Don't Let Apple & Google Harvest Your Photos, Use Immich to Self-Host Your Own Cloud!
Вставка
- Опубліковано 3 лип 2024
- Your photos are precious and personal. Why not protect your privacy by safeguarding them with your own private cloud? Immich is the perfect replacement for iCloud and Google Photos. It has 'close' feature parity, is mobile native, and is really simple to configure.
Let me talk you through it's features and show you how to deploy it, including a walkthrough of the mobile app. We'll use Docker with GPU passthrough to accelerate transcoding in Proxmox.
Docker-Compose: github.com/JamesTurland/JimsG...
Find me on:
Discord: / discord
Twitter: / jimsgarage_
Reddit: / jims-garage
GitHub: github.com/JamesTurland/JimsG...
00:00 - Introduction to Immich
03:06 - Immich Installation Overview
04:30 - Docker Compose Walkthrough
09:44 - GPU Hardware Acceleration
10:40 - Docker Deployment & Portainer Log Review
12:52 - Immich Web GUI Configuration
14:00 - GPU Transcoding
16:30 - Testing GPU Transcoding is Working
18:50 - Mobile Application and Testing
22:36 - Outro - Наука та технологія
Well done, Jim! I will be setting up Immich in an incus container for self hosting.
Awesome 😎
Very cool Jim, thanks a lot! I have now seen almost all of your videos because those are exactly my interests. I hope you keep it up 🙂
Thanks 👍
This was an amazing guide. Thank you so much!
Glad you enjoyed it, thanks 👍
Thanks a lot for these videos. Have been following your channel for quite some time. Respect!
Really appreciate that, thank you
Thanks, so far Im able to follow.
Jim! This is brilliant! I've been wanting to move away from Google Photos for some time now and see about hosting it myself as video takes up so much space so damn fast. Going to see if I can get a bunch of colleagues/friends together to host something like this together and have backups in the system, data but also a backup of people who can manage it. Don't want things to go down when I'm sick or something.
Again, fantastic that you are sharing this and all the rest of the stuff on your channel. :)
Thanks for the kind feedback. I need to update this video as there's no requirement for a web server. Check their docker repository for the latest compose, the rest of the video should still be valid.
Interesting, I definitely will have a look at it.
Thanks, you should. It's pretty awesome!
Thanks for this video. I've just set up Immich based on this, and am in two minds about whether to expose it externally or not. I've got it working on my LAN and via Wireguard VPN, thinking of exposing it via HAProxy but not sure that's a good idea security-wise.
Also doing so would necessitate moving Immich into my DMZ, which then means my photos would be in the DMZ too, and vulnerable to anything else in there that gets compromised. Hmm.
🤔
A split tunnel VPN with WireGuard is likely the best option.
Hi, have been using immich for quite some time now. Original Setup:
Wait until go home for syncup.
This had obvious major drawbacks.
Moved to zerotier as I didn't have public IP available to run wg.
Didn't like the hassles and speed.
Finally, bit the bullet and got a VPS.
Anyways, was doing shared hosting multiple domains.
As you tightly highlighted, security was the most important concern.
Hardened the VPS, added restrictive firewall rules, added crowdsec and relevant collections / scenarios.
Now was the time to add wg and establish tunnel from home & other devices to the VPS.
Note, home server doesn't trust anything in home either. Most services (even librespeed) were already protected by Authelia & 2FA.
Ended up creating reverse proxies from publicly available FQDN VPS to home server via that tunnel. Authelia / crowdsec / sensible iptables rules in place.
Even with two hop WG tunnel (device -> VPS -> home server), it fared way better than ZT.
All of these services are on HTTPS (TLS 1.3) anyways. So, you know the tunneling overhead.
Allowed my home server to get directed requests from VPS WG tunnel. VPS proxies configured to verify from WG tunneled Authelia.
Got another speed boost. Moving from two hop to single hop VPN was such a boon. ZT didn't beat two hop WG, single hop WG did drown ZT by atleast 3.9x at its worst.
Still protected (kind of), from known attacks , MITM, signatures etc by DMZ in the wild + untrusting server at home.
But, this new setup is mostly hassle free. Either home or otherwise, you meet the same servers (split DNS, as James replied elsewhere).
Now, to attempt to answer your original question:
You don't need to expose immich or any other app. They can live in their own userland isolated from each other.
Your DMZ is your DNS. As, you can control it, have it to be the published private IP. Let it be your first line of defence.
I may edit or reply more, later.
Hi Jim, thank you for this very nice and descriptive video. I have tried to follow your tutorial on my new Asustor, but was unsuccessful. I had to modify and combine some scripts and then run it through ChatGPT to get Immich running. The logs of Immich-Microservices and Immich-Server show some errors, so I'm not sure that hardware acceleration and transcoding are working correctly. Can you please suggest how to correct these faults?
