run immich-ml from ytnix and add tailscale0 to trustedInterfaces

2025-03-09 22:23:58 -04:00 · 2025-03-09 22:23:58 -04:00 · 553a07f0a9
commit 553a07f0a9
parent 59de12e892
5 changed files with 50 additions and 23 deletions
--- a/home/yt/ytnix.nix
+++ b/home/yt/ytnix.nix
@ -101,6 +101,7 @@
      wl-clipboard-rs
      pixelflasher
      element-desktop
+      freetube
    ];

  programs.feh.enable = true;
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -79,6 +79,7 @@
    networkmanager.enable = true;
    firewall = {
      enable = true;
+      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = [
        22
        80
@ -86,8 +87,6 @@
      ];
      allowedUDPPorts = [
        443
-        53
-        853
      ];
      extraCommands =
        let
--- a/hosts/chunk/immich.nix
+++ b/hosts/chunk/immich.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  lib,
  ...
 }:
 let
@ -67,21 +68,9 @@ in
      ];
      networks = [ "immich-net" ];
    };
-
-    # immich-ml = {
-    #   image = "ghcr.io/immich-app/immich-machine-learning:release";
-    #   autoStart = true;
-    #   pull = "newer";
-    #   environment = {
-    #     REDIS_HOSTNAME = "immich-redis";
-    #     DB_HOSTNAME = "immich-db";
-    #   };
-    #   volumes = [ "${modelCache}:/cache" ];
-    #   networks = [ "immich-net" ];
-    # };
  };

-  systemd.services.create-immich-net = {
+  systemd.services.create-immich-net = rec {
    serviceConfig.Type = "oneshot";
    requiredBy = with config.virtualisation.oci-containers; [
      "${backend}-immich.service"
@ -89,10 +78,10 @@ in
      "${backend}-immich-redis.service"
      # "${backend}-immich-ml.service"
    ];
-    before = config.systemd.services.create-immich-net.requiredBy;
+    before = requiredBy;
    script = ''
-      ${pkgs.podman}/bin/podman network exists immich-net || \
-      ${pkgs.podman}/bin/podman network create immich-net
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
    '';
  };

--- a/hosts/ytnix/containers.nix
+++ b/hosts/ytnix/containers.nix
@ -0,0 +1,36 @@
+{ 
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers = {
+    immich-ml = let
+      modelCache = "/opt/immich-ml";
+    in {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      autoStart = true;
+      pull = "newer";
+      ports = [ "3003:3003" ];
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      volumes = [ "${modelCache}:/cache" ];
+      networks = [ "immich-net" ];
+    };
+  };
+
+  systemd.services.create-immich-net = rec {
+    serviceConfig.Type = "oneshot";
+    requiredBy = with config.virtualisation.oci-containers; [
+      "${backend}-immich-ml.service"
+    ];
+    before = requiredBy;
+    script = ''
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
+    '';
+  };
+}
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -10,6 +10,7 @@
    ../common.nix
    ../zsh.nix
    ./tailscale.nix
+    ./containers.nix
  ];

  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -86,10 +87,12 @@
    resolvconf.enable = true;
    firewall = {
      enable = true;
-      allowedTCPPorts = [
-        8080 # mitmproxy
-        22000 # syncthing
-      ];
+      trustedInterfaces = [ "tailscale0" ];
+      # allowedTCPPorts = [
+      #   8080 # mitmproxy
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
    };
  };
  programs.nm-applet.enable = true;
@ -252,7 +255,6 @@
  xdg.mime.defaultApplications = {
    "application/pdf" = "okular.desktop";
    "image/*" = "gwenview.desktop";
-    "*/html" = "chromium-browser.desktop";
  };

  virtualisation = {