massicot,fix: switch to fix drive

2024-09-14 16:33:01 +08:00 · 2024-09-14 16:33:01 +08:00 · 5104c5943e
commit 5104c5943e
parent 37f59db944
16 changed files with 512 additions and 248 deletions
--- a/modules/nixos/immich.nix
+++ b/modules/nixos/immich.nix
@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  cfg = config.custom.immich;
+  upstreamCfg = config.services.immich;
+  settingsFormat = pkgs.formats.json { };
+  user = config.systemd.services.immich-server.serviceConfig.User;
+  group = config.systemd.services.immich-server.serviceConfig.Group;
+in
+{
+  options = {
+    custom.immich.jsonSettings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+      };
+      default = { };
+    };
+  };
+  config = {
+    /*
+      LoadCredential happens before preStart. We need to ensure the
+      configuration file exist, otherwise LoadCredential will fail.
+    */
+    systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
+      "10-etc-immich" = {
+        "/etc/immich" = {
+          d = {
+            inherit user group;
+            mode = "0600";
+          };
+        };
+        "/etc/immich/config.json" = {
+          "f+" = {
+            inherit user group;
+            mode = "0600";
+          };
+        };
+      };
+    };
+
+    systemd.services.immich-server = {
+      preStart = ''
+        umask 0077
+        ${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
+      '';
+      serviceConfig = {
+        LoadCredential = "config:/etc/immich/config.json";
+        Environment = "IMMICH_CONFIG_FILE=%d/config";
+      };
+    };
+  };
+}