Hey Jim thanks for this and all the tutorials you do!
I finally was able to get this up and running. Looks like there are some changes from your install, the immich devs simplified the install but I imagine you already know that.
Few questions:
1. Do you have plans to deploy this on k3s/helm?
2. How would you tackle making the upload folder a truenas nfs share vs local storage on the docker host? (I am new to linux world, old windows admin and tryinig to figure this out as I write this).
3. Did you get this up and running with traefik after the update? (I know you have been super busy with other content!)
Hey, thanks for the feedback. I am aware of the changes, and the need to re-record. I'm hoping that the simpler installation helps many people.
I might do the next video on deployment in Kubernetes with Traefik.
@@Jims-Garage that would be sweet looking forward to seeing/deploying it
@@Jims-GarageWas also going to ask that this be re uploaded, the changes they made with your guide kind of make it a mixed bag for someone new to linux like myself and trying to follow along. lastly when you said the 500 error would be resolved by removing some variables please demonstrate that being done, dont just say it and move on. I hope this does not come off as rude or a demand it is only a request.
@@jonathandoe7490 I'll put it on the list to cover again.
Hi Jim, thanks a lot for this video. Just one more question; How do I backup photos of Immich? Can I just try backup upload folder? Or photos are into db?
You're welcome 😁 checkout my restic and rClone videos, that's how I do it.
Hi, thanks for the guide, I have two questions for you, I am currently using Photoprism, the performance is comparable with this, do you have any idea what it is like? I have the photos in a directory, separated by subdirectories where I have them organized, is Immich able to read them?
No experience with photo prism but chose immich as it doesn't have weird paywalls. You can easily mount directories.
can't get over " 500 ECONNREFUSED " error, even after removing the env variable
What are the possibilities for places to store your backup photo files? NAS? - USB external drive? other computer on your LAN? i have been looking at many intro (maybe intro) videos and no one seems to answer this question. Thanks for your help.
It's docker, you can choose any of those storage options if you want. A NAS or locally makes the most sense. Simply change the left hand side of the : in the volumes section. It'll be stored there.
Great video! How does Immich compare to Photoprism? Commented, liked and subscribed 👏😄
I've no first hand experience, but I've heard it's more open source without a pay wall
Hi Jim, thanks for all the great tutorials!! I'm having trouble creating the API key, I keep getting an error {"message": "Forbidden - a valid `x-typesense-api-key` header must be sent."} when I run the curl script in their documentation through the shell. Can you help with this part of it, please?
I'll try to look this evening, you can go ahead and use it without.
@@Jims-Garage oh, every time I try without it, it says I need it. Thank you
Here's the error I get in the server container....
RequestUnauthorized: Request failed with HTTP code 401 | Server said: Forbidden - a valid `x-typesense-api-key` header must be sent.
at RequestUnauthorized.TypesenseError [as constructor] (/usr/src/app/node_modules/typesense/lib/Typesense/Errors/TypesenseError.js:23:28)
at new RequestUnauthorized (/usr/src/app/node_modules/typesense/lib/Typesense/Errors/RequestUnauthorized.js:25:42)
at ApiCall.customErrorForResponse (/usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:364:21)
at /usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:220:98
at step (/usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:33:23)
at Object.next (/usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:14:53)
at step (/usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:18:139)
at Object.next (/usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:14:53)
at fulfilled (/usr/src/app/node_modules/typesense/lib/Typesense/ApiCall.js:5:58)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
httpStatus: 401
}
Node.js v20.8.0
Thanks for the video... any idea as to whether it support SSO?
I don't believe so. You'd have to use something like Authelia or Authentik as a web proxy.
Okay, let me try out Authentik - thanks again! @@Jims-Garage
do you use this along side your nextcloud setup ?
Yes, I prefer this to Nextcloud for storing photos. You could technically combine the two ...
How does this compare to Open Media Vault and Photoprism?
I have no direct experience of Photoprism but what I hear is that it's fully opensource and more feature rich for base users (no paywall).
Is there any similar tool which can group photos by face also?
Perhaps photopsrim but I'm not sure
Does Apple M1/M2 supported for HW trascoding?
Good question, I'm not sure.
Is there a way to limit it's RAM usage? Approx 1 minute after start, it consumes 100% of RAM and VM just dies.
Yes, you can by adding the following to the compose file:
deploy:
resources:
limits:
cpus: '0.001'
memory: 50M
Hello. Thanks for the video. I have Immich installed but I can't figure out how to import a whole folder into Immich. My folder contains many other folders and is about 5TB in size. I have to manually go into each folder, select all the files, and drag and drop them into Immich. Is there a way to import everything all at once? Also, is there a way to index it or create a trigger where new items get imported automatically? Thank you!
You should be able to set the bind mount to your existing store. That's the left side of : in the mounts section
Oh I see it now. Thanks@@Jims-Garage
@@volodyashulga2614 Would it be possible to create a video to demo bulk importing?
