User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
services:immich [2025/02/23 19:30] willyservices:immich [2025/03/19 10:04] (current) – [SSO authentication setup] willy
Line 3: Line 3:
 [[https://immich.app/|Immich]] is a modern photo management web application which aims to be similar to Google Photo. It can be uses to backup phone photos and also manage older collection of older photos. [[https://immich.app/|Immich]] is a modern photo management web application which aims to be similar to Google Photo. It can be uses to backup phone photos and also manage older collection of older photos.
  
-Immich is fairly new player in the game but it's growing a lot and is gaining a lot of traction. It's heavily under development and very polished.  +Immich come along long way in the past year, and even if i had initially tried it out but abandoned due to the lack of some basic (for my use case) featuresi can say that as little as less than one year later it proved not only to be **the one** top photo management backup and gallery solution for self-hostingbut a damn good one tooThe devs really rocks and work hard, and Immich itself is so flexible that there are little excuses not to use it!
-Overall it's probably the best solution **but**: +
-  * Doesn't support folders as albums (sorrylong term solution **must** be stored in folders and not only in a database) +
-  * Uses a database for metadatawhich is not good again for long term solution. +
-  * It's been a bit unclear since it was acquired by Futo's. Futo's stance on Open Source is unclear to me. +
-  * After moving to Futo they added some controversial support system (on which they also backtracked), and it seemed not very well tought of. +
-  * Devs don't seems to care too much on user needs and keep plowing ahead on their roadmap.+
  
-Immich, at this time, does not support //base_url// out of the box. A lot of discussion is going on around the topic and somebody found a nice fix using a specific NGINX setup, which i will describe in this page.+Immich, at this time, still does not support //base_url// out of the box. A lot of discussion is going on around the topic and somebody found a nice fix using a specific NGINX setup, but think it's better to stick to subdomains for Immich, at least until it will __officially__ support sub-paths. Anyway, you should really use subdomains with something so complex as Immich to leverage cross-domain security.
  
-Overalli stopped using it.+While installing Immich overall is not a huge taskyou should really read carefully this page **and** all the very good documentation on Immich website itself.
  
-===== Installation ===== 
  
 +===== Installation =====
  
-Use **photos** user and groupsee [[services:photomanagement|Photos Management Server]].+I will assume you will store all Immich stuff under **/data/photos**. You will need two folders here: 
 +  * /data/photos/Library: will contain your photos and all additional Immich files (cachethumbnails, encoded videos...). You want to backup the //library// (yes, lowercase!) and //backups// subfolders in here. 
 +  * /data/photos/immich_databasewill contain PostgreSQL stuff, you do not want to backup this folder.
  
 Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at. Immich needs to be installed using a docker compose file. This is the official and only supported installation method. I will show you, of course, how to run it rootless with podman. Immich installation is detailed [[https://immich.app/docs/install/docker-compose|here]], and i suggest you take a look at.
  
-I assume you have already created the photo user and group, but in case you didn't, here you go+I assume you have already created the photo user and group (see [[selfhost:photomanagement|here]], but in case you didn't, here you go:
-So, let's get going. Create an **immich** user:+
 <code bash> <code bash>
 useradd -d /data/daemons/photos photos useradd -d /data/daemons/photos photos
 +mkdir /data/photos
 +mkdir /data/photos/Library
 +mkdir /data/photos/immich_database
 </code> </code>
  
Line 54: Line 52:
 </code> </code>
  
- +Please note that you can have more than one mount, ideally one for each folder tree that contains photos you want to add as //external library// to Immich.
-Please note that you can have more than one mount, ideally one for each folder tree that contains photos you want to add as external library to Immich.+
  
 edit the **/data/daemons/immich/.env** file to adapt at least your //Uploads// and //external// folder: edit the **/data/daemons/immich/.env** file to adapt at least your //Uploads// and //external// folder:
 <code> <code>
-UPLOAD_LOCATION=/data/Media/Photos/Uploads +# The location where your uploaded files are stored 
-EXTERNAL_PATH=/path/to/your/external/photos/trees +UPLOAD_LOCATION=/data/photos/Library 
-IMMICH_VERSION=release+# The location where your database files are stored 
 +DB_DATA_LOCATION=/data/photos/immich_database
 </code> </code>
 +
 +You can fine-tune the rest of the env file to your needs.
 +
  
 ===== Configuration ===== ===== Configuration =====
 +
 +You should follow all the steps below before starting using Immich for real, as they have some implications and it's better to sort out stuff before, than reorganize everything later. Immich does a pretty great job of ensuring it's consistent and changeable at a later point in time tough. Still better to dedicate a little time to think stuff out before than later.
 +
  
 ==== External Library setup ==== ==== External Library setup ====
  
 +External libraries let you integrate into Immich existing and already sorted out image libraries. It's a very welcome feature that let's you use Immich in evary conceivable scenario.
  
-==== Storage Template setup ====+[[https://immich.app/docs/features/libraries|This]] page will give you more details on how to set up an external library.
  
