File permissions for Immich directories (/var/lib/immich by default)

Oneechan69 · June 3, 2026, 11:41am

Right now reading files in /var/lib/immich requires sudo, I want to be able to access the images in apps like Obsidian (I want to symlink the media folder into my vault so I embed images in my notes).

If I change the permissions with sudo chmod, would the permissions be changed back at all by other programs, like whenever I upload new images? Should I change services.immich.mediaLocation to inside my home folder?

These is my immich config right now:

services.immich = {
      enable = true;
      host = "0.0.0.0";
      accelerationDevices = null;
    };

eblechschmidt · June 3, 2026, 12:43pm

Most of the time it is not a good idea to access the files of a service directly. You should rather find a way to access it via the designed interfaces.

I’m not using immich but have you checked out External Library | Immich? It seems like this is what you might be looking for.

waffle8946 · June 3, 2026, 1:05pm

Unlikely, but you would have to check the immich code for that. Of course, new files will have whatever permissions immich sets, or failing that, umask takes over.

You asked this before, right? The service user cannot access your home dir.

not-jack · June 3, 2026, 1:12pm

You can change the permissions of the mediaLocation via

systemd.tmpfiles.settings.immich.<mediaLocation>.e = {
  user = "immich";
  group = "immich";
  mode = "0740";   # <---- only line that really changes
};

and add the obsidian user to the immich group, via

users.users.<obsidian-user>.extraGroups = [
  "immich"
];

Oneechan69 · June 3, 2026, 2:29pm

Would I do systemd.tmpfiles.settings.immich."/var/lib/immich/".e? If so I could leave the medialocation as the default.

Oneechan69 · June 4, 2026, 12:57am

Actually the solution was very simple: add myself to the immich group. Then I can symlink /var/lib/immich into my Obsidian vault:

users.users.myUsername.extraGroups = [ "immich" ];
home-manager.users.myusername.file."PathTo/ObsidianVault/Immich".source = config.lib.file.mkOutOfStoreSymlink "/var/lib/immich";

TLATER · June 4, 2026, 4:47am

That will work, but breaks service isolation.

For anyone else reading this post, an external storage like @eblechschmidt suggests is probably the best way to do this, but using immich like this at all seems like a mistake to me.

Using immich’s “share link” feature and using an image embed in obsidian would be the intended mechanism, after all, obsidian vaults can be shared with other machines (where the immich paths aren’t present), and immich should not really be hosted on a workstation in the first place.

I’m not 100% certain immich and obsidian support using HTTP basic auth for this (though they should), if they do not this would be a good use case for a new obsidian plugin (or worth an upstream issue or two).