Differences

This shows you the differences between two versions of the page.

--- services:immich [2024/08/08 06:56] – willy
+++ services:immich [2025/03/13 14:41] (current) – [Installation] willy
@@ Line 3: / Line 3: @@
 [[https://immich.app/|Immich]] is a modern photo management web application which aims to be similar to Google Photo. It can be uses to backup phone photos and also manage older collection of older photos.
-Immich is a fairly new player in the game but it's growing a lot and is gaining a lot of traction. It's heavily under development and very polished.
+Immich come along a long way in the past year, and even if i had initially tried it out but abandoned due to the lack of some basic (for my use case) features, i can say that as little as less than one year later it proved not only to be **the one** top photo management backup and gallery solution for self-hosting, but a damn good one too. The devs really rocks and work hard, and Immich itself is so flexible that there are little excuses not to use it!
-Overall it's probably the best solution **but**:
-  * Doesn't support folders as albums (sorry, long term solution **must** be stored in folders and not only in a database)
-  * Uses a database for metadata
-  * It's been a bit unclear since it was acquired by Futo's. Fut's stance on Open Source is unclear to me.
-  * After moving to Futo they added some controversial support system (on which they also backtracked)
-  * Devs don't seems to care too much on user needs and keep plowing ahead on their roadmap.
-Immich, at this time, does not support //base_url// out of the box. A lot of discussion is going on around the topic and somebody found a nice fix using a specific NGINX setup, which i will describe in this page.
+Immich, at this time, still does not support //base_url// out of the box. A lot of discussion is going on around the topic and somebody found a nice fix using a specific NGINX setup, but i think it's better to stick to subdomains for Immich, at least until it will __officially__ support sub-paths. Anyway, you should really use subdomains with something so complex as Immich to leverage cross-domain security.
+While installing Immich overall is not a huge task, you should really read carefully this page **and** all the very good documentation on Immich website itself.
-Overall, i stopped using it.
 ===== Installation =====
-I tried to install Immich on bare-metal and give up. The total lack of documentation is regretting and the only existing guide is obsolete. Sadly, using containers is the only viable way to install Immich. The devs clearly stated they do not intend to provide any bare-metal installation instructions and this frankly sucks, even more so that the default docker images provided run as root by default. Anyway, i will show you how to fix this by running Immich using Podman (see [[gentoo:containers|Using Containers on Gentoo]]) root-less. Better than nothing.
+I will assume you will store all Immich stuff under **/data/photos**. You will need two folders here:
+  * /data/photos/Library: will contain your photos and all additional Immich files (cache, thumbnails, encoded videos...). You want to backup the //library// (yes, lowercase!) and //backups// subfolders in here.
+  * /data/photos/immich_database: will contain PostgreSQL stuff, you do not want to backup this folder.
-I suggest you create a **photos** group on which add all users that will need to use/share/access/add photos, immich user included.
+Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at.
-So, let's get going. Create an **immich** user:
+I assume you have already created the photo user and group (see [[selfhost:photomanagement|here]], but in case you didn't, here you go:
 <code bash>
-groupadd photos
+useradd -d /data/daemons/photos photos
-useradd -d /data/damons/immich -g photos immich
+mkdir /data/photos
+mkdir /data/photos/Library
+mkdir /data/photos/immich_database
 </code>
-And download the standard immich docker-compose and env files:
+And download the standard Immich docker-compose and env files:
 <code bash>
-su - immich
+su - photos
 wget https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
-wget https://github.com/immich-app/immich/releases/latest/download/hwaccel.transcoding.yml
+#optional: wget https://github.com/immich-app/immich/releases/latest/download/hwaccel.transcoding.yml
-wget https://github.com/immich-app/immich/releases/latest/download/hwaccel.ml.yml
+#optional: wget https://github.com/immich-app/immich/releases/latest/download/hwaccel.ml.yml
 wget -O .env https://github.com/immich-app/immich/releases/latest/download/example.env
 </code>
 (enabling hardware acceleration is optional and i will not cover it here, as it's not needed in my use-case)
-Since you are going to use podman instead of docker, you need to add a specific network to the docker compose file. Also, you want to add support for your external photo libraries.
