Running Immich on CIFS
Some weeks ago I discovered Immich and was immediately hooked and started feeding the family photo collection into it.
Immich on CIFS
It’s running on a VM at Hetzner, and I immediately filled up the disk with too much data. Looking around, I discovered that Hetzner offers “storage boxes” at a fraction of the cost of a VM with the same disk space, so I launched a 1 TB instance there.
The Immich instance is rooted at /cb/immich/library/. In that directory, Immich confusingly creates another “library” directory, which holds the actual pictures, plus some more subdirectories.
There is now a cifs mount inside the outer library dir:
//u000000-sub1.your-storagebox.de/u000000-sub1 on /cb/immich/library/cifs type cifs
And a bunch of symlinks redirect some of the Immich directories to the remote server:
$ ls -l /cb/immich/library/
insgesamt 12
drwxr-xr-x 2 root root 4096 25. Mär 02:00 backups/
drwxr-xr-x 2 root root 0 2. Apr 18:18 cifs/
lrwxrwxrwx 1 root root 18 24. Mär 19:28 encoded-video -> cifs/encoded-video/
lrwxrwxrwx 1 root root 12 24. Mär 19:28 library -> cifs/library/
drwxr-xr-x 3 root root 4096 23. Mär 13:05 profile/
lrwxrwxrwx 1 root root 11 2. Apr 20:37 thumbs -> cifs/thumbs/
drwxr-xr-x 4 root root 4096 25. Mär 21:54 upload/
Initially I had planned to keep the “thumbs” directory on the local disk for performance, but it outgrew the local disk pretty fast as well. (Perhaps I should move the remaining two over as well…)
It’s not the fastest setup, but it works and the storage space costs are very much ok.
Immich on PostgreSQL
I already have a PostgreSQL instance running, so I didn’t want Immich to create another one. The official documentation mentions this is possible, but doesn’t spell out the instructions. Here’s what I did:
- In docker-compose.yml, removed the entire database: section.
- In .env, use these database settings:
  DB_PASSWORD=xxxxxxxxxxxx
  DB_URL='postgresql://immich:xxxxxxxxxxxx@172.17.0.1/immich'
  DB_DATABASE_NAME=immich
  (Possibly DB_URL is enough, but the other two don’t hurt.)
- One complication was that the PostgreSQL running outside of Docker needs to be reachable by Immich inside Docker, so I told it to use the Docker network address 172.17.0.1. PostgreSQL was already set to listen_addresses='*', and I just had to add a ufw firewall rule:
  sudo ufw allow proto tcp from 172.17.0.0/16 to 0.0.0.0/0 port 5432
  And a pg_hba.conf entry:
  host all all 172.18.0.0/16 scram-sha-256
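To see which client addresses the ufw rule and the pg_hba.conf entry above each cover, this added example (not part of the original post) checks a source address against the rule's source network and against pg_hba.conf entries with first-match semantics. The client addresses and the narrower `host immich immich` entry are constructed for illustration.

```python
import ipaddress

# Source network of the ufw rule shown above.
UFW_ALLOW_FROM = ipaddress.ip_network("172.17.0.0/16")
# pg_hba.conf entry shown above.
PAGE_HBA = "host all all 172.18.0.0/16 scram-sha-256"
# Constructed narrower variant: only role "immich" on database "immich".
NARROW_HBA = "host immich immich 172.18.0.0/16 scram-sha-256"


def parse_hba(text):
    """Parse 'host' lines into (databases, users, network, method) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "host":
            _, db, user, cidr, method = fields
            entries.append((db.split(","), user.split(","),
                            ipaddress.ip_network(cidr), method))
    return entries


def hba_method(entries, database, user, client_ip):
    """Auth method of the first matching entry (PostgreSQL uses the first
    match), or None if no entry matches and the connection is rejected.
    Only 'all' and literal names are handled, not sameuser, +role or @file."""
    addr = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in entries:
        if (("all" in dbs or database in dbs)
                and ("all" in users or user in users) and addr in net):
            return method
    return None


def check(entries, database, user, client_ip):
    """Return (admitted by the ufw rule, pg_hba method or None)."""
    fw_ok = ipaddress.ip_address(client_ip) in UFW_ALLOW_FROM
    return fw_ok, hba_method(entries, database, user, client_ip)


if __name__ == "__main__":
    page, narrow = parse_hba(PAGE_HBA), parse_hba(NARROW_HBA)
    # Constructed client addresses, one in each of the two /16 networks.
    for ip in ("172.17.0.2", "172.18.0.3"):
        print(ip, check(page, "immich", "immich", ip))
    # 'all all' matches every role and database from that subnet.
    print(hba_method(page, "postgres", "postgres", "172.18.0.3"))
    print(hba_method(narrow, "postgres", "postgres", "172.18.0.3"))
```

A connection has to be admitted by the firewall and also match a pg_hba.conf entry; other ufw rules on the host are not modelled here.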
Setting up a Minecraft server with mods on a remote Linux box
Information on this is sparse, so here are a few notes in case I need this again:
To use mods on a Minecraft server, a patched server with a mod loader is required. There are about 4 different ones, but CurseForge seems to be the most popular one.
Go to https://files.minecraftforge.net/ (redirects to https://files.minecraftforge.net/net/minecraftforge/forge/) and download the installer for the desired Minecraft version.
Copy that to the server and run
java -jar forge-1.21.10-60.1.0-installer.jar --installServer .
This creates the directory structure for a Minecraft server. Start it:
./run.sh
On the first run, it will refuse to run. Edit eula.txt and accept the license:
eula=true
If any mods are desired, copy the .jar files into the mods/ folder.
Start it again and configure the whitelist:
screen ./run.sh
[19:36:07] [main/INFO] [cp.mo.mo.Launcher/MODLAUNCHER]: ModLauncher running: args [--launchTarget, forge_server]
[19:36:07] [main/INFO] [cp.mo.mo.Launcher/MODLAUNCHER]: JVM identified as Debian OpenJDK 64-Bit Server VM 25.0.1+8-Debian-1deb13u1
[19:36:07] [main/INFO] [cp.mo.mo.Launcher/MODLAUNCHER]: ModLauncher 10.2.4 starting: java version 25.0.1 by Debian; OS Linux arch aarch64 version 6.12.48+deb13-arm64
...
> whitelist on
> whitelist add swordfish
> op swordfish
[19:37:55] [Server thread/INFO] [minecraft/MinecraftServer]: Made swordfish a server operator
Update: To use “Fabric” instead of Forge, go to https://fabricmc.net/use/server/, and use
java -jar jar
This “downloader” is then also used to launch the server itself with the same command.
Migrating from OpenDNSSEC to DNSSEC-Tools
My first DNSSEC setups were using OpenDNSSEC, but at some point I preferred to migrate to DNSSEC-Tools.
Here’s a hack (howto) to migrate the KSK keys to .krf format. The ZSK keys will be generated by the first zonesigner run.
#!/bin/sh
# Arguments: zone name, SoftHSM key id, key algorithm
ZONE="$1"
KEY="$2"
ALGO="$3"

cd keys
# Export the key from SoftHSM and convert it to BIND format
sudo softhsm --export $ZONE.zsk --slot 0 --pin 1234 --id $KEY
softhsm-keyconv --tobind --in $ZONE.zsk --name $ZONE. --algorithm $ALGO
BINDKEY=$(ls K$ZONE*key)
# Change the DNSKEY flags from 256 (ZSK) to 257 (KSK)
sed -i -e 's/256/257/' $BINDKEY
BASEKEY=$(basename $BINDKEY .key)
cd ..

# Write the keyrec file with zone, signing set and key records
cat > $ZONE.krf <<EOF
zone "$ZONE"
        serial "2011112202"
        kskcur "$ZONE-signset-00001"
        signedzone "$ZONE.signed"
        kskcount "1"
        archivedir "/var/lib/dnssec-tools/archive"
        kskdirectory "/cb/ns.df7cb.de/keys"
        zskdirectory "/cb/ns.df7cb.de/keys"
        endtime "+2592000"
        lastset "$ZONE-signset-00004"
        zonefile "$ZONE"
        keyrec_type "zone"
        keyrec_signsecs "1321964086"
        keyrec_signdate "Tue Nov 22 12:14:46 2011"

set "$ZONE-signset-00001"
        keys "$BASEKEY"
        set_type "kskcur"
        zonename "$ZONE"
        keyrec_setsecs "1321961247"
        keyrec_setdate "Tue Nov 22 11:27:27 2011"

key "$BASEKEY"
        zonename "$ZONE"
        keyrec_type "kskcur"
        algorithm "$ALGO"
        random "/dev/urandom"
        keypath "/cb/ns.df7cb.de/keys/$BINDKEY"
        ksklength "2048"
        ksklife "15552000"
        revperiod "3888000"
        keyrec_gensecs "1321961248"
        keyrec_gendate "Tue Nov 22 11:27:28 2011"
EOF

# Generate the ZSKs and sign the zone, then register it for rollover and checking
zonesigner -keydirectory keys -usensec3 -genzsk -verbose $ZONE
rollinit $ZONE >> all.rollrec
echo "/cb/ns.df7cb.de/$ZONE.signed $ZONE cb@df7cb.de" >> checkzones.txt
(The filenames at the end are those used by http://www.incertum.net/archives/11-DNSSEC-mit-Debiansqueeze-dnssec-tools,-bind9.html)
I need to look this up every time
I need to look this up every time I need a backport (mostly PostgreSQL) at a customer site with limited networking:
$ lftp -c 'mget http://backports.debian.org/debian-backports/pool/main/p/postgresql-8.4/*_8.4.5-1~bpo50+1_amd64.deb'
Hopefully I can remember this in the future.
6to4
Setting up a 6to4 tunnel on freewrt:
#!/bin/sh
# http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html

# Tear down any existing tunnel
ip -6 route flush dev tun6to4
ip link set dev tun6to4 down
ip tunnel del tun6to4
sleep 2

ttldefault=15
# IPv4 address currently assigned to ppp0
ipv4=$(ip a show ppp0 | sed -ne 's/.*inet \([^ ]*\).*/\1/p')
# 6to4 prefix: 2002: followed by the IPv4 address in hex
local6to4prefix=$(printf "2002:%02x%02x:%02x%02x" `echo $ipv4 | tr "." " "`)
local6to4address="$local6to4prefix::1"

# Create the tunnel and route global IPv6 traffic via the 6to4 anycast relay
ip tunnel add tun6to4 mode sit ttl $ttldefault remote any local $ipv4
ip link set dev tun6to4 up
ip -6 addr add $local6to4address/16 dev tun6to4
ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

# Address and route on eth0.0, and update the prefix advertised by radvd
ip -6 addr add $local6to4address/64 dev eth0.0
ip -6 route add $local6to4address/64 dev eth0.0
sed -i -e "s/prefix.*/prefix $local6to4prefix::\\/64/" /etc/radvd.conf
/etc/init.d/S51radvd restart
Apt options
Set dpkg options: -o DPkg::Options::=--force-confmiss
Turn off apt key verification: -o Apt::Get::AllowUnauthenticated=true