HomeLabDocs/immich_complete.md


# Immich - Container 109

## 📸 Overview

Immich is a self-hosted photo and video backup and management system, designed as a privacy-friendly and high-performance replacement for Google Photos.

  • Purpose: Central photo archive and backup system
  • Migration: In progress from Google Photos
  • Source of Truth: Yes — Immich will become the authoritative media repository

## 🧾 Service Details

  • Container ID: 109
  • Proxmox Host: proxmox04
  • IP Address: 192.168.1.48
  • Exposed Domain: photos.wtfsolutions.cc (planned via Cloudflare Tunnel)
  • Authentication:
    • Immich internal login
    • Cloudflare Access (planned)
  • Credentials:
    • Stored in Bitwarden under homelab/immich (planned)

## 🖥️ Hosting & Deployment

  • Environment: LXC container on Proxmox
  • Provisioning Script: community-scripts/immich
  • Deployment Method: Installed via Git and built from source
  • Service Manager: systemd

### Systemd Services

  • `immich-web.service`: web frontend
  • `immich-ml.service`: machine learning (faces, labels)
  • PostgreSQL and Redis run inside the container

## 📂 Storage & Volumes

| Container Path | Host Mount Path | Purpose |
| --- | --- | --- |
| `/mnt/immich/library` | `/zfs_pool/immich/immich_library` | Photos and videos |
| `/mnt/immich/database` | `/zfs_pool/immich/immich_database` | PostgreSQL DB data |

## ⚙️ Configuration

### Environment File

Path: `/opt/immich/.env`

```ini
TZ=America/New_York
IMMICH_VERSION=release
NODE_ENV=production

DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=REDACTED
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=vectorchord

REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache

IMMICH_MEDIA_LOCATION=/mnt/immich/library
```

Only the immich user has read access to this file. DB credentials are vaulted in Bitwarden.
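A check for the statement above, added here as an example rather than code from the HomeLabDocs repo: it verifies that the env file is owned by the service user with no group/other access, and flags a `DB_PASSWORD` still set to a placeholder such as the `REDACTED` shown above. The `check_env_file` function and its arguments are this example's own.

```shell
#!/bin/sh
# Check that the Immich environment file is locked down before the service
# goes public: owned by the service user, no group/other access, and no
# secret left at a placeholder value. Constructed example, not from the
# HomeLabDocs repo; uses GNU/BusyBox `stat -c`.
#
# Usage: check_env_file /opt/immich/.env immich

check_env_file() {
    env_file=$1
    owner=${2:-immich}
    rc=0

    if [ ! -f "$env_file" ]; then
        echo "FAIL: $env_file does not exist" >&2
        return 2
    fi

    # 1. Ownership: the file must belong to the service user
    actual_owner=$(stat -c '%U' "$env_file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner" >&2
        rc=1
    fi

    # 2. Mode: group and other octal digits must both be 0 (0600 or 0400)
    mode=$(stat -c '%a' "$env_file")
    group_other=$(printf '%s' "$mode" | tail -c 2)
    if [ "$group_other" != "00" ]; then
        echo "FAIL: mode is $mode; group/other must have no access" >&2
        rc=1
    fi

    # 3. Secrets: DB_PASSWORD must be set and not a documentation placeholder
    value=$(grep '^DB_PASSWORD=' "$env_file" | head -n 1 | cut -d= -f2-)
    case "$value" in
        ''|REDACTED|changeme|password|postgres)
            echo "FAIL: DB_PASSWORD is unset or a placeholder value" >&2
            rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then echo "OK: $env_file is locked down"; fi
    return "$rc"
}

# Run as root inside the container; exits non-zero on any finding
if [ -n "${1:-}" ]; then check_env_file "$1" "${2:-immich}"; fi
```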


## 🔄 Update Procedure

Immich is built from GitHub source. Updates require manual pulls and rebuilds:

```shell
# Inside the container, as root: stop both services, rebuild, then start
# the ML service first so the web service finds it on port 3003
systemctl stop immich-web.service
systemctl stop immich-ml.service

cd /opt/immich || exit 1
git pull
npm install --force
npm run build

systemctl start immich-ml.service
systemctl start immich-web.service
```

Optional: snapshot the container before updating, from the Proxmox host: `pct snapshot 109 <snapname>`


## 🔐 Security

  • Public Exposure: Not yet live — planned behind Cloudflare Tunnel (LXC 111)
  • Access Control: Will enforce Cloudflare Access for external logins

## 🔁 Backup & Recovery

| Data Location | Method | Frequency |
| --- | --- | --- |
| `/mnt/immich/library` | ZFS snapshot or rsync | 🔄 Planned |
| `/mnt/immich/database` | ZFS snapshot or pg_dump | 🔄 Planned |

Restore plan: roll back the snapshot or import the PostgreSQL SQL dump.
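The snapshot-plus-dump automation planned in the table above and in the roadmap item "Add ZFS snapshot + pg_dump automation", written out as an added example (not the repo's own script). It assumes the host datasets are named after their mount paths (`zfs_pool/immich/immich_library`, `zfs_pool/immich/immich_database`), an assumed dump directory `/zfs_pool/immich/backups`, and the `DB_HOSTNAME=127.0.0.1` from the env file; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Nightly backup for the Immich datasets: a ZFS snapshot of the library and
# database datasets plus a compressed pg_dump, keeping only the newest $KEEP
# automatic snapshots. Constructed example, not from the HomeLabDocs repo.
# Assumes the datasets are named after their mount paths and that DUMP_DIR
# lives on a different dataset. DRY_RUN=1 prints each command instead.

DATASETS="zfs_pool/immich/immich_library zfs_pool/immich/immich_database"
DUMP_DIR=${DUMP_DIR:-/zfs_pool/immich/backups}   # assumed path
KEEP=${KEEP:-7}
PREFIX=immich-auto

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# One UTC timestamp per run, so both datasets get the same snapshot label
snapshot_name() {
    echo "${PREFIX}-$(date -u +%Y%m%dT%H%M%SZ)"
}

# Reads snapshot names on stdin (any order) and prints the automatic ones
# outside the newest $1. Manually named snapshots are never selected.
select_expired() {
    keep=$1
    list=$(grep "@${PREFIX}-" | sort)
    total=$(printf '%s\n' "$list" | grep -c . || true)
    [ "$total" -gt "$keep" ] || return 0
    printf '%s\n' "$list" | head -n $((total - keep))
}

backup_all() {
    snap=$(snapshot_name)
    for ds in $DATASETS; do
        run zfs snapshot "${ds}@${snap}"
    done
    # Logical dump (credentials via ~/.pgpass): restores into any Postgres
    # version, unlike the crash-consistent data directory inside the snapshot
    run sh -c "pg_dump -U immich -h 127.0.0.1 immich | gzip > '$DUMP_DIR/immich-$snap.sql.gz'"
    for ds in $DATASETS; do
        zfs list -H -t snapshot -o name -r "$ds" 2>/dev/null \
            | select_expired "$KEEP" \
            | while read -r old; do run zfs destroy "$old"; done
    done
}

# From cron on the Proxmox host: sh immich-backup.sh run
if [ "${1:-}" = run ]; then backup_all; fi
```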


## 📊 Logs & Monitoring

| Service | Log Path / Command |
| --- | --- |
| Web Frontend | `/var/log/immich/web.log` |
| Machine Learning | `/var/log/immich/ml.log` |
| Systemd | `journalctl -u immich-web.service` |

## 📝 Notes & To-Do

  • Complete Google Photos migration
  • Expose Immich at photos.wtfsolutions.cc
  • Enforce Cloudflare Access
  • Configure off-site backup or replication
  • Enable monitoring (e.g., Healthchecks or Prometheus)

## 🌐 Network & Integration

  • Immich runs in LXC container 109 on proxmox04, with local IP 192.168.1.48.
  • Public access is planned through Cloudflare Tunnel using LXC 111 (cloudflared).
  • Tunnel domain: photos.wtfsolutions.cc (not yet live)
  • DNS and access control will be managed via Cloudflare Zero Trust.
  • Immich will follow a pattern similar to existing services (Nextcloud, Collabora).

## 🔐 Security Practices

  • Credentials (DB password, Immich admin login) are stored in Bitwarden under homelab/immich.
  • Once public, Immich will be protected via:
    • Cloudflare Access (email/domain-restricted auth)
    • Immich internal login (admin account)
  • .env and secrets are only readable by the immich system user.

## 📱 Mobile Sync Strategy

  • Mobile apps (iOS and Android) will be configured to auto-upload once public access is enabled.
  • Sync will occur through photos.wtfsolutions.cc without needing a VPN.
  • Immich will fully replace Google Photos for ongoing uploads.

## 🗂️ Media Management

  • All media is stored in /mnt/immich/library, backed by ZFS.
  • Immich ML service provides face and object recognition.
  • Map view and clustering will be enabled to support timeline and geo search.
  • Immich is the single source of truth for all photo and video content going forward.

## 🛠️ Roadmap / To-Dos

  • Finalize migration from Google Photos
  • Set up Cloudflare DNS for photos.wtfsolutions.cc
  • Enable Cloudflare Access policies
  • Configure mobile app auto-uploads
  • Enable map-based search and facial clustering
  • Add ZFS snapshot + pg_dump automation
  • Evaluate long-term off-site backup (e.g., S3, B2)
  • Consider exposing read-only album for family/guests

## ⚙️ Container Configuration

Immich runs in LXC container 109 with the following Proxmox configuration:

| Setting | Value |
| --- | --- |
| Cores | 4 |
| Memory | 8192 MB |
| Swap | 512 MB |
| Arch | amd64 |
| Root Filesystem | `vm_data:subvol-109-disk-0` (64 GB) |
| On Boot | Yes (`onboot: 1`) |
| Nesting Enabled | Yes (`nesting=1`) |
| Keyctl Enabled | Yes (`keyctl=1`) |
| Unprivileged | Yes |
| Hostname | immich |
| Bridge | vmbr0 |
| IP Address | 192.168.1.48/24 |
| Gateway | 192.168.1.1 |
| Tags | `community-script;photos` |

## 🧠 Machine Learning & GPU Access

Immich ML service uses GPU acceleration inside the container:

  • GPU devices passed through:
    • `/dev/dri/card1` (group ID 44)
    • `/dev/dri/renderD128` (group ID 104)
  • This passthrough accelerates facial recognition and object detection
  • The ML service runs under `immich-ml.service` with logs at `/var/log/immich/ml.log`

## ⚙️ PostgreSQL Status

Although the container includes PostgreSQL as a dependency:

  • `postgresql.service` is loaded but inactive (`ExecStart=/bin/true`)
  • Immich may be using a directly embedded instance or an external service
  • The DB volume is mounted at `/mnt/immich/database` and contains live data

## 👤 User Account Management

  • Admin account created at setup; account recovery is local only
  • No external auth (OIDC, SAML) is currently configured
  • Self-registration is likely disabled; users must be manually added by admin
  • Mobile apps will authenticate using internal credentials