Self-hosting my photos with Immich

📝 Discussion Summary (Click to expand)

The Hacker News discussion, primarily centered around self-hosting photo management with Immich, revolves around three dominant themes: the complexity and necessity of secure external access, the perceived feature parity and superiority of Immich over commercial alternatives, and the debate over system configuration paradigms (Containers vs. Nix).

Here are the three most prevalent themes:

1. Secure External Access and Public Exposure Concerns

Users expressed significant concern and debate regarding how to securely expose their self-hosted Immich instance to the internet for mobile access or sharing, balancing convenience against security risks like exposing one's home IP address. Cloudflare Tunnels were frequently mentioned as a solution, though they introduced new limitations (like upload size restrictions).

Supporting Quote: "My main problem with it is privacy. Let's say I set up some sort of dynamic DNS to point foo.bar.example.org to my home IP. Then, after some family event, I share an album link... Once somebody figures out foo.bar.example.org points to my home IP, they can look up my home IP at all times." (cuu508)
Supporting Quote (Alternative Solution): "Setup immich VM or docker container with a cloudflare tunnel Front access with Cloudflare Access (ZeroTrust) for free." (esseph)

2. Immich's Competitive Feature Set vs. Commercial Options

A strong sentiment emerged that Immich has largely closed the gap with proprietary services like Google Photos and Apple Photos, particularly regarding usability, performance, and features like facial recognition and sharing capabilities. For many, self-hosting no longer equals conceding functionality.

Supporting Quote: "Self hosting used to mean conceding on something. I can honestly say Immich is better in every way than Google Photos or whatever Apple calls it." (WD-42)
Supporting Quote (on Sync Reliability): "I'd gladly trade manual but bulletproof sync over paying a fee forever for essentially… storing files on drives." (vachina)
Supporting Quote (on Performance): "The project as a whole feels competent. Stuff that should be fast is fast." (Groxx)

3. Configuration Paradigms: Docker/Containers vs. NixOS

There was a significant technical tangent debating the best way to deploy and manage Immich (and other services). Users familiar with declarative configuration, particularly NixOS, pitched it as superior for managing complex, interconnected services compared to traditional Docker/Docker Compose setups.

Supporting Quote (Pro-Nix): "I find this really powerful and simpler than docker and docker-compose. ... Having a single language for configuring all services/applications... is refreshing." (trizic)
Supporting Quote (Pro-Container/Familiarity): "It isn't the absolutely easiest process [in Nix]. But it works on Ubuntu, it works on Debian, it works on Mac, it works on Windows... I don't have to know Nix for anything else." (jerf)

🚀 Project Ideas

Secure Immich Access Gateway (ImmichTunnel)

Summary

A dedicated, lightweight service designed to securely expose self-hosted applications like Immich externally, specifically designed to bypass the Cloudflare Tunnel 100MB upload limit for large media files.
Core value proposition: Enabling secure, large-file access to services behind tunnels without sacrificing the IP address protection offered by services like Cloudflare Tunnel.

Details

Key	Value
Target Audience	Immich users leveraging Cloudflare Tunnels who frequently upload large videos/photos from mobile devices.
Core Feature	A dedicated reverse proxy/uploader service that accepts large media uploads (bypassing CF Tunnel limits) and forwards them securely to a local Immich instance via a private tunnel or direct connection permitted by the user's home network configuration.
Tech Stack	Go (for performance and single binary deployment), WireGuard or dedicated Tailscale integration for secure communication bridge endpoint.
Difficulty	Medium
Monetization	Hobby

Notes

Why HN commenters would love it: Addresses the specific pain point mentioned by CuteDepravity/geekologist regarding Cloudflare's 100MB limit ("Are you also facing the the 100mb upload limit when using cloudflare tunnel?"). It provides a middle ground between proxying everything (and hitting caps) and exposing the public IP (privacy risk).
Potential for discussion or practical utility: Highly practical utility for anyone using secure tunneling (Tunnels, Tailscale Funnel) for self-hosted services where file uploads are crucial. It could be designed as a simple, immutable container replacement for the direct exposure mentioned by geekologist.

Zero-Maintenance Family Sync Agent (FamilySync Proxy)

Summary

A small, user-installable agent (optimized for both Android and iOS, focusing on overcoming iOS background restrictions) that ensures silent, reliable, fire-and-forget photo synchronization to a central Immich server.
Core value proposition: Solves the primary frustration for non-technical family members (parents/spouses) who need reliable background sync without ever opening or configuring the app, addressing the "just works" requirement.

Details

Key	Value
Target Audience	Self-hosters (like palata, ubertaco) needing to silently onboard non-technical family members onto their Immich setup.
Core Feature	A companion proxy/service that utilizes OS-specific background mechanisms (like Nextcloud's rumored 'all the time' location permission trick on iOS) to maintain file sync status, requiring zero user interaction after initial setup.
Tech Stack	Native Kotlin/Swift modules bundled perhaps within a unified wrapper (like React Native or Flutter, for wider reach), communicating via a secure API with the main Immich server.
Difficulty	High (Due to navigating the highly restrictive, undocumented background processing limitations on modern iOS/Android versions).
Monetization	Hobby

Notes

Why HN commenters would love it: Directly targets the reliability concerns raised by palata ("My problem with it is more that the whole thing is a bit unreliable... I need it to 'just work' on the smartphones"). It solves the "I can't rely on Nextcloud for family backup" problem for the crucial mobile upload component.
Potential for discussion or practical utility: The discussion around how Nextcloud achieves background sync on iOS (palata's observation about "location permission all the time") is ripe for exploration. A successful, reliable solution here would be immediately valuable to the community.

Automated, Rule-Based Album Curator (SmartAlbum Agent)

Summary

A server-side utility that hooks into the Immich API to create and manage "smart" albums based on ML metadata, fulfilling user requests for highly specific, self-updating collections.
Core value proposition: Bridges the gap between Immich's powerful ML backend and the lack of live, shareable Smart Albums (like those in Google Photos), enabling users to build custom curation workflows without external scripting.

Details

Key Key	Value
Target Audience	Immich power users demanding feature parity with proprietary solutions regarding intelligent, dynamic album creation (euleriancon, j_bum, fy20).
Core Feature	A configuration interface (web UI or declarative configuration file) allowing users to set rules (e.g., "All photos containing FaceID X and objects 'Beach, Sunset'" or "Photos uploaded by Partner Y, excluding photos tagged 'Statue'"). It then auto-populates and updates the corresponding Immich album.
Tech Stack	Python or Go (for easy interaction with the Immich API and ML embeddings endpoint), integrated as a dedicated container managed via Docker Compose alongside Immich.
Difficulty	Medium
Monetization	Hobby

Notes

Why HN commenters would love it: Directly addresses the feature gap where users want live albums based on faces ("auto add pictures to an album based on the face," as requested by euleriancon). Though Vinnl/piquadrat mention Workflows are coming, this product delivers this now as a complete, user-friendly solution that builds on top of Immich.
Potential for discussion or practical utility: This taps into the "curation" aspect (drekipus wanting one-click albums) without forcing bulk uploads or manual selection, providing a tangible benefit for users prioritizing data quality over archival volume.