immich: init at 1.115.0; nixos/immich: init module

[jvanbruegge]

Description of changes

This adds the package, nixos module and nixos test for immich

Closes #244803

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[h7x4]

Does this superseed #244803?

[jvanbruegge]

Yes, I was asked by @Atemu to open a new PR

[eclairevoyant]

Thank you greatly for your work on this! I had some feedback and questions below:

[jpds]

I occasionally see these messages in my logs:

server[36665]: [Nest] 36665  - 07/05/2024, 12:00:00 AM   ERROR [Microservices:JobService] Unable to run job handler (thumbnailGeneration/generate-preview): Error: Cannot find ffprobe
server[36665]: [Nest] 36665  - 07/05/2024, 12:00:00 AM   ERROR [Microservices:JobService] Error: Cannot find ffprobe

server[8610]: [Nest] 8610  - 07/02/2024, 10:35:52 PM    WARN [Api:ServerInfoRepository~dfqq7ca6] Failed to read build-lock.json

[Atemu]

ffprobe is provided by the ffmpeg the build already depends on. Perhaps it needs to be wrapped to have access to the binary at runtime.

[crertel]

Just wanted to say I'm psyched to see this getting added. Thanks for the work!

[jvanbruegge]

I have addressed most of the review comments now and rebased onto the current master. This broke albumentations, which I fixed in a seperate commit.
We will still need to wait for the upstream PR to get the geonames without downloading the full docker container

[jvanbruegge]

Yes, I also upgraded my deployment to the latest version of this PR and everything works

[dotlambda]

Suggested change

	cp "$sources_tmp" sources.json
	mv "$sources_tmp" sources.json

if you don't want to leave temporary files behind

[dotlambda]

Can you add a comment with the reason?

[dotlambda]

Is there a problem with our opencv4 package?

AttributeError: module 'cv2' has no attribute 'Mat'

[dotlambda]

I enable tests in #344237.

[dotlambda]

Why would this be needed?

[dotlambda]

removed in #344237

[dotlambda]

After understanding the PYTHONPATH thing my remaining comments shouldn't block the merge.

[jlbribeiro]

Given the huge popularity of Immich, I'd like to take a bit of time to really thank all the people involved in packaging this.

@jvanbruegge I'd like to thank you for bringing this to the finish line; I know it probably wasn't easy, given this PR was open almost 3 months ago. You started as a user requesting a package and ended up stepping up and sharing your work with the rest of the NixOS community, when it looked like the consensus was having a separate project. I'm sure the community will help you maintain both the package and the module up to date, given the frenetic rate at which Immich is being developed :)

There are a couple of unsung heroes I'd like to mention:

• @oddlama, for taking one of the first stabs at this more than a year ago!
• @diogotcorreia, for having packaged one of the blockers, pgvecto.rs! You also started by sharing your work in a comment, and ended up making it available to the whole nixpkgs and unblocking @oddlama / @jvanbruegge efforts! Thank you!

And a huge thanks to all the reviewers involved!

[Titaniumtown]

Amazing work! How can I properly integrate this into my nix config? Does anyone have a public server config I can take a look at.
Thanks!

[jvanbruegge]

https://github.com/jvanbruegge/server-config/blob/86d8f6ff4c9e576cdfd94410dd4e35e58c6e8e5d/caladan/services.nix#L10

[Titaniumtown]

Thank you @jvanbruegge, just trying to figure out how to integrate this with the differing directories I have things stored in. Thanks again for all your hard work! Very much appreciated!

[onny]

back then i wrote this wiki page but not sure if its still up-to date https://wiki.nixos.org/wiki/Immich

[ISibboI]

Thank you so much for finally bringing immich to nixos!

I have one question: does the default setup support external libraries? Because I tried to add my local picture library on my server to immich as external library, but it cannot access any path I specify. It always gives EACCESS, even though the whole path is readable and executable by everyone.

[oddlama]

@ISibboI This is probably because of the service hardening I did in the first version. You will have to add your directory to a ReadWritePaths directive for the relevant systemd units to make it work

[NyCodeGHG]

@oddlama

This is probably because of the service hardening I did in the first version. You will have to add your directory to a ReadWritePaths directive for the relevant systemd units to make it work

This should be done automatically if it's not the default state directory imo.

[jvanbruegge]

I don't think that's the issue, as I also do not use the standard path and have no issues

[PowerUser64]

Congratulations @jvanbruegge! This was one of the most through reviews I've seen, and you made it through! Thanks for all your hard work as well as the hard work of others to get this merged!

[Scrumplex]

I was able to migrate my Docker Compose deployment. An issue I ran into was that file paths in the database were relative to immich's working directory, meaning that everything was prefixed with upload/. I was able to remedy this by replacing upload/ with my mediaLocation (which is also what the UPLOAD_LOCATION variable from my Compose deployment pointed to).

