1 files changed, 66 insertions, 0 deletions
diff --git a/hosts/surtr/immich.nix b/hosts/surtr/immich.nix
new file mode 100644
index 00000000..61a55e77
--- /dev/null
+++ b/hosts/surtr/immich.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "immich.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+    services.nginx = {
+      upstreams."immich" = {
+        servers = {
+          "[2a03:4000:52:ada:4:1::]:2283" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "immich.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/immich.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/immich.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/immich.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://immich;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+            '';
+          };
+        };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "immich.yggdrasil.li.key.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/key.pem"
+          "immich.yggdrasil.li.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/fullchain.pem"
+          "immich.yggdrasil.li.chain.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}

diff --git a/hosts/surtr/immich.nix b/hosts/surtr/immich.nix new file mode 100644 index 00000000..61a55e77 --- /dev/null +++ b/hosts/surtr/immich.nix
@@ -0,0 +1,66 @@
	1	{ config, ... }:
	2
	3	{
	4	config = {
	5	security.acme.rfc2136Domains = {
	6	"immich.yggdrasil.li" = {
	7	restartUnits = ["nginx.service"];
	8	};
	9	};
	10
	11	services.nginx = {
	12	upstreams."immich" = {
	13	servers = {
	14	"[2a03:4000:52:ada:4:1::]:2283" = {};
	15	};
	16	extraConfig = ''
	17	keepalive 8;
	18	'';
	19	};
	20	virtualHosts = {
	21	"immich.yggdrasil.li" = {
	22	kTLS = true;
	23	http3 = true;
	24	forceSSL = true;
	25	sslCertificate = "/run/credentials/nginx.service/immich.yggdrasil.li.pem";
	26	sslCertificateKey = "/run/credentials/nginx.service/immich.yggdrasil.li.key.pem";
	27	sslTrustedCertificate = "/run/credentials/nginx.service/immich.yggdrasil.li.chain.pem";
	28	extraConfig = ''
	29	charset utf-8;
	30	'';
	31
	32	locations = {
	33	"/".extraConfig = ''
	34	proxy_pass http://immich;
	35
	36	proxy_http_version 1.1;
	37	proxy_set_header Upgrade $http_upgrade;
	38	proxy_set_header Connection "upgrade";
	39
	40	proxy_redirect off;
	41	proxy_set_header Host $host;
	42	proxy_set_header X-Real-IP $remote_addr;
	43	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	44	proxy_set_header X-Forwarded-Host $server_name;
	45	proxy_set_header X-Forwarded-Proto $scheme;
	46
	47	client_max_body_size 0;
	48	proxy_request_buffering off;
	49	proxy_buffering off;
	50	'';
	51	};
	52	};
	53	};
	54	};
	55
	56	systemd.services.nginx = {
	57	serviceConfig = {
	58	LoadCredential = [
	59	"immich.yggdrasil.li.key.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/key.pem"
	60	"immich.yggdrasil.li.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/fullchain.pem"
	61	"immich.yggdrasil.li.chain.pem:${config.security.acme.certs."immich.yggdrasil.li".directory}/chain.pem"
	62	];
	63	};
	64	};
	65	};
	66	}