Can i get working source code ?
Can I access this online from another location if I self host it"?
Absolutely, check out my videos on Traefik, or I recommend WireGuard or headscale to put it behind a VPN.
Just curious as to why everyone assumes you have to use a reverse proxy? Is there some security benefit?
You don't have to, but yes there is an obvious security benefit due to SSL certs. This is basically mandatory for exposing (unless you use a VPN).
@@Jims-Garage Currently that is route I am going, VPN (ovpn or wiregaurd, still deciding), and setup my photo and storage just internally for the lan. It seems more secure than going the reverse proxy php, domain, dns, ssl cert route. Less points of failure for me.
Is geo location preserved in videos à as well?
Good question. I believe it is but depends on the device that records it.
@@Jims-Garage thanks for the answer. The only reason I asked is because I tried nextcloud photos on my server and by default it preserves photos location, but for videos it doesn't and not sure if it can be done. Hopefully Immich will be a good self hosted Google photos replacement
@@LifeWithSeb99 it's certainly more fully featured than nextcloud
Why build out on Docker when Podman is the more secure replacement? It doesn't make sense to do a new deployment of an EoL system.
You raise a valid point, it's something I will address in an upcoming video and ultimately resolve when I move onto kubernetes.
Their website doesn't have a tutorial for podman
@@phizlip it's practically the exact same syntax as Docker :/
I've been using containerd in k3s for a couple of years now (with a few containers in separate VMs running docker and podman for experimentation).
@@phizlipThat's a valid point that illustrates the frustrating state of Podman migration. People have a tendency to treat security as an afterthought.
@@Jims-Garagei might run this in a vm.
How do you add the existing photo folders to Immich?
You can do this by using your volume bind mounts. Put the files in the folder that is mounted, or change the mounted volume to the one you are already using. Worth testing first with some dummy images.
@@Jims-Garage Thanks for replying! My problem was that I didn't know I have to set for a root path of stored images that affects the setting of users. As you have to use that as a reference for each relative library paths. I wrongly added the docker side absolute paths only to each user without knowing that it needed a root defined first somewhere else.
@@Jims-Garage Oh, yes, and of course for safety, I mounted these folders as read-only (:ro) in the volumes section.
Hey can anyone tell me online or on yt what my options are for the hardware to run this? I have no clue what my best low power or best low cost barebones home server would be. Also I don’t know if I would only be able to run my photos on the same router or how to access them outside the home with an IP that changes. I can’t wait to set this up, just need the hardware end taken care of. Thx!
What hardware do you have? It doesn't need anything powerful, an iGPU would be useful. I'd run it on docker, even bare metal. Use dynamic DNS if you have an IP that changes like I do. Also recommend a reverse proxy, SSL and a Cloudflare proxy.
@@Jims-Garage well I have an old iPad, I could use an old MacBook Pro 10.3 I think. Here’s maybe my best option: I’m about to host a joomla website for my biz and I’ll have a hosting company. Couldn’t I host Immich on that, and if so, are there any tips/things I should look out for in a runof the mill hosting server company? Do you guys rep a server hosting company? Thx
@@Jims-Garage I also had one other question: I need to have simple share files/photos ala Google photos create a link or group share, does Immich do that? I have things, not a lot, but some files I share with clients and that would make my life easier if I could do that via my job La website or Immich.
Hi, I have a question regarding the hardware acceleration. Let's say I want to run Immich and Jellyfin with docker in an Intel NUC, is it possible to have Immich and Jellyfin both have hardware acceleration?
Thanks.
It certainly is, just pass the device in the compose file exactly the same way.
how would i access my photos when not on the same home network as the server?
You can either expose it to the internet (which I don't recommend), or access it via a VPN (you can configure this to only route traffic to your home network - I have a few VPN videos so choose one that suits). Happy to help
@@Jims-Garage whats the issue of exposing it to the internet if the public ip wont be indexed by search engines or others? Also, would a VPN solution work on both ios and android? Can I have the vpn connection only specific to the immich app on mobile?
@@Jims-Garage Would you recommend I watch your wireguard video or watch the headscale video for a personal vpn?
@@phizlip if you can port forward I recommend WireGuard (using wg-easy)
@@Jims-Garage thanks so much! The rest of my components for my first server are coming on Wednesday, so I'll be sure to set up wireguard for it instead of reverse proxy with something likr nginx
I'm already lost at Step 1 (installing Immich). On what kind of machine would you recommend installing Immich? My personal PC? My Raspberry PI? My home server? My fileserver? My VPS?
The video is describing how to install on Docker using docker compose. This is my recommendation. I have a whole series on how to do this setup (check earlier videos)
@@Jims-GarageCould you recc some videos? I have an old PC laying around and a full Google photos storage so I'd like my first venturing into server stuff to be photo storage
On your refrigirator.