←back to thread

Self-hosting my photos with Immich

(michael.stapelberg.ch)
659 points birdculture | 9 comments | 30 Nov 25 09:11 UTC | HN request time: 0.863s | source | bottom
Show context
WD-42 ◴[06 Dec 25 03:02 UTC] No.46170203[source]
Self hosting used to mean conceding on something. I can honestly say Immich is better in every way than Google Photos or whatever Apple calls it. The only thing is having to set it up yourself.
replies(8): >>46170508 #>>46170879 #>>46171072 #>>46171096 #>>46171210 #>>46171919 #>>46172322 #>>46175671 #
ptk ◴[06 Dec 25 03:50 UTC] No.46170508[source]
How does sharing an album with others work on Immich?
replies(3): >>46170576 #>>46170670 #>>46170681 #
1. jasonjayr ◴[06 Dec 25 04:04 UTC] No.46170576[source]
You get a link and you can set read or write permissions on it.

Whoever gets that link can browse it in a web browser.

I've used this to share albums of photos with gatherings of folks; it works very well. It does assume you have your Immich installation publicly available, however. (Not open to the public, but on a publicly accessible web server)

replies(2): >>46171665 #>>46171693 #
2. cromka ◴[06 Dec 25 08:34 UTC] No.46171665[source]
OK. Then you concede your security, as I can't imagine any single person self-hosting can be better at keeping their public service more secure than engineers at Google can. Especially with limited time.
replies(3): >>46172147 #>>46172227 #>>46173816 #
3. navane ◴[06 Dec 25 08:39 UTC] No.46171693[source]
How safe is that to set up for novice it people? I have a pi with pi-hole on it and am thinking about putting immich on it but the fact that it exposes itself outside my LAN frightens me.
replies(2): >>46172214 #>>46176618 #
4. lurking_swe ◴[06 Dec 25 10:15 UTC] No.46172147[source]
I mean, if you’re confident about security best practices, have a moderate amount of networking experience, and are a seasoned web developer, it’s not too scary at all. I realize that’s a lot of prerequisites though.

it’s not a fair comparison with Google because Google has a much bigger target on their back. There are millions of users of Google, so the value of hacking Google is very high. The value of hacking a random Immich instance is extremely low.

5. kristjank ◴[06 Dec 25 10:33 UTC] No.46172214[source]
I have it set up in a container that I keep updated. Then it's reverse proxied by another container which runs nginx proxy manager, which keeps the HTTPS encryption online. So far, the maintenance has only been checking whether a new version has been released and docker pulling the images, then restarting the containers.
6. kristjank ◴[06 Dec 25 10:36 UTC] No.46172227[source]
You definitely have a dull imagination. If the software itself is secure, containerized version of Immich behind a containerized version of nginx proxy manager is probably as secure as you can get. Also google security tends to be mainly leaning towards securing google and less towards securing google's (non paying) customers.
7. esseph ◴[06 Dec 25 14:58 UTC] No.46173816[source]
If you're not Cloudflare averse...

Setup immich VM or docker container with a cloudflare tunnel

Front access with Cloudflare Access (ZeroTrust) for free.

Set "can only be accessed by users with email = xyz@myuser”

Done.

Now assuming this is the same user email as the one you shared photos with, there is a base level of security keeping the riffraff away.

Home IP is never exposed either, because it's proxied through the cf tunnel.

replies(1): >>46210201 #
8. Duralias ◴[06 Dec 25 21:10 UTC] No.46176618[source]
If you are worried about that then I can highly recommend https://github.com/alangrainger/immich-public-proxy

I keep that running on a VPS, but with with proper firewalling you could probably run it on the same machine.

9. cromka ◴[09 Dec 25 20:29 UTC] No.46210201{3}[source]
I dont need that. I use wireguard to connect to my LAN. I meant risk of getting your data stolen either through physical breakup or some security vulnerability