readytouse

This commit is contained in:
Rypeur33 2026-06-05 14:53:29 +02:00
parent 91063c1a0c
commit 9281354f2e
16 changed files with 690 additions and 0 deletions


@ -0,0 +1,20 @@
# Rôle Nginx Immich
Ce rôle configure Nginx comme reverse proxy HTTPS pour Immich.
Variables obligatoires :
```yaml
immich_domain: "immich.esfs.fr"
immich_host_http_port: "32283"
letsencrypt_email: "admin@esfs.fr"
```
Variable optionnelle :
```yaml
immich_nginx_client_max_body_size: "10G"
immich_nginx_site_filename: "immich.esfs.fr.conf"
```
Le rôle obtient automatiquement un certificat Let's Encrypt avec `certbot --nginx`.


@ -0,0 +1,7 @@
---
# Nom du fichier dans /etc/nginx/sites-available et sites-enabled.
# Par défaut : "{{ immich_domain }}.conf"
# immich_nginx_site_filename: "{{ immich_domain }}.conf"
# Uploads photos/vidéos : taille élevée par défaut.
immich_nginx_client_max_body_size: "10G"


@ -0,0 +1,10 @@
---
- name: reload nginx
ansible.builtin.command: nginx -t
changed_when: true
notify: do reload nginx
- name: do reload nginx
ansible.builtin.service:
name: nginx
state: reloaded


@ -0,0 +1,63 @@
---
- name: Vérifier les variables obligatoires du rôle Nginx Immich
ansible.builtin.assert:
that:
- immich_domain is defined
- immich_domain | length > 0
- immich_host_http_port is defined
- immich_host_http_port | string | length > 0
- letsencrypt_email is defined
- letsencrypt_email | length > 0
fail_msg: >-
Variables obligatoires manquantes pour le rôle nginx :
immich_domain, immich_host_http_port, letsencrypt_email.
- name: Définir le nom du fichier de site Nginx Immich
ansible.builtin.set_fact:
immich_nginx_site_filename_resolved: "{{ immich_nginx_site_filename | default(immich_domain ~ '.conf') }}"
- name: Supprimer le site Nginx par défaut si présent
ansible.builtin.file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: reload nginx
- name: Déployer la configuration HTTP temporaire Immich
ansible.builtin.template:
src: immich.http-only.conf.j2
dest: "/etc/nginx/sites-available/{{ immich_nginx_site_filename_resolved }}"
owner: root
group: root
mode: "0644"
notify: reload nginx
- name: Activer le site Nginx Immich
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ immich_nginx_site_filename_resolved }}"
dest: "/etc/nginx/sites-enabled/{{ immich_nginx_site_filename_resolved }}"
state: link
force: true
notify: reload nginx
- name: Appliquer la configuration HTTP temporaire
ansible.builtin.meta: flush_handlers
- name: Obtenir le certificat Let's Encrypt pour Immich
ansible.builtin.command: >-
certbot certonly --non-interactive --agree-tos
--email {{ letsencrypt_email }}
--nginx -d {{ immich_domain }}
args:
creates: "/etc/letsencrypt/live/{{ immich_domain }}/fullchain.pem"
- name: Déployer la configuration HTTPS finale Immich
ansible.builtin.template:
src: immich.https.conf.j2
dest: "/etc/nginx/sites-available/{{ immich_nginx_site_filename_resolved }}"
owner: root
group: root
mode: "0644"
notify: reload nginx
- name: Appliquer la configuration HTTPS finale
ansible.builtin.meta: flush_handlers
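Review bot: The certbot task (`ansible.builtin.command` under "Obtenir le certificat Let's Encrypt pour Immich") splices `letsencrypt_email` and `immich_domain` into the argv with only a non-empty check, so the assert at the top of the file should also pin their shape, e.g. `- immich_domain is match('^[A-Za-z0-9.-]+$')`, because `command` splits on whitespace and a stray value would silently become extra certbot arguments. The `creates:` guard also means that once a certificate exists nothing re-runs certbot if the domain or e-mail later changes, which deserves a comment on the task. Separately, with `certonly` the renewal timer shipped by the certbot package obtains a fresh certificate but, as far as I can tell, does not reload nginx afterwards; adding `--deploy-hook 'systemctl reload nginx'` to the command (certbot records it in the renewal config) would close that gap — please confirm against the certbot version in use.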


@ -0,0 +1,15 @@
---
- name: Installer Nginx et Certbot
ansible.builtin.apt:
update_cache: true
name:
- nginx
- certbot
- python3-certbot-nginx
state: present
- name: Activer et démarrer Nginx
ansible.builtin.service:
name: nginx
state: started
enabled: true
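Review bot: `update_cache: true` on the apt task has no `cache_valid_time`, so every run of the role refreshes the package index (and is reported as changed on some Ansible versions); `cache_valid_time: 3600` keeps the install step idempotent in practice. Otherwise the package list matches what config.yml relies on (`python3-certbot-nginx` for the `--nginx` authenticator).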


@ -0,0 +1,14 @@
---
- name: Installer / mettre à jour Nginx et Certbot
ansible.builtin.include_tasks:
file: install.yml
apply:
tags: [nginx_update, nginx_config]
tags: [nginx_update, nginx_config]
- name: Configurer Nginx pour Immich
ansible.builtin.include_tasks:
file: config.yml
apply:
tags: [nginx_config]
tags: [nginx_config]


@ -0,0 +1,25 @@
# Configuration HTTP temporaire pour obtenir le certificat Let's Encrypt
server {
listen 80;
server_name {{ immich_domain }};
client_max_body_size {{ immich_nginx_client_max_body_size | default('10G') }};
location / {
proxy_pass http://127.0.0.1:{{ immich_host_http_port }};
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_request_buffering off;
proxy_buffering off;
}
}
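Review bot: The bootstrap vhost proxies Immich in cleartext on port 80 (the `location /` block), so the application is reachable unencrypted from the moment this file is enabled until the HTTPS config replaces it — and indefinitely if the certbot task fails and the play stops there. Since config.yml uses the certbot nginx authenticator, which as far as I can tell injects its own `/.well-known/acme-challenge/` location into the `server_name`-matching block for the duration of the challenge, the proxy block is not needed for issuance; `location / { return 404; }` (keeping `listen` and `server_name`) would do, and the `client_max_body_size` line can go with it. Please verify that on the certbot version in use before trimming.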


@ -0,0 +1,41 @@
# HTTP -> HTTPS
server {
listen 80;
server_name {{ immich_domain }};
return 301 https://$host$request_uri;
}
# Immich HTTPS reverse proxy
server {
listen 443 ssl http2;
server_name {{ immich_domain }};
client_max_body_size {{ immich_nginx_client_max_body_size | default('10G') }};
ssl_certificate /etc/letsencrypt/live/{{ immich_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ immich_domain }}/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
location / {
proxy_pass http://127.0.0.1:{{ immich_host_http_port }};
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_request_buffering off;
proxy_buffering off;
}
}
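Review bot: The HTTPS server block sets no `Strict-Transport-Security` header, so a client that follows the port-80 redirect is never told to stay on HTTPS; `add_header Strict-Transport-Security "max-age=63072000" always;` next to the `ssl_*` lines addresses that. `proxy_set_header Connection "upgrade";` is also unconditional, which advertises every proxied request as an upgrade and can confuse backends; the usual pattern is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in http context (outside this file) plus `proxy_set_header Connection $connection_upgrade;`, and the same applies to the http-only template. Finally, `listen 443 ssl http2;` is the pre-1.25.1 form; newer nginx logs a deprecation warning and expects a separate `http2 on;` directive, so which to use depends on the distro's nginx version.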