 +You have to perform two steps:
 +  * Add the external library path as a volume in docker compose
 +  * From Immich web GUI, create the external library pointing to that path
  
 +So, in your docker-compose.yml ensure that you have mapped each external library like this example:
 +<code>
 +services:
 +  immich-server:
 +    volumes:
 +      - /data/photos/ExistingGallery:/mnt/media/ExistingGallery:ro
 +</code>
  
 +Then, you have to go to //Immich web gui -> administration -> external libraries// and add create a new library. Each library must belong to an user and shall have one or more paths, the ones mapped as above, inside.
  
 +You can also setup a watcher to monitor for new files or period scans to ensure new added files get updated inside Immich as well. 
  
 +Keep in mind that Immich will **not touch** the files inthe external library at all, which means that any change to those files metadata will **not** be embedded in the external library files.
  
  
-==== NGINX reverse proxy ==== 
  
-=== Immich on sub-path ===+==== Storage Template setup ====
  
-If you do not want to use a specific sub-domain for Immich, the specific NGINX example here will include the base_url fix as described [[https://gist.github.com/aveexy/4b2b22b2198636b0a91c7c142ec11b37|here]]:+Storage templates let'you choose how Immich should store photos and videos on your filesystem. This is specially useful if you like to sort your photos for albums and/or year-month-dayI think this is a very powerful feature of Immich and a very welcome addition to it's features. 
 + 
 +My template is
 <code> <code>
-location /immich { +{{y}}/{{#if album}}{{album}}{{else}}Others{{/if}}/{{filename}} 
-                        proxy_pass http://127.0.0.1:2283; +</code>
-                        rewrite /immich/(.*) /$1 break;+
  
-                        proxy_buffering        on;+this template will store folders by **year** and **album**. If the photo is not stored in an album, it will go into a folder called **Others**.
  
-                        sub_filter_once off; +That can be setup from //Immich web gui -> administration -> settings -> storage templates//.
-                        sub_filter_types text/html; +
-                        sub_filter ' href="/' ' href="/immich/'; +
-                        sub_filter ' src="/' ' src="/immich/'; +
-                        sub_filter ' action="/' ' action="/immich/'; +
-                        sub_filter 'import("/_app' 'import("/immich/_app'; +
-                        sub_filter 'base: ""' 'base: "/immich"';+
  
-                        location /immich/_app/immutable/chunks { +You also need to __enable__ it from the same setting areaRemember to run the update storage templates task if you change itAlso, remember to check that it's working as intended before you have thousand of photos stored the wrong way.
-                                proxy_pass http://127.0.0.1:2283; +
-                                rewrite /immich/(.*) /$1 break;+
  
-                                sub_filter_types *; 
-                                sub_filter '"/api/socket.io"' '"/immich/api/socket.io"'; 
-                        } 
  
-                        location ~ /immich/_app/immutable/chunks/index\\. { +==== SSO authentication setup ====
-                                proxy_pass http://127.0.0.1:2283; +
-                                rewrite /immich/(.*) /$1 break;+
  
-                                sub_filter_types *; +Immich support direct integration with [[selfhost:sso|Authelia SSO]], specific instructions can be found [[https://www.authelia.com/integration/openid-connect/immich/|on this page]].
-                                sub_filter '"/' '"/immich/'; +
-                        }+
  
-                        location ~ /immich/_app/immutable/chunks/api\\{ +First of all, you need to configure Authelia with a new client: 
-                                proxy_pass http://127.0.0.1:2283; +<code> 
-                                rewrite /immich/(.*) /$1 break;+identity_providers: 
 +  oidc: 
 +    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. 
 +    ## See: https://www.authelia.com/c/oidc 
 +    clients: 
 +      - client_id: << see below to generate ClientID >> 
 +        client_name: 'immich' 
 +        client_secret: << see below to generale ClientSecret, put the digest here >> 
 +        public: false 
 +        authorization_policy: 'one_factor' 
 +        redirect_uris: 
 +          - 'https://immich.mydomain.com/auth/login' 
 +          - 'https://immich.mydomain.com/user-settings' 
 +          - 'app.immich:///oauth-callback' 
 +        scopes: 
 +          - 'openid' 
 +          - 'profile' 
 +          - 'email' 
 +        userinfo_signed_response_alg: 'none' 
 +</code>
  
-                                sub_filter_types *; +To generate a ClientID: 
-                                sub_filter '="/api"' '="/immich/api"'; +<code bash> 
-                                sub_filter 'basePath:"/api"' 'basePath:"/immich/api"'; +authelia crypto rand --length 72 --charset rfc3986 
-                        }+</code> 
 +This information will need to copied to both authelia config and immich settings.
  
-                        location ~ /immich/api { +To generate a Client Secret: 
-                                proxy_pass http://127.0.0.1:2283; +<code bash> 
-                                rewrite /immich/(.*) /$1 break;+authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 
 +</code> 
 +Please note **both** the hash and the password itself! You will need the password itself in the next step.
  
