cmonroe/proxmox-immich
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
proxmox-immich/setup_immich.sh
root 5b3c70666a works with authelia
2025-12-25 00:34:26 -08:00

110 lines
4.5 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
set -e
# --- Configuration ---
MAIN_ADMIN_EMAIL="camonroe@poppyglen.cc"
PHOTO_ROOT="/mnt/photos"
BASE="http://localhost:2283/api"
# --- Helper: Hard Delete ---
hard_delete_user() {
sudo -u postgres psql -d immich -c "DELETE FROM \"user\" WHERE email = '$1';" >/dev/null 2>&1
}
echo "🔐 Loading secrets..."
[ -f "/root/secrets/immich.env" ] && { set -a; source "/root/secrets/immich.env"; set +a; }
[ -f "/root/secrets/authelia.env" ] && { set -a; source "/root/secrets/authelia.env"; set +a; }
# --- 1. Login ---
echo "🔑 Logging in..."
TOKEN=$(curl -fsS -X POST "$BASE/auth/login" \
-H "Content-Type: application/json" \
-d "$(jq -n --arg e "$IMMICH_INIT_ADMIN_EMAIL" --arg p "$IMMICH_INIT_ADMIN_PASSWORD" '{email: $e, password: $p}')" \
| jq -r '.accessToken')
# --- 2. Configure System (Hybrid Mode) ---
echo "⚙️ Enabling OAuth Hybrid Mode..."
CURRENT_CONFIG=$(curl -fsS -H "Authorization: Bearer $TOKEN" "$BASE/system-config")
UPDATED_CONFIG=$(echo "$CURRENT_CONFIG" | jq \
--arg host "${MAIL_SMTPHOST}" \
--arg port "${SMTP_PORT:-587}" \
--arg user "${MAIL_ADMIN_EMAIL:-}" \
--arg pass "${MAIL_ADMIN_PASSWORD:-}" \
--arg from "${MAIL_SENDER_EMAIL:-notify@poppyglen.cc}" \
--arg issuer "$OAUTH_ISSUER_URL" \
--arg secret "$IMMICH_CLIENT_SECRET" \
--argjson secure false \
'
# 1. SMTP
.notifications.smtp.enabled = true |
.notifications.smtp.from = $from |
.notifications.smtp.transport.host = $host |
.notifications.smtp.transport.port = ($port | tonumber) |
.notifications.smtp.transport.username = $user |
.notifications.smtp.transport.password = $pass |
.notifications.smtp.transport.secure = $secure |
# 2. OAuth Configuration
.oauth.enabled = true |
.oauth.issuerUrl = $issuer |
.oauth.clientId = "immich" |
.oauth.clientSecret = $secret |
.oauth.scope = "openid profile email groups" |
.oauth.buttonText = "Login with Authelia" |
.oauth.autoRegister = false |
.oauth.autoLaunch = false |
.oauth.storageLabelClaim = "preferred_username" |
# 3. Password Login (Fallback)
.passwordLogin.enabled = true
')
curl -fsS -X PUT "$BASE/system-config" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "$UPDATED_CONFIG" > /dev/null
echo " ✅ OAuth Enabled (Hybrid Mode)."
# --- 3. Provision Users ---
# (Using the same logic as the last successful run)
if [ -n "${USERS_JSON:-}" ]; then
echo "👥 Processing Users..."
echo "$USERS_JSON" | jq -c '.[]' | while read -r u; do
u_email=$(echo "$u" | jq -r '.email')
u_pass=$(echo "$u" | jq -r '.password')
u_name=$(echo "$u" | jq -r '.name')
short_name="${u_email%%@*}"
echo "➡️ Processing: $short_name"
if [ "$u_email" != "${IMMICH_INIT_ADMIN_EMAIL}" ]; then
hard_delete_user "$u_email"
CREATE_PAYLOAD=$(jq -n --arg e "$u_email" --arg p "$u_pass" --arg n "$u_name" '{email: $e, password: $p, name: $n, shouldChangePassword: false}')
USER_DATA=$(curl -s -X POST "$BASE/admin/users" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$CREATE_PAYLOAD")
USER_ID=$(echo "$USER_DATA" | jq -r '.id // empty')
if [ -n "$USER_ID" ] && [ "$USER_ID" != "null" ]; then
IS_ADMIN="false"
[ "$u_email" == "$MAIN_ADMIN_EMAIL" ] && IS_ADMIN="true"
# Update without oauthId to keep local passwords alive
UPDATE_PAYLOAD=$(jq -n --arg e "$u_email" --arg n "$u_name" --arg sl "$short_name" --argjson admin "$IS_ADMIN" \
'{email: $e, name: $n, storageLabel: $sl, isAdmin: $admin, shouldChangePassword: false}')
curl -s -o /dev/null -X PUT "$BASE/admin/users/$USER_ID" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$UPDATE_PAYLOAD"
# Library Mapping
lib_path="$PHOTO_ROOT/$short_name"
if [ -d "$lib_path" ]; then
LIB_ID=$(curl -fsS -X POST "$BASE/libraries" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d "{\"name\":\"External-$short_name\",\"ownerId\":\"$USER_ID\",\"importPaths\":[\"$lib_path\"]}" | jq -r '.id // empty')
[ -n "$LIB_ID" ] && curl -s -X POST "$BASE/libraries/$LIB_ID/scan" -H "Authorization: Bearer $TOKEN" -d "{}" > /dev/null
fi
fi
fi
done
fi
echo "🚀 Hybrid Mode Active. Test the Authelia button now!"
Reference in New Issue View Git Blame Copy Permalink