lib: add mkCaddyReverseProxy, mkFail2banJail, mkGrafanaAnnotationService, extractArrApiKey

2026-04-09 19:00:47 -04:00
parent c74d356595
commit 75319256f3
23 changed files with 221 additions and 180 deletions
--- a/services/immich.nix
+++ b/services/immich.nix
@@ -16,6 +16,15 @@
    (lib.serviceFilePerms "immich-server" [
      "Z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}"
    ])
+    (lib.mkCaddyReverseProxy {
+      subdomain = "immich";
+      port = service_configs.ports.private.immich.port;
+    })
+    (lib.mkFail2banJail {
+      name = "immich";
+      unitName = "immich-server.service";
+      failregex = "^.*Failed login attempt for user .* from ip address <HOST>.*$";
+    })
  ];

  services.immich = {
@@ -29,10 +38,6 @@
    };
  };

-  services.caddy.virtualHosts."immich.${service_configs.https.domain}".extraConfig = ''
-    reverse_proxy :${builtins.toString config.services.immich.port}
-  '';
-
  environment.systemPackages = with pkgs; [
    immich-go
  ];
@@ -42,18 +47,4 @@
    "render"
  ];

-  # Protect Immich login from brute force attacks
-  services.fail2ban.jails.immich = {
-    enabled = true;
-    settings = {
-      backend = "systemd";
-      port = "http,https";
-      # defaults: maxretry=5, findtime=10m, bantime=10m
-    };
-    filter.Definition = {
-      failregex = "^.*Failed login attempt for user .* from ip address <HOST>.*$";
-      ignoreregex = "";
-      journalmatch = "_SYSTEMD_UNIT=immich-server.service";
-    };
-  };
 }