My Immich Setup
I’m writing up this guide as a few people have asked about setting up Immich, or getting into self-hosting.
Prerequisites
- A device that you want to run Immich on (this can be an old laptop, a Raspberry Pi or a mini PC) - Immich recommends at least 6GB RAM and 2 CPU cores.
- It’s easier if the device is running Linux and has Docker installed.
- Experience with Linux and Docker
Other Things to Consider
Before starting, here are a few things I would advise thinking about:
- How are you going to access it? Are you comfortable making your Immich instance available to the public? How are you going to handle security / auth?
- What is your backup strategy? Is making regular snapshots of your image data / database to another device within your local network sufficient or do you want to back up to cloud storage or offsite?
- How much storage do you need? I currently have about 26k photos, 1.4k videos and it’s consuming 165GiB of storage - to be fair many of these are high-resolution photo exports.
Setting up Immich
There’s no point re-writing what the Immich team spend a long time maintaining, so here’s their guide.
Non-Local Access
I’ve seen a lot of people have success using Tailscale to get access to their self-hosted services when they are not home. However, I’ve decided to use a Cloudflare tunnel and Google OAuth to secure it.
To use a Cloudflare tunnel, you’ll need a domain and some DNS records set up to get it to work - Cloudflare has a great write-up on how to do that here. I would suggest using the Docker option, and adding the Cloudflare daemon container to the docker-compose file:
cloudflared:
  container_name: cloudflared
  image: cloudflare/cloudflared:latest
  depends_on:
    - immich-server
  restart: always
  command: 'tunnel --no-autoupdate run --token YOUR_TUNNEL_TOKEN'
Authentication
Given that the setup is publicly accessible, I wanted to use something stronger than username/password authentication. For this reason I set up Google OAuth login. You can get started with this by visiting the Google API Console and creating an OAuth client.
When creating the OAuth Web Client, make sure to set up the correct Authorised origins for your domain that you are serving up Immich on. Also be careful to set up the correct authorized redirect URLs:
https://DOMAIN.com/auth/login
https://DOMAIN.com/api/oauth/mobile-redirect
Add your OAuth Client ID and Secrets into Immich. For the other fields I have the following values, but I’m pretty sure they’re just the defaults.
- ISSUER_URL: https://accounts.google.com
- TOKEN_ENDPOINT_AUTH_METHOD: client_secret_post
- SCOPE: openid email profile
- ID_TOKEN_SIGNED_RESPONSE_ALG: RS256
- USERINFO_SIGNED_RESPONSE_ALG: none
- REQUEST_TIMEOUT: 30000
- STORAGE_LABEL_CLAIM: preferred_username
- ROLE CLAIM: immich_role
I have also turned Auto register and Password Login off, as it’s public facing and I don’t want unauthorised users creating accounts. If you are intending to set up the mobile app you’ll probably want to set https://DOMAIN.com/api/oauth/mobile-redirect
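One way to double-check the lockdown described in this section, as an added example (not from the original post or the Immich project): it lints an exported Immich config together with the redirect URIs registered with Google. The JSON key names (`oauth.enabled`, `oauth.autoRegister`, `oauth.issuerUrl`, `passwordLogin.enabled`) are assumed to follow Immich's config-file layout, and `photos.example.com` and the sample data are constructed.

```python
import json
from urllib.parse import urlsplit

# Redirect paths this page registers with the Google OAuth client.
EXPECTED_PATHS = {"/auth/login", "/api/oauth/mobile-redirect"}

def check_redirects(domain, redirect_uris):
    """Flag redirect URIs that are not HTTPS, not on `domain`, or not an expected path."""
    findings = []
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https":
            findings.append(f"redirect is not https: {uri}")
        if (parts.hostname or "").lower() != domain.lower():
            findings.append(f"redirect on unexpected host: {uri}")
        if parts.path not in EXPECTED_PATHS or parts.query or parts.fragment:
            findings.append(f"unexpected redirect path: {uri}")
    registered = {urlsplit(u).path for u in redirect_uris}
    for path in sorted(EXPECTED_PATHS - registered):
        findings.append(f"missing redirect: https://{domain}{path}")
    return findings

def lint_auth(config, domain, redirect_uris):
    """Return findings for a public-facing instance; an empty list means locked down."""
    oauth = config.get("oauth", {})
    findings = []
    # Missing keys are treated as the unsafe-for-public value (assumption).
    if not oauth.get("enabled", False):
        findings.append("oauth.enabled is off")
    if oauth.get("autoRegister", True):
        findings.append("oauth.autoRegister is on: first-time OAuth logins create accounts")
    if config.get("passwordLogin", {}).get("enabled", True):
        findings.append("passwordLogin.enabled is on")
    if urlsplit(oauth.get("issuerUrl", "")).scheme != "https":
        findings.append("oauth.issuerUrl is not https")
    return findings + check_redirects(domain, redirect_uris)

# Constructed sample: OAuth configured, but auto register and password login left on.
SAMPLE = json.loads("""{"oauth": {"enabled": true, "autoRegister": true,
  "issuerUrl": "https://accounts.google.com"}, "passwordLogin": {"enabled": true}}""")
SAMPLE_URIS = ["https://photos.example.com/auth/login"]  # mobile redirect forgotten

if __name__ == "__main__":
    for finding in lint_auth(SAMPLE, "photos.example.com", SAMPLE_URIS):
        print("FINDING:", finding)
```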
Storage Template
For some reason, the default Immich storage template is just a series of GUIDs, which isn’t very explorable on the file system. For this reason I’ve set mine to
{{y}}/{{y}}-{{MM}}/{{filename}}
which on the file system looks something like
IMMICH_DATA_ROOT/library/username/2026/2026-01/IMAGE_1234.jpg