Set up Immich

config.yml

@@ -63,6 +63,11 @@ storage:
       size: 100G
       fs: ext4
 
+    photos:
+      mount: /nas/Photos
+      size: 50G
+      fs: ext4
+
 
 ####################
 # DDNS options #
@@ -359,3 +364,23 @@ monitoring_scrape_traefik: yes
 
 healthchecksio_enabled: yes
 healthchecksio_uuid: "{{ secret_healthchecksio_uuid }}"
+
+
+###################
+# Immich settings #
+###################
+
+immich_enabled: yes
+
+immich_routing:
+  enabled: true
+  subdomain: photos
+
+immich_postgres_password: "{{ secret_immich_postgres_password }}"
+
+immich_sso:
+  enabled: true
+  issuer_url: "https://{{ authentik_routing.subdomain }}.{{ general.domain }}/application/o/immich/"
+  client_id: "{{ secret_immich_oidc_client_id }}"
+  client_secret: "{{ secret_immich_oidc_client_secret }}"
+  button_text: "Log in via Kasad auth portal"

main.yml

@@ -97,3 +97,7 @@
     - role: monitoring
       tags:
         - monitoring
+
+    - role: immich
+      tags:
+        - immich

roles/immich/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+immich_enabled: false
+
+immich_data_dir: "{{ storage.data_dir }}/immich"
+immich_photos_dir: "{{ storage.nas_dir }}/Photos"
+
+immich_tag: release
+
+immich_routing:
+  enabled: true
+  subdomain: immich
+
+immich_postgres_password: '{{ undef(hint="You must specify a password for Immich''s PostgreSQL database") }}'
+
+immich_sso:
+  enabled: false
+  issuer_url: '{{ undef(hint="See Immich issuerUrl option") }}'
+  client_id: '{{ undef(hint="See Immich clientId option") }}'
+  client_secret: '{{ undef(hint="See Immich clientSecret option") }}'
+  button_text: '{{ undef(hint="See Immich buttonText option") }}'

roles/immich/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+- name: Set up Immich
+  when: immich_enabled is true
+  block:
+
+    # Use ACLs to allow Immich to access media files. This allows us to use
+    # one of the NAS shares as the media directory, and have Immich access
+    # the files without having to change the owner or run as root.
+    # - name: Set permissions on Immich media directory
+    #   ansible.posix.acl:
+    #     path: "{{ immich_photos_dir }}"
+    #     entity: "{{ users.worker  }}}"
+    #     etype: user
+    #     permissions: rwX
+    #     default: true
+    #     recurse: true
+    #     recalculate_mask: mask
+    #     state: present
+
+    - name: Create Immich data directories
+      ansible.builtin.file:
+        path: "{{ immich_data_dir }}{{ item }}"
+        state: directory
+        owner: "{{ users.worker }}"
+        group: "{{ users.worker }}"
+        mode: '700'
+        recurse: false
+      loop:
+        - ""
+        - "/db"
+        - "/model_cache"
+
+    - name: Render template files
+      ansible.builtin.template:
+        src: templates/{{ item.src }}
+        dest: "{{ immich_data_dir }}/{{ item.dst }}"
+        owner: "{{ users.worker }}"
+        group: "{{ users.worker }}"
+        mode: '0600'
+      loop:
+        - src: docker-compose.yml
+          dst: docker-compose.yml
+        - src: env
+          dst: .env
+        - src: config.json
+          dst: config.json
+
+    - name: Start Immich stack
+      community.docker.docker_compose_v2:
+        project_src: "{{ immich_data_dir }}"
+        wait: true
+        pull: always
+
+- name: Disable Immich
+  when: immich_enabled is false
+  block:
+    - name: Stop Immich
+      community.docker.docker_compose_v2:
+        project_src: "{{ immich_data_dir }}"
+        state: absent