+I will __not__ give you a full docker-compose file, because Immich sometimes ships with backward incompatibilities, you **must** start from the one linked above and do the following modifications:
+  * Specify a network to all containers
+  * Add any specific volumes for specific external galleries
+  * Remove the //restart// and //healthcheck// sections
+This is the specific code for the network:
 <code>
-# Set the following locations to immich-server, immich-microservices;
+# Add these two lines to each one of the services (immich-server, immich-microservices, immich-machine-learning, redis, database, ...)
-    volumes:
-      - ${UPLOAD_LOCATION}:/usr/src/app/upload
-      - /etc/localtime:/etc/localtime:ro
-      - ${EXTERNAL_PATH}:/usr/src/app/external
-# Add these two lines to each one of the services (immich-server, immich-microservices, immich-machine-learning, redis, database)
     networks:
       - immich-net
@@ Line 54: / Line 52: @@
 </code>
-Please note that you can have more than one mount, ideally one for each folder tree that contains photos you want to add as external library to Immich.
+Please note that you can have more than one mount, ideally one for each folder tree that contains photos you want to add as //external library// to Immich.
 edit the **/data/daemons/immich/.env** file to adapt at least your //Uploads// and //external// folder:
 <code>
-UPLOAD_LOCATION=/data/Media/Photos/Uploads
+# The location where your uploaded files are stored
-EXTERNAL_PATH=/path/to/your/external/photos/trees
+UPLOAD_LOCATION=/data/photos/Library
-IMMICH_VERSION=release
+# The location where your database files are stored
+DB_DATA_LOCATION=/data/photos/immich_database
 </code>
-then fire up the containers:
+You can fine-tune the rest of the env file to your needs.
-<code bash>
-su - immich
-podman compose up -d
-</code>
-When you want to update Immich, just:
-<code bash>
+===== Configuration =====
-su - immich
-podman compose down
+You should follow all the steps below before starting using Immich for real, as they have some implications and it's better to sort out stuff before, than reorganize everything later. Immich does a pretty great job of ensuring it's consistent and changeable at a later point in time tough. Still better to dedicate a little time to think stuff out before than later.
-podman compose pull
-podman compose up -d
+==== External Library setup ====
+External libraries let you integrate into Immich existing and already sorted out image libraries. It's a very welcome feature that let's you use Immich in evary conceivable scenario.
+[[https://immich.app/docs/features/libraries|This]] page will give you more details on how to set up an external library.
+You have to perform two steps:
+  * Add the external library path as a volume in docker compose
+  * From Immich web GUI, create the external library pointing to that path
+So, in your docker-compose.yml ensure that you have mapped each external library like this example:
+<code>
+services:
+  immich-server:
+    volumes:
+      - /data/photos/ExistingGallery:/mnt/media/ExistingGallery:ro
 </code>
-Be aware that Immich is bleeding edge and sometimes there are **breaking** updates! Always check on Immich [[https://github.com/immich-app/immich/releases|Releases page]] the release notes and take actions accordingly. **YOU HAVE BEEN WARNED**.
+Then, you have to go to //Immich web gui -> administration -> external libraries// and add create a new library. Each library must belong to an user and shall have one or more paths, the ones mapped as above, inside.
-==== NGINX reverse proxy ====
+You can also setup a watcher to monitor for new files or period scans to ensure new added files get updated inside Immich as well.
-=== Immich on sub-path ===
+Keep in mind that Immich will **not touch** the files inthe external library at all, which means that any change to those files metadata will **not** be embedded in the external library files.
-If you do not want to use a specific sub-domain for Immich, the specific NGINX example here will include the base_url fix as described [[https://gist.github.com/aveexy/4b2b22b2198636b0a91c7c142ec11b37|here]]:
+==== Storage Template setup ====
+Storage templates let's you choose how Immich should store photos and videos on your filesystem. This is specially useful if you like to sort your photos for albums and/or year-month-day. I think this is a very powerful feature of Immich and a very welcome addition to it's features.
