BentoPDF fetches /config.json at runtime. In our build/deploy flow this file
may be missing, causing noisy 404 errors in the browser console.
Create a minimal default config.json ({}), only when absent, during install
and update so custom configs are not overwritten.

LibreOffice WASM requires crossOriginIsolated + secure context.
LAN HTTP origins (http://192.168.x.x) are not trustworthy, so Office
conversion fails with DataCloneError on SharedArrayBuffer transfer.
- generate self-signed TLS cert (idempotent)
- add HTTPS server on :8443
- redirect HTTP :8080 to HTTPS :8443
- keep WASM gzip/mime handling
- update post-install URL hint to https://IP:8443

Word/Excel/PowerPoint to PDF conversion uses LibreOffice WASM which
requires SharedArrayBuffer. SharedArrayBuffer only works when the server
sends Cross-Origin-Opener-Policy: same-origin and
Cross-Origin-Embedder-Policy: require-corp headers.
The previous http-server setup did not send these headers, causing WASM
initialization to time out for office-format conversions.
Fix: replace http-server with nginx and configure COOP/COEP headers in the
nginx site config, matching the upstream Docker image's nginx.conf.
Also adds a one-time migration path in update_script for existing installs
running the old http-server service.
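
The requirement described in the two commit messages above (secure context plus COOP/COEP headers), as an added example that is not part of these commits or the project's scripts: a Python check over a response's URL and headers. The function names, the 192.168.1.50 address and the sample headers are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Header values named in the commit messages above.
REQUIRED = {
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
}


def is_secure_context_origin(url):
    """HTTPS, localhost and loopback IPs count as trustworthy origins."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name served over plain HTTP
        return False


def isolation_problems(url, headers):
    """Return reasons why a page at `url` would not be crossOriginIsolated.

    `headers` is a list of (name, value) pairs from the HTTP response.
    """
    problems = []
    if not is_secure_context_origin(url):
        problems.append("origin is not a secure context")
    # Header names are case-insensitive; drop parameters such as report-to.
    seen = {n.strip().lower(): v.split(";")[0].strip().lower() for n, v in headers}
    for name, wanted in REQUIRED.items():
        got = seen.get(name)
        if got is None:
            problems.append(f"missing {name}")
        elif got != wanted:
            problems.append(f"{name} is {got!r}, expected {wanted!r}")
    return problems


# Constructed sample responses (not captured from a real install).
OLD_HTTP_SERVER = ("http://192.168.1.50:8080/", [("Content-Type", "text/html")])
NGINX_TLS = ("https://192.168.1.50:8443/", [
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Cross-Origin-Embedder-Policy", 'require-corp; report-to="coep"'),
])

if __name__ == "__main__":
    for url, hdrs in (OLD_HTTP_SERVER, NGINX_TLS):
        print(url, isolation_problems(url, hdrs) or "ok")
```
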
Helmet's useDefaults adds upgrade-insecure-requests to the CSP,
which forces browsers to upgrade all HTTP requests to HTTPS.
Since most LXC users access Immich directly via HTTP, this breaks
the web UI completely (CORS errors, spinning logo).
Patch helmet.json after deploy to explicitly null out the directive,
keeping CSP benefits while allowing HTTP access.
Fixes #13597

* Rename gokapi binary and update service
Change the installed binary name from pre-v2.2.4 `gokapi-linux_amd64` to v2.2.4+ `gokapi` and update service configuration accordingly. Add a migration step to remove any legacy `gokapi-linux_amd64` binary file, update binary reference in existing `gokapi.service`, and reload systemd before starting the service.
* Update comment for binary name migration
---------
Co-authored-by: Tobias <96661824+CrazyWolf13@users.noreply.github.com>
* fix(immich): use start.sh in service, ensure DB_HOSTNAME in .env
* Bump Immich to v2.6.2 and adjust chown handling
Update Immich release references from v2.6.1 to v2.6.2 in ct/immich.sh and install/immich-install.sh. Replace broad recursive chown -R on the install dir with a safer approach that avoids recursing into the upload directory (which may be a mounted volume with restricted permissions): set ownership on the install dir itself, chown each top-level entry except 'upload', and attempt to chown the upload path while ignoring errors. Also adjust ordering for /var/log/immich chown to avoid permission issues when enabling services.