roles/immich/templates/config.json

@@ -0,0 +1,187 @@
+{
+    "ffmpeg": {
+        "crf": 23,
+        "threads": 0,
+        "preset": "ultrafast",
+        "targetVideoCodec": "h264",
+        "acceptedVideoCodecs": [
+            "h264"
+        ],
+        "targetAudioCodec": "aac",
+        "acceptedAudioCodecs": [
+            "aac",
+            "mp3",
+            "libopus",
+            "pcm_s16le"
+        ],
+        "acceptedContainers": [
+            "mov",
+            "ogg",
+            "webm"
+        ],
+        "targetResolution": "720",
+        "maxBitrate": "0",
+        "bframes": -1,
+        "refs": 0,
+        "gopSize": 0,
+        "npl": 0,
+        "temporalAQ": false,
+        "cqMode": "auto",
+        "twoPass": false,
+        "preferredHwDevice": "auto",
+        "transcode": "required",
+        "tonemap": "hable",
+        "accel": "disabled",
+        "accelDecode": false
+    },
+    "job": {
+        "backgroundTask": {
+            "concurrency": 5
+        },
+        "smartSearch": {
+            "concurrency": 2
+        },
+        "metadataExtraction": {
+            "concurrency": 5
+        },
+        "faceDetection": {
+            "concurrency": 2
+        },
+        "search": {
+            "concurrency": 5
+        },
+        "sidecar": {
+            "concurrency": 5
+        },
+        "library": {
+            "concurrency": 5
+        },
+        "migration": {
+            "concurrency": 5
+        },
+        "thumbnailGeneration": {
+            "concurrency": 3
+        },
+        "videoConversion": {
+            "concurrency": 1
+        },
+        "notifications": {
+            "concurrency": 5
+        }
+    },
+    "logging": {
+        "enabled": true,
+        "level": "log"
+    },
+    "machineLearning": {
+        "enabled": true,
+        "url": "http://immich-machine-learning:3003",
+        "clip": {
+            "enabled": true,
+            "modelName": "ViT-B-32__openai"
+        },
+        "duplicateDetection": {
+            "enabled": true,
+            "maxDistance": 0.01
+        },
+        "facialRecognition": {
+            "enabled": true,
+            "modelName": "buffalo_l",
+            "minScore": 0.7,
+            "maxDistance": 0.5,
+            "minFaces": 3
+        }
+    },
+    "map": {
+        "enabled": true,
+        "lightStyle": "https://tiles.immich.cloud/v1/style/light.json",
+        "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json"
+    },
+    "reverseGeocoding": {
+        "enabled": true
+    },
+    "metadata": {
+        "faces": {
+            "import": false
+        }
+    },
+    "oauth": {
+        "autoLaunch": true,
+        "autoRegister": true,
+        "buttonText": "{{ immich_sso.button_text | default('Login with OAuth2') }}",
+        "clientId": "{{ immich_sso.client_id }}",
+        "clientSecret": "{{ immich_sso.client_secret }}",
+        "defaultStorageQuota": 0,
+        "enabled": {{ immich_sso.enabled | ternary('true', 'false') }},
+        "issuerUrl": "{{ immich_sso.issuer_url }}",
+        "mobileOverrideEnabled": false,
+        "mobileRedirectUri": "",
+        "scope": "openid email profile",
+        "signingAlgorithm": "RS256",
+        "profileSigningAlgorithm": "none",
+        "storageLabelClaim": "preferred_username",
+        "storageQuotaClaim": "immich_quota"
+    },
+    "passwordLogin": {
+        "enabled": true
+    },
+    "storageTemplate": {
+        "enabled": false,
+        "hashVerificationEnabled": true,
+        "template": "{{ '{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}' }}"
+    },
+    "image": {
+        "thumbnail": {
+            "format": "webp",
+            "size": 250,
+            "quality": 80
+        },
+        "preview": {
+            "format": "jpeg",
+            "size": 1440,
+            "quality": 80
+        },
+        "colorspace": "p3",
+        "extractEmbedded": false
+    },
+    "newVersionCheck": {
+        "enabled": true
+    },
+    "trash": {
+        "enabled": true,
+        "days": 30
+    },
+    "theme": {
+        "customCss": ""
+    },
+    "library": {
+        "scan": {
+            "enabled": true,
+            "cronExpression": "0 0 * * *"
+        },
+        "watch": {
+            "enabled": false
+        }
+    },
+    "server": {
+        "externalDomain": "https://{{ immich_routing.subdomain }}.{{ general.domain }}",
+        "loginPageMessage": ""
+    },
+    "notifications": {
+        "smtp": {
+            "enabled": false,
+            "from": "",
+            "replyTo": "",
+            "transport": {
+                "ignoreCert": false,
+                "host": "",
+                "port": 587,
+                "username": "",
+                "password": ""
+            }
+        }
+    },
+    "user": {
+        "deleteDelay": 7
+    }
+}