-                                proxy_cache off; +Then you need to configure Immich to use Authelia SSO, so go to //Immich web gui → administration → settings → Authentication settings// and enter the following information: 
-                                 +  Issuer URLhttps://auth.example.com/.well-known/openid-configuration. 
-                                sub_filter_types *+  * Client ID: << the generated ClientID >>. 
-                                sub_filter '"redirectUri":"/' '"redirectUri":"/immich/'; +  * Client Secret: << the random password generated above, not the digest >>. 
-                        } +  * Scope: openid profile email
-                                                proxy_pass_request_headers on; +  * Button Text: Login with Authelia. 
-                proxy_http_version 1.1; +  * Auto Register: Enable if desired.
-                proxy_set_header Upgrade $http_upgrade;+
  
-                proxy_set_header   X-Real-IP $remote_addr; 
-                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
-                proxy_set_header   X-Forwarded-Proto $scheme; 
-                proxy_set_header   X-Forwarded-Host $host; 
-                proxy_set_header   X-Forwarded-Server $host; 
  
-                proxy_cache_use_stale  error timeout invalid_header updating 
-                http_500 http_502 http_503 http_504; 
  
-                proxy_redirect     off; 
  
-                } +==== Bakcup setup ====
-    </code>+
  
-you need also to disable authenticationsince Immich cannot work with Proxy Auth and you would end up with double-authentication.+I assume you have setup a backup schedule like described [[selfhost:backup|here]], with restic.
  
-(note: YMMV, at this time this seems broken by an Immich upgrade) +For Immich you should backup: 
-    +  * **/data/photos/Library/library**: where actual photos are stored 
 +  * **/data/photos/Library/backups**: where postgres backups are stored
  
-=== Immich on sub-domain ===+You should also go to //Immich web gui -> administration -> settings -> backups// and reduce the retain to 1 or 2 backups, since you will be backing them up with restic.
  
-In case you do not care for sub_path and you want to use a dedicated subdomain, go ahead and use this much simpler NGINX configuration. I will assume your subdomain is called **immich.mydomain.com**: 
  
-<file txt immich.conf> +==== NGINX reverse proxy ==== 
 + 
 +Immich officially **only** support subdomain and not subpath deployment. Use the following NGINX configuration, i will assume your subdomain is called **immich.mydomain.com**. See [[selfhost:nginx|here]] for more details. 
 + 
 +<file immich.conf> 
     server {     server {
         server_name immich.mydomain.com;         server_name immich.mydomain.com;
-        listen 8443 ssl; # managed by Certbot +        listen 8443 ssl;  
-        listen 443 ssl; # managed by Certbot +        listen 443 ssl;  
-        client_max_body_size 50000M;+        client_max_body_size 5000M;
         large_client_header_buffers 4 32k;         large_client_header_buffers 4 32k;
  
Line 170: Line 189:
  
         location / {         location / {
-                proxy_pass http://127.0.0.1:2283/;+        location / { 
 +                proxy_pass http://127.0.0.1:2283
 +                #proxy_pass http://127.0.0.1:8009; 
 +                proxy_redirect    default; 
 +                proxy_set_header  Host $host; 
 +                proxy_set_header  X-Real-IP $remote_addr; 
 +                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for; 
 +                proxy_set_header  X-Forwarded-Host $server_name; 
 +                proxy_set_header  X-Forwarded-Proto $scheme;
         }         }
- 
         include com.mydomain/certbot.conf;         include com.mydomain/certbot.conf;
 } }
 </file> </file>
  
-you need also to disable authentication, since Immich cannot work with Proxy Auth and you would end up with double-authentication.+===== Autostart =====
  
 +To start it, and set it up on boot, as usual follow my indications [[gentoo:containers|Using Containers on Gentoo]], so link the **user-containers** init script:
 +<code>
 +ln -s /etc/init.d/user-containers /etc/init.d/user-containers.immich
 +</code>
  
-     +and create the following config file: 
-     +<file - /etc/conf.d/user-containers.immich> 
-==== First usage ====+USER=immich 
 +DESCRIPTION="The photo gallery and backup solution" 
 +</file>
  
-Fire up your browser at https://yourdomain.com/immich (or https://immich.yourdomain.com) and follow instructions. +Add the service to the default runlevel and start it now
- +<code bash> 
-To add //external libraries//, it's currently (Immich 1.92.1) a bit convoluted.  +rc-update add user-containers.immich default 
- +rc-service user-containers.immich start 
-First you need, as administrator, to go to each user settings (under administration panel) and add the external path as specified in the docker compose (ex: **/usr/src/app/external**) then, as specific user, you also need to add an external library and repeat the same path in your user settings.  +</code>
- +
-It's confusing, i think this will be improved in future releases.+
  
 +    
 ==== Command line CLI ==== ==== Command line CLI ====
  
Line 211: Line 242:
  
  
 +===== Update =====
  
 +When you want to update Immich, just:
 +<code bash>
 +su - immich
 +podman compose down
 +podman compose pull
 +podman compose up -d
 +</code>
  
 +Be aware that Immich is bleeding edge and sometimes there are **breaking** updates! Always check on Immich [[https://github.com/immich-app/immich/releases|Releases page]] the release notes and take actions accordingly. **YOU HAVE BEEN WARNED**.
  
  

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information