Immich
Immich is a self-hosted photo and video management platform. It runs in a NixOS container with private networking and user namespace isolation.
Source: server/containers/immich.nix
Network
| Property | Value |
|---|---|
| Private network | Yes |
| Host address | 10.10.10.4 |
| Container address | 10.10.10.5 |
| Port | 2283 |
| Subdomain | photos.nemnix.site |
| Authelia middleware | Yes |
| User namespace | privateUsers = "pick" |
Configuration
The Immich configuration is minimal, relying on NixOS module defaults:
```nix
services.immich = {
  enable = true;
  port = 2283;
  host = config.containers.immich.localAddress; # 10.10.10.5
};
```
The NixOS Immich module handles PostgreSQL, Redis, and machine learning services automatically.
Authentication
Immich uses OIDC authentication via Authelia. The OIDC client is configured in the Authelia service:
```nix
{
  client_id = "immich";
  redirect_uris = [
    "app.immich:///oauth-callback" # Mobile app
    "https://photos.nemnix.site/auth/login"
    "https://photos.nemnix.site/user-settings"
  ];
}
```
The `app.immich:///` URI scheme enables OIDC login from the Immich mobile app.
Traefik Route
```nix
routers.immich = {
  rule = "Host(`photos.nemnix.site`)";
  service = "immich";
  entrypoints = [ "websecure" ];
  middlewares = [ "authelia" ];
};
```
Traffic to photos.nemnix.site is authenticated by Authelia before reaching Immich.
Data Persistence
Immich data is stored in the container's filesystem under /var/lib/immich and /var/lib/postgresql. Because the container root lives under /var/lib/nixos-containers/immich/, and that path is persisted via impermanence, data survives host reboots.
Backups
Immich data is included in the Restic backup set:
```nix
paths = [
  "/persist/var/lib/nixos-containers/immich/var/lib/immich"
  "/persist/var/lib/nixos-containers/immich/var/lib/postgresql"
];
```
Both the photo library and the PostgreSQL database are backed up daily. See Backups & Recovery.
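
The backup paths above are the container's state directories rewritten to their host-side location, so a state directory added inside the container later is silently left out of the backup set. The following is an added example, not part of the original configuration: a pure string check that lists state directories not covered by any backup path. The function names and the `/var/lib/example-extra` directory are hypothetical, and the `/persist` prefix is assumed from the paths shown on this page.

```sh
# Constructed check, not part of the original configuration.
# Assumption: persisted state sits under /persist, as in the backup paths above.
PERSIST_ROOT="/persist"
CONTAINER_ROOT="/var/lib/nixos-containers"

# host_path NAME DIR: host-side location of a container-internal directory
host_path() {
    printf '%s%s/%s%s\n' "$PERSIST_ROOT" "$CONTAINER_ROOT" "$1" "$2"
}

# is_covered PATH BACKUP...: succeeds if PATH equals or lies below a backup path.
# Matching stops at a "/" boundary, so .../immich does not cover .../immich2.
is_covered() {
    target=$1
    shift
    for root in "$@"; do
        root=${root%/}
        case "$target" in
            "$root" | "$root"/*) return 0 ;;
        esac
    done
    return 1
}

# uncovered NAME "DIR DIR ..." BACKUP...: prints host paths missing from the backup set
uncovered() {
    name=$1
    state_dirs=$2
    shift 2
    for dir in $state_dirs; do
        hp=$(host_path "$name" "$dir")
        is_covered "$hp" "$@" || printf '%s\n' "$hp"
    done
}

# Backup paths copied from the Restic set on this page
BACKUP_1="/persist/var/lib/nixos-containers/immich/var/lib/immich"
BACKUP_2="/persist/var/lib/nixos-containers/immich/var/lib/postgresql"

# The last state directory is hypothetical, included to show how a gap is reported
uncovered immich "/var/lib/immich /var/lib/postgresql /var/lib/example-extra" \
    "$BACKUP_1" "$BACKUP_2"
```

An empty result means every listed state directory is inside the backup set; any printed path is a candidate for the Restic `paths` list.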