    Self-hosting my photos with Immich

    (michael.stapelberg.ch)
    659 points birdculture | 15 comments
    WD-42 ◴[] No.46170203[source]
    Self hosting used to mean conceding on something. I can honestly say Immich is better in every way than Google Photos or whatever Apple calls it. The only thing is having to set it up yourself.
    replies(8): >>46170508 #>>46170879 #>>46171072 #>>46171096 #>>46171210 #>>46171919 #>>46172322 #>>46175671 #
    1. ptk ◴[] No.46170508[source]
    How does sharing an album with others work on Immich?
    replies(3): >>46170576 #>>46170670 #>>46170681 #
    2. jasonjayr ◴[] No.46170576[source]
    You get a link and you can set read or write permissions on it.

    Whoever gets that link can browse it in a web browser.

    I've used this to share albums of photos with gatherings of folks; it works very well. It does assume you have your Immich installation publicly available, however. (Not open to the public, but on a publicly accessible web server)

    replies(2): >>46171665 #>>46171693 #
    3. bicepjai ◴[] No.46170670[source]
    I have not shared it with many people. But one of my most wanted features is to completely share my photos with my partner. None of the services I tried (Plex, Synology Photos) had it. In Immich, it’s just a flip of a button.
    replies(2): >>46171183 #>>46173638 #
    4. cyberax ◴[] No.46170681[source]
    If you want to share with family, you can permanently add them as users to your Immich instance. Otherwise, you can create a link that they can use.
    5. Bishonen88 ◴[] No.46171183[source]
    Ugreen has it. It has conditional albums in which one can set up rules like person, file type, location, anniversary and more and share a live album. Or leave all params empty and simply mirror the entire library.
    6. cromka ◴[] No.46171665[source]
    OK. Then you concede your security, as I can't imagine any single person self-hosting can be better at keeping their public service more secure than engineers at Google can. Especially with limited time.
    replies(3): >>46172147 #>>46172227 #>>46173816 #
    7. navane ◴[] No.46171693[source]
    How safe is that to set up for novice IT people? I have a Pi with Pi-hole on it and am thinking about putting Immich on it but the fact that it exposes itself outside my LAN frightens me.
    replies(2): >>46172214 #>>46176618 #
    8. lurking_swe ◴[] No.46172147{3}[source]
    I mean, if you’re confident about security best practices, have a moderate amount of networking experience, and are a seasoned web developer, it’s not too scary at all. I realize that’s a lot of prerequisites though.

    It’s not a fair comparison with Google because Google has a much bigger target on their back. There are millions of users of Google, so the value of hacking Google is very high. The value of hacking a random Immich instance is extremely low.

    9. kristjank ◴[] No.46172214{3}[source]
    I have it set up in a container that I keep updated. Then it's reverse proxied by another container which runs nginx proxy manager, which keeps the HTTPS encryption online. So far, the maintenance has only been checking whether a new version has been released and docker pulling the images, then restarting the containers.
    10. kristjank ◴[] No.46172227{3}[source]
    You definitely have a dull imagination. If the software itself is secure, a containerized version of Immich behind a containerized version of nginx proxy manager is probably as secure as you can get. Also, Google security tends to be mainly leaning towards securing Google and less towards securing Google's (non-paying) customers.
    11. embedding-shape ◴[] No.46173638[source]
    > In Immich, it’s just a flip of a button.

    Flip a switch and then what, are you getting an isolated public URL to share? Or you have your infrastructure exposed to the internet and the shared URL is pointing to your actual server where the data is hosted?

    replies(1): >>46175216 #
    12. esseph ◴[] No.46173816{3}[source]
    If you're not Cloudflare averse...

    Set up Immich VM or Docker container with a Cloudflare tunnel

    Front access with Cloudflare Access (ZeroTrust) for free.

    Set "can only be accessed by users with email = xyz@myuser"

    Done.

    Now assuming this is the same user email as the one you shared photos with, there is a base level of security keeping the riffraff away.

    Home IP is never exposed either, because it's proxied through the cf tunnel.

    replies(1): >>46210201 #
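
Added example, not part of the thread or of any commenter's post: a cloudflared `config.yml` for the tunnel setup described in comment 12. The hostname `photos.example.com`, the upper-case placeholders, and Immich listening on its default port 2283 on the same host are assumptions; the email rule itself is defined in the Zero Trust dashboard, and the `access` block makes cloudflared drop requests that did not pass it.

```yaml
# /etc/cloudflared/config.yml (constructed example, placeholder values)
tunnel: REPLACE_WITH_TUNNEL_UUID
credentials-file: /etc/cloudflared/REPLACE_WITH_TUNNEL_UUID.json

ingress:
  # Only this hostname is routed to Immich; nothing else on the host is reachable.
  - hostname: photos.example.com          # assumed hostname
    service: http://localhost:2283        # Immich default port, assumed local
    originRequest:
      access:
        # cloudflared validates the Cloudflare Access JWT before proxying,
        # so a request without a valid token never reaches Immich.
        required: true
        teamName: REPLACE_WITH_ZERO_TRUST_TEAM_NAME
        audTag:
          - REPLACE_WITH_ACCESS_APPLICATION_AUD_TAG

  # Mandatory catch-all: any other hostname gets a 404 from cloudflared itself.
  - service: http_status:404
```

Because the tunnel connects outbound, no inbound port needs to be opened on the home router for this configuration.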
    13. DrammBA ◴[] No.46175216{3}[source]
    > you have your infrastructure exposed to the internet and the shared URL is pointing to your actual server where the data is hosted

    I think the previous commenter misunderstood your question, this is the answer (you can also put it behind something like cloudflared tunnels).

    Immich is a service like any other running on your server, if you want it exposed to the internet you need to do it yourself (get a domain, expose the service to the internet via your home IP or a tunnel like cloudflared, and link that to your domain).

    After that, Immich allows you to share public folders (anyone with the link can see the album, no auth), or private folders (people have to auth with your Immich server, you either create an account for them since you're the admin, or set up OAuth with automatic account creation).

    14. Duralias ◴[] No.46176618{3}[source]
    If you are worried about that then I can highly recommend https://github.com/alangrainger/immich-public-proxy

    I keep that running on a VPS, but with proper firewalling you could probably run it on the same machine.

    15. cromka ◴[] No.46210201{4}[source]
    I don't need that. I use WireGuard to connect to my LAN. I meant risk of getting your data stolen either through physical breakup or some security vulnerability