# Immich - Container 109

## Overview

Immich is a self-hosted photo and video backup and management system, designed as a privacy-friendly and high-performance replacement for Google Photos.

- **Purpose**: Central photo archive and backup system
- **Migration**: In progress from Google Photos
- **Source of Truth**: Yes; Immich will become the authoritative media repository

---

## Service Details

- **Container ID**: 109
- **Proxmox Host**: proxmox04
- **IP Address**: 192.168.1.48
- **Exposed Domain**: `photos.wtfsolutions.cc` (planned via Cloudflare Tunnel)
- **Authentication**:
  - Immich internal login
  - Cloudflare Access (planned)
- **Credentials**:
  - Stored in Bitwarden under `homelab/immich` (planned)

---

## Hosting & Deployment

- **Environment**: LXC container on Proxmox
- **Provisioning Script**: [community-scripts/immich](https://github.com/community-scripts/ProxmoxVE/blob/main/ct/immich.sh)
- **Deployment Method**: Installed via Git and built from source
- **Service Manager**: systemd

### Systemd Services

- `immich-web.service`: Web frontend
- `immich-ml.service`: Machine learning (faces, labels)
- PostgreSQL and Redis run inside the container

---

## Storage & Volumes

| Container Path | Host Mount Path | Purpose |
|---|---|---|
| `/mnt/immich/library` | `/zfs_pool/immich/immich_library` | Photos and videos |
| `/mnt/immich/database` | `/zfs_pool/immich/immich_database` | PostgreSQL DB data |

---

## Configuration

### Environment File

Path: `/opt/immich/.env`

```env
TZ=America/New_York
IMMICH_VERSION=release
NODE_ENV=production
DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=REDACTED
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=vectorchord
REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
IMMICH_MEDIA_LOCATION=/mnt/immich/library
```

Only the `immich` user has read access to this file. DB credentials are vaulted in Bitwarden.

---

## Update Procedure

Immich is built from GitHub source. Updates require manual pulls and rebuilds:

```bash
# Inside the container
# Stop both services before touching the checkout
systemctl stop immich-web.service
systemctl stop immich-ml.service
cd /opt/immich
git pull
npm install --force
npm run build
# Bring ML up first so the web service can reach it on start
systemctl start immich-ml.service
systemctl start immich-web.service
```

Optional: snapshot the container before updates (`pct snapshot 109 <snapname>`).

---

## Security

- **Public Exposure**: Not yet live; planned behind Cloudflare Tunnel (LXC 111)
- **Access Control**: Will enforce Cloudflare Access for external logins

---

## Backup & Recovery

| Data Location | Method | Frequency |
|---|---|---|
| `/mnt/immich/library` | ZFS snapshot or rsync | Planned |
| `/mnt/immich/database` | ZFS snapshot or `pg_dump` | Planned |

Restore plan: roll back the snapshot or import the Postgres SQL dump.

---

## Logs & Monitoring

| Service | Log Path |
|---|---|
| Web Frontend | `/var/log/immich/web.log` |
| Machine Learning | `/var/log/immich/ml.log` |
| Systemd | `journalctl -u immich-web.service` |

---

## Notes & To-Do

- [ ] Complete Google Photos migration
- [ ] Expose Immich at `photos.wtfsolutions.cc`
- [ ] Enforce Cloudflare Access
- [ ] Configure off-site backup or replication
- [ ] Enable monitoring (e.g., Healthchecks or Prometheus)

---

## Network & Integration

- Immich runs in **LXC container 109** on `proxmox04`, with local IP `192.168.1.48`.
- Public access is planned through **Cloudflare Tunnel** using LXC 111 (`cloudflared`).
  - Tunnel domain: `photos.wtfsolutions.cc` (not yet live)
- DNS and access control will be managed via **Cloudflare Zero Trust**.
- Immich will follow a pattern similar to existing services (Nextcloud, Collabora).
---

## Security Practices

- **Credentials** (DB password, Immich admin login) are stored in **Bitwarden** under `homelab/immich`.
- Once public, Immich will be protected via:
  - Cloudflare Access (email/domain-restricted auth)
  - Immich internal login (admin account)
- `.env` and secrets are only readable by the `immich` system user.

---

## Mobile Sync Strategy

- Mobile apps (iOS and Android) will be configured to auto-upload once public access is enabled.
- Sync will occur through `photos.wtfsolutions.cc` without needing a VPN.
- Immich will fully replace Google Photos for ongoing uploads.

---

## Media Management

- All media is stored in `/mnt/immich/library`, backed by ZFS.
- The Immich ML service provides face and object recognition.
- Map view and clustering will be enabled to support timeline and geo search.
- Immich is the **single source of truth** for all photo and video content going forward.

---

## Roadmap / To-Dos

- [ ] Finalize migration from Google Photos
- [ ] Set up Cloudflare DNS for `photos.wtfsolutions.cc`
- [ ] Enable Cloudflare Access policies
- [ ] Configure mobile app auto-uploads
- [ ] Enable map-based search and facial clustering
- [ ] Add ZFS snapshot + `pg_dump` automation
- [ ] Evaluate long-term off-site backup (e.g., S3, B2)
- [ ] Consider exposing a read-only album for family/guests

---

## Container Configuration

Immich runs in LXC container `109` with the following Proxmox configuration:

| Setting | Value |
|---|---|
| Cores | 4 |
| Memory | 8192 MB |
| Swap | 512 MB |
| Arch | amd64 |
| Root Filesystem | `vm_data:subvol-109-disk-0` (64 GB) |
| On Boot | Yes (`onboot: 1`) |
| Nesting Enabled | Yes (`nesting=1`) |
| Keyctl Enabled | Yes (`keyctl=1`) |
| Unprivileged | Yes |
| Hostname | `immich` |
| Bridge | `vmbr0` |
| IP Address | `192.168.1.48/24` |
| Gateway | `192.168.1.1` |
| Tags | `community-script;photos` |

---

## Machine Learning & GPU Access

The Immich ML service uses GPU acceleration inside the container:

- GPU devices passed through:
  - `/dev/dri/card1` (group ID 44)
  - `/dev/dri/renderD128` (group ID 104)
- Facial recognition and object detection performance are enhanced by this setup
- The ML service runs under `immich-ml.service` with logs at `/var/log/immich/ml.log`

---

## PostgreSQL Status

Although the container includes PostgreSQL as a dependency:

- `postgresql.service` is loaded but **inactive** (`ExecStart=/bin/true`)
- Immich may use a directly embedded instance or an external service
- The DB volume is mounted at `/mnt/immich/database` and contains live data

---

## User Account Management

- Admin account created at setup; account recovery is **local only**
- No external auth (OIDC, SAML) is currently configured
- Self-registration is likely **disabled**; users must be manually added by the admin
- Mobile apps will authenticate using internal credentials
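---

## Backup Automation Example

The "ZFS snapshot + `pg_dump` automation" to-do and the Backup & Recovery plan above, as an added example script that is not part of this page or the Immich project. It assumes the ZFS datasets are `zfs_pool/immich/immich_library` and `zfs_pool/immich/immich_database` (taken from the host mount paths), that dumps land in `/zfs_pool/immich/dumps`, and that the `DB_*` values are read from `/opt/immich/.env`; before doing anything it checks that `.env` is readable only by its owner, matching the Security Practices note.

```shell
#!/usr/bin/env bash
# Added example, not from this page or the Immich project. Assumes the ZFS
# datasets match the host mount paths above and dumps go to DUMP_DIR.
set -eu
ENV_FILE="${ENV_FILE:-/opt/immich/.env}"
DUMP_DIR="${DUMP_DIR:-/zfs_pool/immich/dumps}"
DATASETS="zfs_pool/immich/immich_library zfs_pool/immich/immich_database"
# Print the value of KEY from a KEY=VALUE file (first match, value unquoted).
read_env_var() {
    sed -n "/^$2=/{s///p;q;}" "$1"
}

# Succeed only if the group and other permission digits are both zero, i.e.
# the secrets file stays readable by its owner (the immich user) alone.
check_env_perms() {
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# Shared name for the dump file and the ZFS snapshots of one run.
snapshot_name() {
    printf 'immich-%s' "$1"
}

backup_immich() {
    local name db_host db_name db_user db_pass ds
    check_env_perms "$ENV_FILE" || {
        echo "refusing to run: $ENV_FILE is readable by group/others" >&2
        return 1
    }
    name=$(snapshot_name "$(date +%Y%m%d-%H%M)")
    db_host=$(read_env_var "$ENV_FILE" DB_HOSTNAME)
    db_name=$(read_env_var "$ENV_FILE" DB_DATABASE_NAME)
    db_user=$(read_env_var "$ENV_FILE" DB_USERNAME)
    db_pass=$(read_env_var "$ENV_FILE" DB_PASSWORD)
    mkdir -p "$DUMP_DIR"
    # Logical dump first (custom format, restorable with pg_restore) so the
    # database snapshot taken right after also carries a consistent dump.
    PGPASSWORD="$db_pass" pg_dump -h "$db_host" -U "$db_user" -Fc "$db_name" \
        > "$DUMP_DIR/$name.dump"
    for ds in $DATASETS; do
        zfs snapshot "${ds}@${name}"
    done
}
# Run only when explicitly requested, e.g. RUN_BACKUP=1 from a systemd timer.
if [ "${RUN_BACKUP:-0}" = 1 ]; then backup_immich; fi
```

The dump file and both snapshots share one name per run, so a restore can pair the `pg_restore` input with the matching library snapshot.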