Commit 1df7d1333786

Vincent Demeester <vincent@sbr.pm>
2026-01-02 11:22:40
feat(immich): Enable public access via kerkouane proxy
- Add DNS A record for immich.sbr.pm pointing to kerkouane - Configure Caddy reverse proxy to internal Immich instance - Enable external photo management access Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 254363a
Changed files (2)
systems/common/services/dns/sbr.pm-gandi.nix
@@ -3,8 +3,17 @@
 let
   dnsHelpers = import ../../../../lib/dns-helpers.nix { inherit globals; };
   inherit (dnsHelpers) getMachineIP;
+
+  # Import the common zone and override immich to point to kerkouane's public IP
+  baseZone = import ./sbr.pm-common.nix {
+    inherit dns globals;
+    getIPForMachine = getMachineIP;
+  };
 in
-import ./sbr.pm-common.nix {
-  inherit dns globals;
-  getIPForMachine = getMachineIP;
+baseZone
+// {
+  subdomains = baseZone.subdomains // {
+    # Override immich to point to kerkouane's public IP (reverse proxy entry point)
+    immich.A = [ "167.99.17.238" ];
+  };
 }
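Review bot: The override `immich.A = [ "167.99.17.238" ];` hard-codes kerkouane's public address as a literal, while the rest of the zone resolves addresses through `getMachineIP`. If the host is ever rebuilt on a different address, this record will keep pointing at the old one, and a stale A record for a login-bearing hostname is worth avoiding. I would name it once in the `let` block, e.g. `kerkouanePublicIP = "167.99.17.238";`, or read it from `globals` if the public address is already recorded there, and use that name in the override. Note also that `//` replaces the whole `immich` entry from `baseZone`, not just its `A` list. That is presumably intended, but the comment could say so, e.g. `# Replaces the common immich entry entirely; only the public A record is published`. The comment at the top of the `let` block repeats the one inside `subdomains`, so one of them can go.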
systems/kerkouane/extra.nix
@@ -133,6 +133,16 @@ in
         }
       '';
 
+      # Immich photo management (proxied to rhea)
+      "immich.sbr.pm".extraConfig = ''
+        reverse_proxy 10.100.0.50:2283 {
+          header_up Host {host}
+          header_up X-Forwarded-For {remote_host}
+          header_up X-Real-IP {remote_host}
+          header_up X-Forwarded-Proto {scheme}
+        }
+      '';
+
       # Webhook/gosmee service with SSE support
       "webhook.sbr.pm".extraConfig = ''
         reverse_proxy localhost:3333 {
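Review bot: The new `immich.sbr.pm` block puts the full Immich login and API on the public internet, and its comment does not record what the exposure relies on. I would extend it to something like `# Public entry point: authentication is Immich's own; upstream is plain HTTP to rhea over the internal 10.100.0.x link`. The forwarded client address only helps if Immich is configured to trust this proxy, normally through its `IMMICH_TRUSTED_PROXIES` setting. Without that, failed logins are likely to be logged with the proxy's address rather than the client's, which makes brute-force attempts harder to spot. Separately, `header_up Host {host}`, `header_up X-Forwarded-For {remote_host}` and `header_up X-Forwarded-Proto {scheme}` repeat what Caddy's `reverse_proxy` already does by default, so only the `X-Real-IP` line adds anything and the other three can be dropped. The enclosing attribute set starts and ends outside this hunk.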