+My template is:
 <code>
-location /immich {
+{{y}}/{{#if album}}{{album}}{{else}}Others{{/if}}/{{filename}}
-                        proxy_pass http://127.0.0.1:2283;
+</code>
-                        rewrite /immich/(.*) /$1 break;
-                        proxy_buffering        on;
+this template will store folders by **year** and **album**. If the photo is not stored in an album, it will go into a folder called **Others**.
-                        sub_filter_once off;
+That can be setup from //Immich web gui -> administration -> settings -> storage templates//.
-                        sub_filter_types text/html;
-                        sub_filter ' href="/' ' href="/immich/';
-                        sub_filter ' src="/' ' src="/immich/';
-                        sub_filter ' action="/' ' action="/immich/';
-                        sub_filter 'import("/_app' 'import("/immich/_app';
-                        sub_filter 'base: ""' 'base: "/immich"';
-                        location /immich/_app/immutable/chunks {
+You also need to __enable__ it from the same setting area. Remember to run the update storage templates task if you change it. Also, remember to check that it's working as intended before you have thousand of photos stored the wrong way.
-                                proxy_pass http://127.0.0.1:2283;
-                                rewrite /immich/(.*) /$1 break;
-                                sub_filter_types *;
-                                sub_filter '"/api/socket.io"' '"/immich/api/socket.io"';
-                        }
-                        location ~ /immich/_app/immutable/chunks/index\\. {
+==== SSO authentication setup ====
-                                proxy_pass http://127.0.0.1:2283;
-                                rewrite /immich/(.*) /$1 break;
-                                sub_filter_types *;
+Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]].
-                                sub_filter '"/' '"/immich/';
-                        }
-                        location ~ /immich/_app/immutable/chunks/api\\. {
+First of all, you need to configure Authelia with a new client:
-                                proxy_pass http://127.0.0.1:2283;
+<code>
-                                rewrite /immich/(.*) /$1 break;
+identity_providers:
+  oidc:
+    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
+    ## See: https://www.authelia.com/c/oidc
+    clients:
+      - client_id: << see below to generate ClientID >>
+        client_name: 'immich'
+        client_secret: << see below to generale ClientSecret >>
+        public: false
+        authorization_policy: 'one_factor'
+        redirect_uris:
+          - 'https://immich.mydomain.com/auth/login'
+          - 'https://immich.mydomain.com/user-settings'
+          - 'app.immich:///oauth-callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
+        userinfo_signed_response_alg: 'none'
+</code>
-                                sub_filter_types *;
+To generate a ClientID:
-                                sub_filter '="/api"' '="/immich/api"';
+<code bash>
-                                sub_filter 'basePath:"/api"' 'basePath:"/immich/api"';
+authelia crypto rand --length 72 --charset rfc3986
-                        }
+</code>
+This information will need to copied to both authelia config and immich settings.
-                        location ~ /immich/api {
+To generate a Client Secret:
-                                proxy_pass http://127.0.0.1:2283;
+<code bash>
-                                rewrite /immich/(.*) /$1 break;
+authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+</code>
+Please note **both** the hash and the password itself! You will need the password itself in the next step.
-                                proxy_cache off;
+Then you need to configure Immich to use Authelia SSO, so go to //Immich web gui → administration → settings → Authentication settings// and enter the following information:
+  * Issuer URL: https://auth.example.com/.well-known/openid-configuration.
-                                sub_filter_types *;
+  * Client ID: << the generated ClientID >>.
-                                sub_filter '"redirectUri":"/' '"redirectUri":"/immich/';
+  * Client Secret: insecure_secret.
-                        }
+  * Scope: openid profile email.
-                                                proxy_pass_request_headers on;
+  * Button Text: Login with Authelia.
-                proxy_http_version 1.1;
+  * Auto Register: Enable if desired.
