# Immich - Container 109
## 📸 Overview
Immich is a self-hosted photo and video backup and management system, designed as a privacy-friendly and high-performance replacement for Google Photos.
- **Purpose**: Central photo archive and backup system
- **Migration**: In progress from Google Photos
- **Source of Truth**: Yes — Immich will become the authoritative media repository
---
## 🧾 Service Details
- **Container ID**: 109
- **Proxmox Host**: proxmox04
- **IP Address**: 192.168.1.48
- **Exposed Domain**: `photos.wtfsolutions.cc` (planned via Cloudflare Tunnel)
- **Authentication**:
  - Immich internal login
  - Cloudflare Access (planned)
- **Credentials**:
  - Stored in Bitwarden under `homelab/immich` (planned)
---
## 🖥️ Hosting & Deployment
- **Environment**: LXC container on Proxmox
- **Provisioning Script**: [community-scripts/immich](https://github.com/community-scripts/ProxmoxVE/blob/main/ct/immich.sh)
- **Deployment Method**: Installed via Git and built from source
- **Service Manager**: systemd
### Systemd Services
- `immich-web.service`: web frontend
- `immich-ml.service`: machine learning (faces, labels)
- PostgreSQL and Redis run inside the container
---
## 📂 Storage & Volumes
| Container Path | Host Mount Path | Purpose |
|---------------------------|------------------------------------------|----------------------|
| `/mnt/immich/library` | `/zfs_pool/immich/immich_library` | Photos and videos |
| `/mnt/immich/database` | `/zfs_pool/immich/immich_database` | PostgreSQL DB data |
---
## ⚙️ Configuration
### Environment File
Path: `/opt/immich/.env`
```env
TZ=America/New_York
IMMICH_VERSION=release
NODE_ENV=production
DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=REDACTED
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=vectorchord
REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
IMMICH_MEDIA_LOCATION=/mnt/immich/library
```
Only the `immich` user has read access to this file. DB credentials are vaulted in Bitwarden.

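As an added check (not part of the original page), the following script verifies that statement before the service goes public: it confirms the owner and mode of `/opt/immich/.env` and flags a `DB_PASSWORD` that is empty or still a placeholder. The script name and the placeholder list are assumptions.

```shell
#!/bin/sh
# Added example, not from the HomeLabDocs page: audit the Immich .env file.
# Fails if the file is owned by someone other than the expected user (name
# or numeric uid), if group/other have any access bits, or if DB_PASSWORD is
# empty or a placeholder. Assumes GNU/BusyBox stat (-c). Usage:
#   sh check_env.sh /opt/immich/.env immich

check_env_file() {
    env_file="$1"
    expected_owner="$2"
    status=0

    if [ ! -f "$env_file" ]; then
        echo "MISSING: $env_file" >&2
        return 1
    fi

    owner=$(stat -c '%U' "$env_file")      # owner name
    owner_uid=$(stat -c '%u' "$env_file")  # owner uid
    mode=$(stat -c '%a' "$env_file")       # octal permission bits, e.g. 600

    if [ "$owner" != "$expected_owner" ] && [ "$owner_uid" != "$expected_owner" ]; then
        echo "BAD OWNER: $env_file is owned by $owner, expected $expected_owner" >&2
        status=1
    fi

    # The last two octal digits are group and other; any non-zero bit there
    # means another account on the container can read the DB password.
    case "$mode" in
        *00) ;;
        *) echo "BAD MODE: $env_file is $mode; group/other must be 0 (chmod 600)" >&2
           status=1 ;;
    esac

    # Placeholders that must never survive into a running deployment
    if grep -Eq '^DB_PASSWORD=(REDACTED|changeme|postgres)?$' "$env_file"; then
        echo "WEAK SECRET: DB_PASSWORD is empty or a placeholder" >&2
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $env_file"
    return "$status"
}

if [ $# -eq 2 ]; then
    check_env_file "$1" "$2"
fi
```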
---
## 🔄 Update Procedure
Immich is built from GitHub source. Updates require manual pulls and rebuilds:
```bash
# Inside the container (CT 109)
systemctl stop immich-web.service
systemctl stop immich-ml.service
cd /opt/immich
git pull              # fetch the latest source
npm install --force   # refresh dependencies
npm run build         # rebuild from source
systemctl start immich-ml.service
systemctl start immich-web.service
```
Optional: snapshot the container from the Proxmox host before updating (`pct snapshot 109 pre-update`; `pct snapshot` requires a snapshot name after the container ID).

---
## 🔐 Security
- **Public Exposure**: Not yet live — planned behind Cloudflare Tunnel (LXC 111)
- **Access Control**: Will enforce Cloudflare Access for external logins
---
## 🔁 Backup & Recovery
| Data Location | Method | Frequency |
|--------------------------|------------------------|---------------|
| `/mnt/immich/library` | ZFS snapshot or rsync | 🔄 Planned |
| `/mnt/immich/database` | ZFS snapshot or `pg_dump` | 🔄 Planned |
Restore plan: roll back to a snapshot or import the PostgreSQL SQL dump.

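The roadmap calls for ZFS snapshot and `pg_dump` automation; the following script is an added example, not from the original page, showing one way to do it from the Proxmox host. The dataset names, the backup directory, the `pct exec` approach, the `immich-daily` prefix and the 14-day retention are assumptions.

```shell
#!/bin/sh
# Added example, not from the HomeLabDocs page: nightly Immich backup run on
# proxmox04 as root. It takes a pg_dump inside CT 109 via pct exec, snapshots
# both ZFS datasets and prunes old copies with one retention rule. Assumed:
# dataset names match the host mount paths in the Storage table, and dumps
# live under /zfs_pool/immich/backups on the host. Cron entry: backup.sh run
set -eu
CTID=109
DATASETS="zfs_pool/immich/immich_library zfs_pool/immich/immich_database"
DUMP_DIR="/zfs_pool/immich/backups"
PREFIX="immich-daily"
KEEP=14   # daily snapshots and dumps to retain

# Snapshot name for a YYYYMMDD date, e.g. immich-daily-20240601
snapshot_name() {
    printf '%s-%s\n' "$PREFIX" "$1"
}
# Reads names (one per line, any order) on stdin and prints the ones to
# delete, keeping the newest KEEP. Names sort lexically because the date is
# YYYYMMDD; anything not starting with PREFIX is ignored, never deleted.
snapshots_to_prune() {
    grep "^$PREFIX-" | sort -r | tail -n +"$((KEEP + 1))"
}
run_backup() {
    snap=$(snapshot_name "$(date +%Y%m%d)")
    mkdir -p "$DUMP_DIR"
    # Logical dump first (credentials from .env inside the container); not a
    # pipeline, so a pg_dump failure aborts under set -e. The cluster must be
    # up: on Debian postgresql.service is an umbrella unit (ExecStart=/bin/true)
    # and the live unit is postgresql@<version>-main.service.
    pct exec "$CTID" -- sh -c '. /opt/immich/.env && PGPASSWORD="$DB_PASSWORD" \
        pg_dump -h "$DB_HOSTNAME" -U "$DB_USERNAME" "$DB_DATABASE_NAME"' \
        > "$DUMP_DIR/$snap.sql"
    gzip -f "$DUMP_DIR/$snap.sql"
    for ds in $DATASETS; do
        zfs snapshot "$ds@$snap"
        # -d 1 lists only this dataset's own snapshots, not descendants'
        zfs list -H -t snapshot -o name -d 1 "$ds" | sed "s|^$ds@||" \
            | snapshots_to_prune | while read -r old; do
                zfs destroy "$ds@$old"
            done
    done
    # Prune dumps with the same retention rule
    ls "$DUMP_DIR" | sed 's/\.sql\.gz$//' | snapshots_to_prune \
        | while read -r old; do rm -f "$DUMP_DIR/$old.sql.gz"; done
}
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```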
---
## 📊 Logs & Monitoring
| Service | Log Path |
|---------------------|------------------------------|
| Web Frontend | `/var/log/immich/web.log` |
| Machine Learning | `/var/log/immich/ml.log` |
| Systemd | `journalctl -u immich-web.service` |
---
## 📝 Notes & To-Do
- [ ] Complete Google Photos migration
- [ ] Expose Immich at `photos.wtfsolutions.cc`
- [ ] Enforce Cloudflare Access
- [ ] Configure off-site backup or replication
- [ ] Enable monitoring (e.g., Healthchecks or Prometheus)
---
## 🌐 Network & Integration
- Immich runs in **LXC container 109** on `proxmox04`, with local IP `192.168.1.48`.
- Public access is planned through **Cloudflare Tunnel** using LXC 111 (`cloudflared`).
- Tunnel domain: `photos.wtfsolutions.cc` (not yet live)
- DNS and access control will be managed via **Cloudflare Zero Trust**.
- Immich will follow a pattern similar to existing services (Nextcloud, Collabora).
---
## 🔐 Security Practices
- **Credentials** (DB password, Immich admin login) are stored in **Bitwarden** under `homelab/immich`.
- Once public, Immich will be protected via:
  - Cloudflare Access (email/domain-restricted auth)
  - Immich internal login (admin account)
- `.env` and secrets are only readable by the `immich` system user.
---
## 📱 Mobile Sync Strategy
- Mobile apps (iOS and Android) will be configured to auto-upload once public access is enabled.
- Sync will occur through `photos.wtfsolutions.cc` without needing a VPN.
- Immich will fully replace Google Photos for ongoing uploads.
---
## 🗂️ Media Management
- All media is stored in `/mnt/immich/library`, backed by ZFS.
- Immich ML service provides face and object recognition.
- Map view and clustering will be enabled to support timeline and geo search.
- Immich is the **single source of truth** for all photo and video content going forward.
---
## 🛠️ Roadmap / To-Dos
- [ ] Finalize migration from Google Photos
- [ ] Set up Cloudflare DNS for `photos.wtfsolutions.cc`
- [ ] Enable Cloudflare Access policies
- [ ] Configure mobile app auto-uploads
- [ ] Enable map-based search and facial clustering
- [ ] Add ZFS snapshot + `pg_dump` automation
- [ ] Evaluate long-term off-site backup (e.g., S3, B2)
- [ ] Consider exposing read-only album for family/guests
---
## ⚙️ Container Configuration
Immich runs in LXC container `109` with the following Proxmox configuration:
| Setting | Value |
|------------------|------------------------------------------|
| Cores | 4 |
| Memory | 8192 MB |
| Swap | 512 MB |
| Arch | amd64 |
| Root Filesystem | `vm_data:subvol-109-disk-0` (64GB) |
| On Boot | ✅ Yes (`onboot: 1`) |
| Nesting Enabled | ✅ Yes (`nesting=1`) |
| Keyctl Enabled | ✅ Yes (`keyctl=1`) |
| Unprivileged | ✅ Yes |
| Hostname | `immich` |
| Bridge | `vmbr0` |
| IP Address | `192.168.1.48/24` |
| Gateway | `192.168.1.1` |
| Tags | `community-script;photos` |
---
## 🧠 Machine Learning & GPU Access
The Immich ML service uses GPU acceleration inside the container:
- GPU devices passed through:
  - `/dev/dri/card1` (group ID 44)
  - `/dev/dri/renderD128` (group ID 104)
- Facial recognition and object detection performance is improved by this setup
- The ML service runs under `immich-ml.service` with logs at `/var/log/immich/ml.log`
---
## ⚙️ PostgreSQL Status
Although the container includes PostgreSQL as a dependency:
- `postgresql.service` is loaded but **inactive** (`ExecStart=/bin/true`)
- It is not yet confirmed whether Immich uses an embedded instance or an external service
- The DB volume is mounted at `/mnt/immich/database` — it contains live data
---
## 👤 User Account Management
- Admin account created at setup; account recovery is **local only**
- No external auth (OIDC, SAML) is currently configured
- Self-registration is likely **disabled**; users must be added manually by the admin
- Mobile apps will authenticate using internal credentials