600;
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/immich/storage.nix
+++ b/modules/nixos/programs/immich/storage.nix
@ -0,0 +1,23 @@
+{...}: {
+  flake.nixosModules.immich-storage = {
+    lib,
+    config,
+    ...
+  }: let
+    mediaLocation = "/var/lib/immich";
+  in {
+    options.services.immich.impermanence.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = config.services.immich.enable && config.storage.impermanence.enable;
+    };
+
+    config = lib.mkIf config.services.immich.enable {
+      storage.datasets.replicate."system/root" = {
+        directories."${mediaLocation}" = lib.mkIf config.services.immich.impermanence.enable {
+          owner.name = "immich";
+          group.name = "immich";
+        };
+      };
+    };
+  };
+}