Immich Images And More

Images are something I like to share and keep close at hand, but I don’t want to keep them on my device indefinitely (storage-wise, at least, that gets hard at some point).

Basic setup details

Having Docker is not something I like, especially when the hosts have access to the internet. So they don’t. This leads to some issues. Not easy to find, maybe you need to check the code. But if installed by default, a Docker volume is used.

You can check this via: docker volume inspect immich_model-cache

Should point to: /var/lib/docker/volumes/immich_model-cache/_data

Internet-less facial-recognition

One of the issues I hit was with facial recognition, as this requires, well, some data model/basis to allow the recognition to work. Fortunately, after reverse engineering some small code details, one can:

ensure git-lfs is installed, run git lfs install inside the _data folder, create a facial-recognition folder, and download your configured module via: git clone https://huggingface.co/immich-app/buffalo_l --depth=1
Note: --depth=1 is used to reduce overhead (we only want the latest model, not the history, while still keeping the ability to update).

Security aka. more Immich fail2ban stuff

I got some insights from a discussion on GitHub.

For the images you need to add logging to your (Immich) Docker Compose file:

services:
  immich-server:
    [...]
    logging:
      driver: "journald"
      options:
        tag: "immich-server"

This allows fail2ban to actually pick up on anything unusual going on inside the container:

# cat /etc/fail2ban/jail.d/immich.conf 
[immich]
enabled  = true
filter   = immich
backend  = systemd
maxretry = 5
bantime  = 60s

And react accordingly:

# cat /etc/fail2ban/filter.d/immich.conf 
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server
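
To sanity-check the filter and the maxretry setting offline, here is an added example (not from the original post, Immich or fail2ban) that applies the failregex to constructed log lines. The simplified pattern standing in for fail2ban's <ADDR> tag, the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# The page's failregex; fail2ban's <ADDR> tag is replaced by a simplified
# capture group (assumption: the real <ADDR> pattern is stricter).
FAILREGEX = re.compile(
    r"immich-server.*Failed login attempt for user.+from ip address\s?"
    r"\[?(?P<addr>[0-9A-Fa-f:.]+)\]?"
)
MAXRETRY = 5  # maxretry from the page's jail.d/immich.conf

# Constructed sample lines, roughly "host tag[pid]: message".
PREFIX = "photos immich-server[812]: "
SAMPLE_LINES = [
    PREFIX + "WARN Failed login attempt for user a@example.org "
    "from ip address 203.0.113.7"
] * 5 + [
    PREFIX + "WARN Failed login attempt for user b@example.org "
    "from ip address 2001:db8::42",
    PREFIX + "LOG Login succeeded for user a@example.org",
    # User field that itself contains the marker text and another address:
    # the greedy ".+" makes the filter use the trailing address.
    PREFIX + "WARN Failed login attempt for user x from ip address 192.0.2.1 "
    "from ip address 198.51.100.9",
]


def extract_addr(line):
    """Return the address the filter attributes a failure to, or None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("addr")))
    except ValueError:
        return None  # captured text is not a valid IPv4/IPv6 address


def addresses_to_ban(lines, maxretry=MAXRETRY):
    """Addresses with at least maxretry matching lines (findtime ignored)."""
    hits = Counter(a for a in map(extract_addr, lines) if a)
    return sorted(a for a, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_addr(line), "<-", line)
    print("ban:", addresses_to_ban(SAMPLE_LINES))
```

On the real host, fail2ban-regex can run the same check against the actual filter file and journal.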

Maybe more coming. Immich so far seems like a very nice project.