One bright sunny day, while I was riding my bike to my friend’s house, my phone fell out of my pocket. I was super tense, thinking all my photos would be lost. Thankfully, a Good Samaritan found the phone and returned it to me.
Until that point, I had been procrastinating setting up backups for my phone, but that incident was the inflection point. I finally decided to check out the pricing for iCloud storage – and it was outrageous!
Essentially, I would need to keep paying a subscription fee just to get more storage – and that too for my entire life.
I know iCloud is more than just “storage,” and there are tons of extra features that such solutions provide. But paying a recurring fee for hardware made me wonder if there was another way out. I knew people in the OSS community would have decided to say “frick you” to these corporate giants and would have probably created something helpful.
I was right and found Immich and Nextcloud. I researched a bit more, and since my primary focus was on storage and backups for photos, Immich felt like a better fit.
As I finally had an actual problem at hand to solve, this was good motivation for me to finally self-host something of my own.
Back to Immich – it provides quite impressive iOS and Android apps, alongside other helpful features like duplicate detection, face recognition, photo tagging for search, and a lot more. The features I liked most were linking external libraries (as I had a bunch of backups from my old phones lying around on several hard disks) and first-class support for backups.
My first laptop served me well for 5 years and had been lying around in my closet for some time. Since I didn’t want to spend money on setting up a full-blown self-hosting stack, I decided to use that laptop. It had enough CPU power and RAM for my tiny use case. I configured the settings to not suspend the laptop when closing the lid and disabled the Ubuntu desktop UI.
The plan was simple: start with a very basic setup and then harden the security. For connectivity, the wifi router was good enough to create a local network.
Getting Immich up and running is quite simple: you download the docker-compose file and run docker compose up. I also had a bunch of hard disks, for which I created permanent mount paths on my server and then bind-mounted those paths into my Immich server container, and that’s it!
It really is that simple. I tried connecting to the server over plain HTTP via the iOS app, and once Immich finished transcoding images and generating thumbnails, I had access to all my old photos!
OSS feels like a superpower. :)
Next, I wanted to make this setup more secure, as the traffic was being sent as plain HTTP requests and it’s easy for anyone with access to the wifi network to sniff those packets and see all my photos.
Also, I wanted to add some firewall rules to prevent exposing the Immich server to the entire local network.
For SSL, I initially thought of setting up self-signed SSL certificates locally and using them to enable SSL communications. However, there was a better solution in place – Tailscale.
Tailscale is an awesome piece of software that allows you to create a VPN network and provides a secure way to expose your applications. TLS was solved out of the box by Tailscale for me, and it also provided a domain name that I could use even if the wifi router rotates the local IP. (I really want to understand how Tailscale works – but for now, let’s not lose our focus.)
From my previous jobs, I was aware that if you expose a port in docker-compose as 3003:3003, Docker creates an iptables rule that allows traffic from all hosts to that port. Even adding custom ufw rules to restrict the traffic does not work, because Docker’s rules are evaluated before ufw’s.
One good solution to this is to bind the port to the loopback address instead of all interfaces:
    ports:
      # bind localhost's 3003 to immich:3003
      - "127.0.0.1:3003:3003"
This will still allow Tailscale, which runs on the same machine, to connect to 127.0.0.1:3003, but other machines on the local network won’t be able to access it.
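To confirm the binding actually changed, I like to check two things: what the compose file asks for, and what the host is really listening on. The script below is an added example, not part of the original post or of Immich; it classifies a compose ports entry as wildcard, loopback or host-IP scoped, and audits listening sockets in the format of ss -Hltn for wildcard binds. The ss output embedded in it is a constructed sample (the 3003 listeners are the “before” state), so it runs offline; on a real host, pipe ss -Hltn into wildcard_listeners instead.

```shell
#!/bin/sh
# Added example: classify docker-compose port mappings and audit listening
# sockets for wildcard binds. Not code from the original post or from Immich.

# port_mapping_scope: classify a compose `ports` entry.
#   "3003:3003"            -> wildcard  (all interfaces, bypasses ufw)
#   "127.0.0.1:3003:3003"  -> loopback  (only the host itself, e.g. Tailscale)
#   "192.0.2.10:3003:3003" -> host-ip   (one specific interface)
port_mapping_scope() {
  case "$1" in
    127.0.0.1:*|localhost:*) echo loopback ;;
    *:*:*)                   echo host-ip ;;   # two colons: explicit host IP
    *)                       echo wildcard ;;  # one colon: no host IP given
  esac
}

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer):
# port 3003 is bound to all interfaces (v4 and v6) in the "before" state,
# 5432 is loopback-only and 22 is bound to a single (Tailscale-style) address.
SAMPLE_SS_OUTPUT='LISTEN 0      4096         0.0.0.0:3003       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128        100.64.0.5:22        0.0.0.0:*
LISTEN 0      4096            [::]:3003          [::]:*'

# wildcard_listeners: read `ss -Hltn` lines on stdin and print "addr:port"
# for each listener bound to 0.0.0.0, [::] or *. Prints nothing when every
# listener is scoped to a specific address.
wildcard_listeners() {
  awk '$1 == "LISTEN" {
    laddr = $4
    addr = laddr
    sub(/:[^:]*$/, "", addr)          # drop ":port" to get the bind address
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print laddr
  }'
}

# count_wildcard: number of wildcard-bound listeners in the given ss text.
count_wildcard() {
  printf '%s\n' "$1" | wildcard_listeners | wc -l | tr -d ' '
}

# Stand-alone run: show the offending listeners in the constructed sample.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
```

After switching the compose entry to 127.0.0.1:3003:3003 and recreating the container, the same check against live ss -Hltn output should no longer list port 3003.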
With that done, I had my self-hosted photo backup and storage solution in place, and I was pretty happy with how it was working. I also added my sister to my Tailscale network, and she was able to offload some large videos from her phone to Immich to free up space before her next trip.
Next, I would like to experiment with using Ceph to add fault tolerance to my setup, but that’s a project for another time.