Note

This is what worked for my installation that is a few years old. I am not sure if newer installations behave differently. Some facts about my Docker Compose installation:

• The database is called immich
• The database user is called immich
• My UPLOAD_LOCATION (docker mount path) is set to /media/immich-library

0. Make a backup of your current library and save a copy of the following database dump
1. Enable NixOS Immich and switch. This will start an empty instance of Immich but will create the database and database user for us.¹ In my case it looked like this:

services.immich = {
  enable = true;
  mediaLocation = "/media/immich-library";
};

2. Stop NixOS Immich
   • systemctl stop immich-server.service immich-machine-learning.service
3. Stop Docker Immich. Leave your postgres container running
4. Dump your database. The following command is going to dump it into Postgres' data directory, so it will be easy to access from your host system.
   • docker compose exec database pg_dump --user immich -f /var/lib/postgresql/data/dump.sql immich
5. Fix unset search_path variable.²
   • sed -i "s#SELECT pg_catalog.set_config('search_path', '', false);#SELECT pg_catalog.set_config('search_path', 'public', false);#" </path/to/immich/compose>/postgres/dump.sql
6. Replace upload/ path prefix.³ In my case I replace it with /media/immich-library.
   • sed -i "s#upload/#/media/immich-library#g" </path/to/immich/compose>/postgres/dump.sql

Warning

In cases where a file is somehow stuck in your <library>/uploads/ folder, the previous sed command will create an invalid path (i.e. upload/upload/... -> /media/immich-library//media/immich-library/...). Make sure to catch these cases if present. In my case there was a single file that was referenced like this in the assets table and I was able to fix it manually after the fact.

7. Prepare NixOS database

sudo -u postgres psql immich
immich=# <paste following codeblock and exit>

DROP SCHEMA public CASCADE;
DROP SCHEMA vectors CASCADE;

CREATE SCHEMA public;

CREATE EXTENSION IF NOT EXISTS unaccent;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
CREATE EXTENSION IF NOT EXISTS vectors;
CREATE EXTENSION IF NOT EXISTS cube;
CREATE EXTENSION IF NOT EXISTS earthdistance;
CREATE EXTENSION IF NOT EXISTS pg_trgm;

ALTER SCHEMA public OWNER TO immich;
ALTER SCHEMA vectors OWNER TO immich;
GRANT SELECT ON TABLE pg_vector_index_stat TO immich;

ALTER EXTENSION vectors UPDATE;

8. Import your dump. Make sure the file is readable. I moved it to a location that is readable by the postgres user.
   • sudo -u postgres psql immich -f </path/to/immich/compose>/postgres/dump.sql
9. Start NixOS Immich
   • systemctl start immich-server.service immich-machine-learning.service
10. Make sure you can actually view images on the web app.

If any of these steps fail, you should have your original (unmodified!) database as well as a backup of your media location.

¹: As a precaution, you could make your existing Immich library read-only (i.e. chown -R root:root /media/immich-library) to avoid any modifications done by this empty installation of Immich.
²: Restoring a dump that uses Postgres earthdistance seems to fail if search_path isn't set to the target schema. See this StackOverflow comment
³: Perhaps you can inspect your database dump for this first. In my case every file reference started with upload/ (i.e. upload/thumbs/ instead of just thumbs/)

---

I hope this helps someone out there trying to get this working.

[Atemu]

@Scrumplex could you PR that into a migration doc and link it in the patch notes?

[Titaniumtown]

Thank you @Scrumplex, I've been working on migration now, luckily I had a backup of my sql because I've broken it hahaha

[Scrumplex]

I have written more in the last hour than I did on average per day for my bachelor's thesis. 😅

See #344300 for my proposed NixOS manual documentation.

It also includes a much better sed expression than I have commented here, that might be less prone to issues.

I'll keep "Allow edits and access to secrets by maintainers" on in case someone with commit access wants to commit changes into my PR. I will go to bed now! 💤

[rhoriguchi]

Found an issue with the module, when running immich and changing the group services.immich.group = "test"; the redis service will have the wrong group and fail to start. The issue is this line, so it would make sense to just create the group if the user is immich.

nixpkgs/nixos/modules/services/databases/redis.nix

Line 356 in 23cbb25

Group = conf.user;

> journalctl -r -u redis-immich.service
Sep 25 04:42:53 HOSTNAME systemd[1]: Failed to start Redis Server - redis-immich.
Sep 25 04:42:53 HOSTNAME systemd[1]: redis-immich.service: Failed with result 'exit-code'.
Sep 25 04:42:53 HOSTNAME systemd[1]: redis-immich.service: Control process exited, code=exited, status=216/GROUP
Sep 25 04:42:53 HOSTNAME (rep-conf)[13315]: redis-immich.service: Failed at step GROUP spawning /nix/store/338pjs37wgmhghid8wbai5qgyssihq2n-redis-immich-prep-conf: No such process
Sep 25 04:42:53 HOSTNAME (rep-conf)[13315]: redis-immich.service: Failed to determine group credentials: No such process
Sep 25 04:42:53 HOSTNAME systemd[1]: Starting Redis Server - redis-immich...

[gnull]

Anyone had success testing this on aarch64?

[bct]

If you use a non-socket postgres connection then services.immich.environment refers to cfg.database.port, but the module doesn't declare this option. Is this a bug, or am I missing something?

[Titaniumtown]

@bct i believe that is a bug, I can also reproduce.

[jvanbruegge]

Yes, that probably got lost somewhere during all of the rebasing for the reviews

[aciceri]

Anyone had success testing this on aarch64?

It tries to build python3Packages.insightface which is broken on aarch64-linux, don't know if it would work removing it (without face recognition obviously).

Moreover postgresqlPackages.pgvecto-rs too is broken on aarch64-linux and there may be even other broken dependencies.

[Atemu]

Sorry to interject but please create separate issues rather than commenting on this PR unless it is specifically something that requires the attention of the people who were involved in this PR.

A lot of people are subscribed and this code is in Nixpkgs now, so it should be treated like any other Nixpkgs code.