Comment on Using Immich in combination with NAS permissions

PeriodicallyPedantic@lemmy.ca 1 day ago

Yes, except for the NAS user ownership of those files.

I think there might be a way to do the file ownership too, which I’ll get to at the end, but I don’t think it’s necessary. For now, here is my setup:

First off, you need to be using Storage Templates.
Second, you need to have either a fresh install, or users need to be set up with storage labels that aren’t their intended final storage labels.

In Docker, you’ll need to set up an external NFS volume for every user. I use Portainer to manage my Docker stacks, and it’s pretty easy to set up. I’m not sure how to do it with raw Docker, but I don’t think it’s complicated.

In your Docker Compose files, include something like this:

services:
  immich-server:
    # ...
    volumes:
      - ${UPLOAD_LOCATION}:/data
      - /etc/localtime:/etc/localtime:ro
      - type: volume
        source: user1-share
        target: /data/library/user1-storage-label
        volume:
          subpath: path/to/photos/in/user1/share
      - type: volume
        source: user2-share
        target: /data/library/user2-storage-label
        volume:
          subpath: path/to/photos/in/user2/share
      # and so on for every user
  # ...

volumes:
  model-cache:
  user1-share:
    external: true
  user2-share:
    external: true
  # and so on for every user

There are 2 things about this setup:

  1. It does not scale automatically. This is fine as long as you don’t intend to be adding/removing users often.
  2. It is only saving the photos and videos. All thumbnails and transcoded videos, etc., get saved to ${UPLOAD_LOCATION}. For me this is fine, I don’t want to pollute my NAS with a bunch of transient data, but if you want that info then for every user, in addition to the target: /data/library/user1 target you’ll also need a target: /data/thumbs/user1, target: /data/encoded-video/user1, etc.

Finally, redeploy, and add your users (making sure that the user’s storage labels match the target directories) or change your user storage labels (to match the target directories, and run the migration job). The storage label must not have existed before you deployed, otherwise it’ll get masked by the mount and you won’t see the existing data.

You may also want to add similar volumes for external libraries (I gave every user an external “archive” library for their old photos) like this:

      - type: volume
        source: user1-share
        target: /archive/user1-storage-label
        volume:
          subpath: path/to/photo/archive

and once Immich allows sharing external libraries (or turning external libraries into sharable albums) I’ll also include a volume for a shared archive.

To address the file ownership:
I honestly don’t think it’s important; as long as your user has full access to the files, it’s fine. But if you insist, then you have a separate share for every user and set up the NFS server for that share to squash all to that share’s user. It’s a little less secure, but you’ll only be allowing requests from that single IP, and there will only be a request from a single user from that server anyways.
Synology unfortunately doesn’t support this, they only allow squashing to admin or guest (or disable squashing).

source
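
Added example, not part of the original comment: a sketch of the per-user squashed export and the matching external volume created with plain Docker instead of Portainer. It assumes a Linux NFS server configured through /etc/exports; the IP addresses, export paths, uids and function names are constructed placeholders. The script only prints the lines to review and runs nothing against Docker or the NAS.

```shell
#!/bin/sh
# Added example. IPs, paths, uids and function names are constructed placeholders.
# Assumes a Linux NFS server configured through /etc/exports.

DOCKER_HOST_IP="192.0.2.10"   # constructed: the only client allowed to mount
NAS_IP="192.0.2.20"           # constructed: the NFS server address

# True only for a non-zero decimal id, so a share is never squashed to root.
is_nonroot_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# Print the /etc/exports line for one user's share: a single allowed client,
# with all_squash mapping every request to the share owner's uid/gid.
export_line() {
  is_nonroot_id "$2" && is_nonroot_id "$3" || return 1
  printf '%s %s(rw,sync,no_subtree_check,all_squash,anonuid=%s,anongid=%s)\n' \
    "$1" "$DOCKER_HOST_IP" "$2" "$3"
}

# Print the command that creates the matching external volume on the Docker host.
volume_cmd() {
  printf 'docker volume create --driver local --opt type=nfs --opt o=addr=%s,rw --opt device=:%s %s\n' \
    "$NAS_IP" "$2" "$1"
}

# Constructed user table: volume-name:export-path:uid:gid
USERS="user1-share:/srv/nfs/user1:1001:1001
user2-share:/srv/nfs/user2:1002:1002"

# Emit both lines for every user; stop on the first invalid row.
render() {
  printf '%s\n' "$USERS" | while IFS=: read -r name path uid gid; do
    export_line "$path" "$uid" "$gid" || exit 1
    volume_cmd "$name" "$path"
  done
}

render
```

The volume names match the `external: true` entries in the compose file above, so the printed `docker volume create` commands have to be run before the stack is deployed.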