run immich-ml from ytnix and add tailscale0 to trustedInterfaces

home/yt/ytnix.nix

@@ -101,6 +101,7 @@
       wl-clipboard-rs
       pixelflasher
       element-desktop
+      freetube
     ];
 
   programs.feh.enable = true;

hosts/chunk/default.nix

@@ -79,6 +79,7 @@
     networkmanager.enable = true;
     firewall = {
       enable = true;
+      trustedInterfaces = [ "tailscale0" ];
       allowedTCPPorts = [
         22
         80
@@ -86,8 +87,6 @@
       ];
       allowedUDPPorts = [
         443
-        53
-        853
       ];
       extraCommands =
         let

hosts/chunk/immich.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }:
 let
@@ -67,21 +68,9 @@ in
       ];
       networks = [ "immich-net" ];
     };
-
-    # immich-ml = {
-    #   image = "ghcr.io/immich-app/immich-machine-learning:release";
-    #   autoStart = true;
-    #   pull = "newer";
-    #   environment = {
-    #     REDIS_HOSTNAME = "immich-redis";
-    #     DB_HOSTNAME = "immich-db";
-    #   };
-    #   volumes = [ "${modelCache}:/cache" ];
-    #   networks = [ "immich-net" ];
-    # };
   };
 
-  systemd.services.create-immich-net = {
+  systemd.services.create-immich-net = rec {
     serviceConfig.Type = "oneshot";
     requiredBy = with config.virtualisation.oci-containers; [
       "${backend}-immich.service"
@@ -89,10 +78,10 @@ in
       "${backend}-immich-redis.service"
       # "${backend}-immich-ml.service"
     ];
-    before = config.systemd.services.create-immich-net.requiredBy;
+    before = requiredBy;
     script = ''
-      ${pkgs.podman}/bin/podman network exists immich-net || \
-      ${pkgs.podman}/bin/podman network create immich-net
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
     '';
   };
 

hosts/ytnix/containers.nix

@@ -0,0 +1,36 @@
+{ 
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers = {
+    immich-ml = let
+      modelCache = "/opt/immich-ml";
+    in {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      autoStart = true;
+      pull = "newer";
+      ports = [ "3003:3003" ];
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      volumes = [ "${modelCache}:/cache" ];
+      networks = [ "immich-net" ];
+    };
+  };
+
+  systemd.services.create-immich-net = rec {
+    serviceConfig.Type = "oneshot";
+    requiredBy = with config.virtualisation.oci-containers; [
+      "${backend}-immich-ml.service"
+    ];
+    before = requiredBy;
+    script = ''
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
+    '';
+  };
+}

hosts/ytnix/default.nix

@@ -10,6 +10,7 @@
     ../common.nix
     ../zsh.nix
     ./tailscale.nix
+    ./containers.nix
   ];
 
   sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@@ -86,10 +87,12 @@
     resolvconf.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [
-        8080 # mitmproxy
-        22000 # syncthing
-      ];
+      trustedInterfaces = [ "tailscale0" ];
+      # allowedTCPPorts = [
+      #   8080 # mitmproxy
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
     };
   };
   programs.nm-applet.enable = true;
@@ -252,7 +255,6 @@
   xdg.mime.defaultApplications = {
     "application/pdf" = "okular.desktop";
     "image/*" = "gwenview.desktop";
-    "*/html" = "chromium-browser.desktop";
   };
 
   virtualisation = {