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header   X-Real-IP $remote_addr;
-                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header   X-Forwarded-Proto $scheme;
-                proxy_set_header   X-Forwarded-Host $host;
-                proxy_set_header   X-Forwarded-Server $host;
-                proxy_cache_use_stale  error timeout invalid_header updating
-                http_500 http_502 http_503 http_504;
-                proxy_redirect     off;
-                }
+==== Bakcup setup ====
-    </code>
-you need also to disable authentication, since Immich cannot work with Proxy Auth and you would end up with double-authentication.
+I assume you have setup a backup schedule like described [[selfhost:backup|here]], with restic.
-(note: YMMV, at this time this seems broken by an Immich upgrade)
+For Immich you should backup:
+  * **/data/photos/Library/library**: where actual photos are stored
+  * **/data/photos/Library/backups**: where postgres backups are stored
-=== Immich on sub-domain ===
+You should also go to //Immich web gui -> administration -> settings -> backups// and reduce the retain to 1 or 2 backups, since you will be backing them up with restic.
-In case you do not care for sub_path and you want to use a dedicated subdomain, go ahead and use this much simpler NGINX configuration. I will assume your subdomain is called **immich.mydomain.com**:
-<file txt immich.conf>
+==== NGINX reverse proxy ====
+Immich officially **only** support subdomain and not subpath deployment. Use the following NGINX configuration, i will assume your subdomain is called **immich.mydomain.com**. See [[selfhost:nginx|here]] for more details.
+<file - immich.conf>
     server {
         server_name immich.mydomain.com;
-        listen 8443 ssl; # managed by Certbot
+        listen 8443 ssl;
-        listen 443 ssl; # managed by Certbot
+        listen 443 ssl;
-        client_max_body_size 50000M;
+        client_max_body_size 5000M;
         large_client_header_buffers 4 32k;
@@ Line 172: / Line 189: @@
         location / {
-                proxy_pass http://127.0.0.1:2283/;
+        location / {
+                proxy_pass http://127.0.0.1:2283;
+                #proxy_pass http://127.0.0.1:8009;
+                proxy_redirect    default;
+                proxy_set_header  Host $host;
+                proxy_set_header  X-Real-IP $remote_addr;
+                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header  X-Forwarded-Host $server_name;
+                proxy_set_header  X-Forwarded-Proto $scheme;
         }
         include com.mydomain/certbot.conf;
 }
 </file>
-you need also to disable authentication, since Immich cannot work with Proxy Auth and you would end up with double-authentication.
+===== Autostart =====
+To start it, and set it up on boot, as usual follow my indications [[gentoo:containers|Using Containers on Gentoo]], so link the **user-containers** init script:
+<code>
+ln -s /etc/init.d/user-containers /etc/init.d/user-containers.immich
+</code>
+and create the following config file:
+<file - /etc/conf.d/user-containers.immich>
-==== First usage ====
+USER=immich
+DESCRIPTION="The photo gallery and backup solution"
+</file>
-Fire up your browser at https://yourdomain.com/immich (or https://immich.yourdomain.com) and follow instructions.
+Add the service to the default runlevel and start it now:
+<code bash>
-To add //external libraries//, it's currently (Immich 1.92.1) a bit convoluted.
+rc-update add user-containers.immich default
+rc-service user-containers.immich start
-First you need, as administrator, to go to each user settings (under administration panel) and add the external path as specified in the docker compose (ex: **/usr/src/app/external**) then, as specific user, you also need to add an external library and repeat the same path in your user settings.
+</code>
-It's confusing, i think this will be improved in future releases.
 ==== Command line CLI ====
@@ Line 211: / Line 240: @@
 immich upload --recursive directory/
 </code>
+===== Update =====
+When you want to update Immich, just:
+<code bash>
+su - immich
+podman compose down
+podman compose pull
+podman compose up -d
+</code>
+Be aware that Immich is bleeding edge and sometimes there are **breaking** updates! Always check on Immich [[https://github.com/immich-app/immich/releases|Releases page]] the release notes and take actions accordingly. **YOU HAVE BEEN WARNED**.

Willy's Wiki

User Tools

Differences