Add immich-sync ansible role for photo library sync

Implements hourly sync from macOS Photos Library to Immich:
- osxphotos exports photos with metadata to staging directory
- immich-cli uploads to Immich via Docker
- LaunchAgent schedules hourly syncs (mcquack pattern)
- API key stored securely from 1Password

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/playbooks/indri.yml

@@ -78,6 +78,23 @@
       no_log: true
       tags: [caddy]
 
+    # Immich API key for photo sync
+    - name: Fetch Immich API key
+      ansible.builtin.command:
+        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get ifcuzuceejqcjx7k7zd2gdsjem --fields api_key --reveal
+      delegate_to: localhost
+      register: _immich_api_key
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [immich_sync]
+
+    - name: Set Immich API key fact
+      ansible.builtin.set_fact:
+        immich_sync_api_key: "{{ _immich_api_key.stdout }}"
+      no_log: true
+      tags: [immich_sync]
+
   roles:
     - role: alloy
       tags: alloy
@@ -99,3 +116,5 @@
       tags: plex_metrics
     - role: caddy
       tags: caddy
+    - role: immich_sync
+      tags: immich_sync

ansible/roles/immich_sync/defaults/main.yml

@@ -0,0 +1,20 @@
+---
+# Immich server URL
+immich_sync_url: "https://photos.ops.eblu.me"
+
+# Directory paths
+immich_sync_export_dir: /Users/erichblume/Pictures/immich-export
+immich_sync_log_dir: /Users/erichblume/Library/Logs
+immich_sync_bin_dir: /Users/erichblume/bin
+
+# Schedule: hourly (StartInterval in seconds)
+immich_sync_interval_seconds: 3600
+
+# osxphotos export options
+immich_sync_export_edited: true      # Export edited versions
+immich_sync_export_originals: true   # Also export originals (as sidecars)
+immich_sync_update_mode: true        # Only export new/changed photos
+
+# immich-cli options
+immich_sync_create_albums: true      # Create albums from folder names
+immich_sync_concurrency: 4           # Parallel uploads

ansible/roles/immich_sync/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Reload immich-sync
+  ansible.builtin.shell: |
+    launchctl unload ~/Library/LaunchAgents/mcquack.eblume.immich-sync.plist 2>/dev/null || true
+    launchctl load ~/Library/LaunchAgents/mcquack.eblume.immich-sync.plist
+  changed_when: true

ansible/roles/immich_sync/tasks/main.yml

@@ -0,0 +1,55 @@
+---
+# Note: osxphotos is installed via mise (pipx), not managed here.
+# This role manages the sync wrapper script and scheduled LaunchAgent.
+#
+# Prerequisites:
+# - osxphotos: Add to ~/.config/mise/config.toml on indri:
+#     [tools]
+#     "pipx:osxphotos" = "latest"
+#   Then run: mise install
+# - Docker: Already installed on indri
+
+- name: Ensure export directory exists
+  ansible.builtin.file:
+    path: "{{ immich_sync_export_dir }}"
+    state: directory
+    mode: '0755'
+
+- name: Ensure bin directory exists
+  ansible.builtin.file:
+    path: "{{ immich_sync_bin_dir }}"
+    state: directory
+    mode: '0755'
+
+- name: Write Immich API key to secure file
+  ansible.builtin.copy:
+    content: "{{ immich_sync_api_key }}"
+    dest: ~/.immich-api-key
+    mode: '0600'
+  no_log: true
+
+- name: Deploy immich-sync wrapper script
+  ansible.builtin.template:
+    src: immich-sync.sh.j2
+    dest: "{{ immich_sync_bin_dir }}/immich-sync.sh"
+    mode: '0755'
+  notify: Reload immich-sync
+
+- name: Deploy immich-sync LaunchAgent plist
+  ansible.builtin.template:
+    src: immich-sync.plist.j2
+    dest: ~/Library/LaunchAgents/mcquack.eblume.immich-sync.plist
+    mode: '0644'
+  notify: Reload immich-sync
+
+- name: Check if immich-sync LaunchAgent is loaded
+  ansible.builtin.command: launchctl list mcquack.eblume.immich-sync
+  register: immich_sync_launchctl_check
+  changed_when: false
+  failed_when: false
+
+- name: Load immich-sync LaunchAgent if not loaded
+  ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.immich-sync.plist
+  when: immich_sync_launchctl_check.rc != 0
+  changed_when: true
+  failed_when: false

