# Immich — First-Time Setup

## Prerequisites

- DNS: `immich.<domain_suffix>` must resolve to the server
- **Authentik** must be deployed and running (dependency)

## Steps

1. **Create the app:**
   ```bash
   abra app new immich --server <SERVER> --domain immich.<DOMAIN_SUFFIX> --no-input
   ```

2. **Generate secrets:**
   ```bash
   abra app secret generate immich.<DOMAIN_SUFFIX> --all -m --no-input
   ```
   Save output to `recipe-info/testsecrets/immich.<DOMAIN_SUFFIX>`.

3. **Deploy:**
   ```bash
   abra app deploy immich.<DOMAIN_SUFFIX> --chaos --force --no-input
   ```

4. **Authentik SSO integration:**
   ```bash
   python3 recipe-info/immich/setup_authentik_integration.py
   ```
   This creates an OAuth2 provider and application in Authentik, creates a test user, creates an Immich admin account via the API, and configures Immich's OAuth settings via the Immich system API.

5. **Verify:** curl `https://immich.<DOMAIN_SUFFIX>` returns HTTP 200.

## Notes

- Credentials are saved to `recipe-info/immich/authentik-test-credentials.<DOMAIN_SUFFIX>.toml`.
- Unlike other recipes, Immich's OAuth is configured via its admin API (not env vars), so no redeploy is needed after SSO setup.
- OIDC test user: `testuser` / `testpass123`.