Fixed indentation. Fixed Immich not working correctly behind Traefik (too restrictive headers).

Raphaël Numbus
2026-02-27 14:49:25 +01:00
parent c2b49d7d67
commit bf753471ba
10 changed files with 64 additions and 22 deletions
+33 -4
@@ -32,13 +32,15 @@ helper.mkPodmanService {
IMMICH_VERSION = "v2.5.6";
};
dirPermissions = [
"100999:100 ${cfg.configDir}/model-cache"
"100999:100 ${cfg.configDir}/machine-learning-config"
"100999:100 ${cfg.configDir}/machine-learning-cache"
"100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/redis"
"100999:100 ${cfg.configDir}/model-cache"
"100999:100 ${cfg.configDir}/machine-learning-cache"
"100999:100 ${cfg.configDir}/machine-learning-config"
"100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.dataDir}"
];
middlewares = [ "immichSecureHeaders" ];
# Compose file good
composeText = ''
@@ -64,6 +66,7 @@ helper.mkPodmanService {
DB_DATABASE_NAME: $DB_DATABASE_NAME
DB_USERNAME: $DB_USERNAME
DB_PASSWORD: $DB_PASSWORD
IMMICH_TRUSTED_PROXIES: ${config.numbus.networking.ipAddress}
depends_on:
- immich-redis
- immich-database
@@ -133,4 +136,30 @@ helper.mkPodmanService {
name: immich
driver: bridge
'';
extraConfig = {
environment.etc."traefik/rules/immichSecureHeaders.yaml".text = ''
http:
middlewares:
immichSecureHeaders:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,POST,PUT,DELETE,OPTIONS'
AccessControlAllowOriginList:
- https://${cfg.subdomain}.${config.numbus.services.domain}
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: "default-src 'self'; base-uri 'self'; img-src 'self' https://static.immich.cloud https://tiles.immich.cloud data: blob:; connect-src 'self' https://${cfg.subdomain}.${config.numbus.services.domain} wss://${cfg.subdomain}.${config.numbus.services.domain} https://static.immich.cloud https://tiles.immich.cloud; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob: https://${cfg.subdomain}.${config.numbus.services.domain}; frame-ancestors 'self';"
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000
'';
};
}
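Review bot: In the `immichSecureHeaders` middleware, `AccessControlAllowOriginList` carries a second entry `- origin-list-or-null`, which looks like a placeholder copied from documentation rather than a real origin; it should be dropped so the list holds only `https://${cfg.subdomain}.${config.numbus.services.domain}`. The relaxed `ContentSecurityPolicy` also sets `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which removes most of the policy's protection against injected script; a comment should record which Immich feature needs each keyword, and `'unsafe-eval'` should be dropped if the web UI works without it (not verifiable from this hunk). `FrameDeny: true` and `CustomFrameOptionsValue: SAMEORIGIN` are both set; as far as I know the custom value takes precedence, so only the intended one should stay. `STSPreload: true` together with `STSIncludeSubdomains: true` commits every subdomain of the domain to HTTPS for the ten-year `STSSeconds`, which deserves a comment confirming that this is wanted for all services under that domain.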