ansible/roles/immich_sync/templates/immich-sync.plist.j2

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- {{ ansible_managed }} -->
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>KeepAlive</key>
+	<false/>
+	<key>Label</key>
+	<string>mcquack.eblume.immich-sync</string>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>PATH</key>
+		<string>/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+		<key>HOME</key>
+		<string>/Users/erichblume</string>
+	</dict>
+	<key>ProgramArguments</key>
+	<array>
+		<string>{{ immich_sync_bin_dir }}/immich-sync.sh</string>
+	</array>
+	<key>RunAtLoad</key>
+	<false/>
+	<key>StandardErrorPath</key>
+	<string>{{ immich_sync_log_dir }}/mcquack.immich-sync.err.log</string>
+	<key>StandardOutPath</key>
+	<string>{{ immich_sync_log_dir }}/mcquack.immich-sync.out.log</string>
+	<key>StartInterval</key>
+	<integer>{{ immich_sync_interval_seconds }}</integer>
+</dict>
+</plist>

ansible/roles/immich_sync/templates/immich-sync.sh.j2

@@ -0,0 +1,114 @@
+#!/bin/bash
+# {{ ansible_managed }}
+#
+# Immich photo sync script
+# Exports photos from macOS Photos Library and uploads to Immich
+#
+# Prerequisites:
+# - osxphotos (installed via mise/pipx)
+# - Docker (for immich-cli)
+# - API key at ~/.immich-api-key
+
+set -euo pipefail
+
+EXPORT_DIR="{{ immich_sync_export_dir }}"
+IMMICH_URL="{{ immich_sync_url }}"
+API_KEY_FILE="$HOME/.immich-api-key"
+LOG_PREFIX="[immich-sync]"
+
+log() {
+    echo "$LOG_PREFIX $(date '+%Y-%m-%d %H:%M:%S') $*"
+}
+
+error() {
+    echo "$LOG_PREFIX $(date '+%Y-%m-%d %H:%M:%S') ERROR: $*" >&2
+}
+
+# Check prerequisites
+if ! command -v osxphotos &>/dev/null; then
+    # Try via mise
+    if command -v mise &>/dev/null; then
+        eval "$(mise activate bash)"
+    fi
+    if ! command -v osxphotos &>/dev/null; then
+        error "osxphotos not found. Install via: mise install pipx:osxphotos"
+        exit 1
+    fi
+fi
+
+if ! command -v docker &>/dev/null; then
+    error "Docker not found"
+    exit 1
+fi
+
+if [[ ! -f "$API_KEY_FILE" ]]; then
+    error "Immich API key not found at $API_KEY_FILE"
+    exit 1
+fi
+
+IMMICH_API_KEY=$(cat "$API_KEY_FILE")
+
+# Ensure export directory exists
+mkdir -p "$EXPORT_DIR"
+
+log "Starting photo export from Photos Library to $EXPORT_DIR"
+
+# Export photos using osxphotos
+# --directory: export directory structure by date
+# --update: only export new/changed photos (incremental)
+# --exiftool: write metadata to EXIF tags
+# --edited-suffix _edited: suffix for edited versions
+# --download-missing: download from iCloud if needed
+OSXPHOTOS_ARGS=(
+    export "$EXPORT_DIR"
+    --directory "{created.year}/{created.mm}-{created.mon}"
+{% if immich_sync_update_mode %}
+    --update
+{% endif %}
+    --exiftool
+    --download-missing
+{% if immich_sync_export_edited %}
+    --export-edited
+    --edited-suffix "_edited"
+{% endif %}
+{% if immich_sync_export_originals %}
+    --export-originals
+{% endif %}
+)
+
+log "Running: osxphotos ${OSXPHOTOS_ARGS[*]}"
+if ! osxphotos "${OSXPHOTOS_ARGS[@]}"; then
+    error "osxphotos export failed"
+    exit 1
+fi
+
+log "Photo export complete"
+log "Starting upload to Immich at $IMMICH_URL"
+
+# Upload to Immich using immich-cli in Docker
+# -r: recursive upload
+# -a: create albums from folder names
+# --concurrency: parallel uploads
+IMMICH_CLI_ARGS=(
+    upload
+    --recursive
+{% if immich_sync_create_albums %}
+    --album
+{% endif %}
+    --concurrency {{ immich_sync_concurrency }}
+    /import
+)
+
+log "Running: docker run immich-cli ${IMMICH_CLI_ARGS[*]}"
+if ! docker run --rm \
+    -v "$EXPORT_DIR:/import:ro" \
+    -e IMMICH_INSTANCE_URL="$IMMICH_URL" \
+    -e IMMICH_API_KEY="$IMMICH_API_KEY" \
+    ghcr.io/immich-app/immich-cli:latest \
+    "${IMMICH_CLI_ARGS[@]}"; then
+    error "immich-cli upload failed"
+    exit 1
+fi
+
+log "Upload to Immich complete"
+log "Sync finished successfully"