I recently setup a immich server on a mini PC, and can access it through cloudflare etc.
It works pretty smoothly except for files bigger than 100mb (cloudflare limitation)
I have a few questions, if you can answer some please do.
- What’s your setup like? Do you have any tips/tricks for a newbie I should know about?
- What’s your backups like? Is your data safe if your house burns down?
- Is there a cloudflare alternative I can use that will handle any file size from anywhere in the world without needing to tun on/off a vpn like tailscale?
(i would like to also set it up for my family, but for that is needs to work VERY smoothly, no needing to turn on and off VPN’s to sync)
You don’t say what you’re using Cloudflare for, so suggesting an alternative is a bit tough.
Assuming that you’re using a CF tunnel to get through CGNAT, tailscale would be one alternative (no need to turn it off/on, though). The other alternative would be renting a cheap VPS and tunneling through that instead.
On the other hand, if you’re primarily using CF as a reverse proxy, you can run any number of them on your own server instead, like Nginx, Zoraxy, etc.
On the other other hand, if you’re using their WAF, that can also be run locally. Crowdsec offers a WAF component in addition to their usual protections, for example.
On the other other other hand… There are alternatives to most, if not all, of their other services, too.
Currently I’m just using CF as a tunnel so that I can reach my server through eg. immich.mydomain.com anywhere in the world. The issue I’m running into is Large files fail (they have file size limits)
If you’re using it as a GCNAT tunnel and you don’t want to use tailscale, then your best bet will likely be either a VPS or asking your ISP for a public IP address. Some ISPs will just say no, but others might provide one for an additional fee.
You can also look into your IPV6 situation. You might actually already have a public IPv6 address you can use.
VM is backed up daily to PBS then synced to an external and off-site.
All the photos are on the NAS and backed up to an external and off-site.
Check my wiki where I tried to detail all the steps
https://wiki.gardiol.org/doku.php?id=services%3Aimmich
I have a 3,2,1 backup strategy with restic+backrest. One full backup local on an external disk. Second backup in the house on a disk mounted to an OpenWRT router in the garden, third backup remote on my vps. Backup is daily at night.
My external access is via a static public IP on a VPS I rent using a double layer of NGINX reverse proxy. Vps is connected to home via wireguard, so nobody has to complain that they require a wireguard VPN on their phones… WAF is critical here.
Docker host running immich amongst other containers. Backups are done nightly to a nas device on location, the immich container has a volume mount to an external SSD.
Fire: nah, won’t survive it. Planning to fix this in the next few weeks, setting up a Nas on a remote location.
Just for support purchased the ‘“license”’, entire household moved from Google photos to immich. All using wireguard with the ‘include these applications’ option. Gave them access to jellyfin and satellite receiver too, so they are very happy to keep it up and running. No complaints, immich works great.
I am not OP but I actually have similar questions on backup because I didn’t have access to my Immich server for a few months and got really behind on keeping it updated. I want to make backups before I do a manual update, but I don’t know if following the directions on Immich’s Backup and Restore page is good enough or if I should handle it another way manually.
As I understand and have been using it, you don’t need to turn off the tailscale connection. It’s only going to affect how any individual IP address gets routed. In this case, whatever the IP is of Immich. If a phone connected to your tailscale node (phone is anywhere in the world) wants 192.168.1.50 for example, tailscale redirects that request to the other end of the tailscale VPN which happens to be at your home instead of whatever network the phone is connected to. Any non defined IPs just go where they normally would.
- VM running on a proxmox host. Tips: make sure you know your backups are in a state you can restore data from them.
- Nightly backup via proxmox to Hetzner Storage box with 2 day retention. I’d like a local copy too but I don’t currently have hardware for it.
- Don’t know. Personally I have a DNAT rule on firewall and my instance is directly open to the internet. You might not want that and I might not recommend it, but right now, for me, it works. I’d need to look in a VPN solution for android I could replace the current ‘open for all’ situation.
For backups, I have two drives that are striped and do nightly backups to idrive. I was able to find a containerized version of the console app and I have it run on a schedule from 3-7am.
I use NPM to redirect a domain name to the server with https.
I use the ImageGenius container. I mount config, library and photo store to my NAS which duplicates to another NAS and pushes a copy to C2.
To access away from home I use tailscale.
- I’m running these services on an OVH server in a data centre. It’s costly but I need it for my consultancy anyway and it’s an absolute beast. immich runs in a container, along side wireguard and traefik containers. borgmatic (for backups) runs on the host.
- I have 4 backup repos. One on disk alongside production data. One in OVH storage. One on my homeserver. One unencrypted on a removable disk in my fireproof safe. If OVH facility and my home both suspiciously burn down I will still have the data.
- Are you talking about cloudflare tunnels? I’m using wireguard. Wireguard itself is easy enough to configure. Then attach the immich docker container to the wireguard container’s network stack. Traefik is a bit of a bitch though, happy to explain more if you’re interested.
