Lesson 14 — Files, Photos & Passwords
The three pillars of personal data management on your setup: file sync (Nextcloud), photos (Immich), and secrets (Bitwarden/Vaultwarden). Configured in vendor/nixproject/modules/home/selfhosted.nix.
Nextcloud — file sync
Your Nextcloud instance at https://next.wilsoz.com is the backbone of the setup — it stores Mixxx profiles, Joplin notes, Mixxx music library metadata, and general files, keeping both laptops in sync.
First-time setup (per machine)
- Launch the Nextcloud desktop client: `nextcloud` or find it in the app menu
- Click Add account → enter `https://next.wilsoz.com`
- The browser opens → log in via Authentik SSO
- Choose which folders to sync and where (`~/Nextcloud` by default)
- Wait for initial sync to complete
Daily use
The client runs in the background and syncs automatically. The system tray icon shows sync status:
- Spinning arrows — syncing
- Green tick — up to date
- Red icon — conflict or error

```sh
# Check sync status from terminal
nextcloudcmd --status ~/Nextcloud
# Force a manual sync (-n reads the login from ~/.netrc, -s keeps output quiet;
# the local folder comes before the server URL)
nextcloudcmd -n -s ~/Nextcloud https://next.wilsoz.com
```
Handling conflicts
If both laptops edit the same file offline, Nextcloud creates a conflict file named `filename (conflicted copy date).ext` alongside the original. Open both, decide which to keep, delete the other, and let it sync.
App passwords
Some tools (Joplin, the Mixxx sync script) need a Nextcloud app password rather than your SSO login:
- Go to `https://next.wilsoz.com` → Settings → Security
- Under Devices & sessions → Create new app password
- Name it descriptively (e.g. `joplin-elitebook`) and copy the password
Immich — photos
Immich at https://photos.wilsoz.com is your self-hosted Google Photos replacement. It's installed as a PWA launcher — find Immich Photos in your app menu, which opens it in its own Chromium window.
Uploading photos
From the web UI / PWA:
- Drag and drop photos onto the page
- Click the upload button (cloud icon, top right)
- Select files from your local disk

From the command line (bulk import):

```sh
# The Immich CLI can be used for bulk uploads
nix shell nixpkgs#immich-cli
immich login https://photos.wilsoz.com    # authenticate once
immich upload ~/Pictures/                 # upload a directory
immich upload ~/Pictures/ --recursive     # include subdirectories
```
Navigating the UI
| Section | What it shows |
|---|---|
| Photos | All photos chronologically |
| Explore | Places map and people face grouping |
| Albums | Manually created or shared albums |
| Memories | "On this day" style recaps |
| Archive | Hidden-from-main-view photos |
| Favorites | Starred photos |
Useful features
Face recognition — Immich automatically groups faces. Go to Explore → People to name them.
Places map — photos with GPS data show on a world map under Explore → Places.
Sharing — create a shared album and send a link to share with others without them needing an Immich account.
Mobile app — the Immich mobile app (iOS/Android) backs up your phone camera roll automatically to your server. Worth setting up on your phone.
Bitwarden — passwords
Your Vaultwarden instance at https://vault.wilsoz.com stores all credentials. You have both the desktop app and the bw CLI.
Desktop app — first-time setup
- Open Bitwarden from the app menu
- Click Settings (gear icon) → Self-hosted environment
- Set server URL: `https://vault.wilsoz.com`
- Log in (goes through Authentik SSO)
The vault now syncs to your self-hosted server instead of Bitwarden's cloud.
Browser extension
Install the Bitwarden browser extension in Firefox and Chromium for autofill. After installing, set the same self-hosted server URL in extension settings and log in.
bw — the CLI
The bw CLI is useful for scripting and for the bootstrap script that sets up new machines.

```sh
# One-time server configuration
bw config server https://vault.wilsoz.com
# Log in (--sso opens the browser for SSO)
bw login --sso
# Unlock the vault (required before each session)
bw unlock
# This prints: export BW_SESSION="<token>"
# Copy and run that export command, or:
export BW_SESSION="$(bw unlock --raw)"
# Now you can query items
bw list items                    # list everything
bw list items --search github    # search by name
bw get item "github"             # get a specific item
bw get password "github"         # just the password field
bw get username "github"         # just the username field
# Lock when done
bw lock
```
Using bw in scripts
The bootstrap script (vendor/nixproject/scripts/bootstrap-secrets.sh) uses bw to pull credentials and configure things like Wi-Fi, Tailscale, and Atuin automatically on a new machine. The pattern:

```sh
export BW_SESSION="$(bw unlock --raw)"
NEXTCLOUD_PASS="$(bw get password "nextcloud-app-password")"
# use $NEXTCLOUD_PASS to configure the Nextcloud client
bw lock
```
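
One way to apply this pattern to the Nextcloud app password, as an added example (not the contents of bootstrap-secrets.sh): the password is piped from `bw get password` straight into an owner-only `~/.netrc` entry, which `nextcloudcmd -n` reads, and the vault is re-locked on exit. The function names, the login argument and the one-entry-per-line netrc layout are assumptions.

```sh
#!/bin/sh
# Added example; write_netrc_entry and sync_nextcloud are hypothetical names.
set -eu

NC_HOST="next.wilsoz.com"   # Nextcloud host from this lesson

# Replace the netrc entry for one host. The password arrives on stdin, so it
# never appears in argv or an exported variable. The body runs in a subshell,
# which keeps its variables local.
write_netrc_entry() (   # args: netrc_path host login
  netrc="$1" host="$2" login="$3"
  pass="$(cat)"
  # Empty input also catches a failed `bw get` on the left side of the pipe.
  [ -n "$pass" ] || { echo "no password received for $host" >&2; exit 1; }
  tmp="$(mktemp "$netrc.XXXXXX")"        # mktemp creates the file mode 0600
  if [ -f "$netrc" ]; then               # keep other hosts, drop a stale entry
    awk -v h="$host" '!($1 == "machine" && $2 == h)' "$netrc" > "$tmp"
  fi
  printf 'machine %s login %s password %s\n' "$host" "$login" "$pass" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$netrc"                     # atomic replace, stays owner-only
)

sync_nextcloud() {   # arg: Nextcloud login name
  BW_SESSION="$(bw unlock --raw)"        # a failed unlock aborts under set -e
  export BW_SESSION
  # Re-lock the vault even if a later step fails.
  trap 'bw lock >/dev/null 2>&1 || true' EXIT
  bw get password "nextcloud-app-password" |
    write_netrc_entry "$HOME/.netrc" "$NC_HOST" "$1"
  nextcloudcmd -n -s "$HOME/Nextcloud" "https://$NC_HOST"
}

# Run as: sh sync.sh sync <login>
if [ "${1:-}" = "sync" ]; then sync_nextcloud "${2:?login name required}"; fi
```
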
Vault organisation tips
- Use Collections for grouping (work, personal, homelab)
- Use Custom fields for non-standard things (the bootstrap script reads custom fields like `username` and `key` from the `atuin` item)
- Secure notes for things that aren't credentials (SSH key fingerprints, server IPs, recovery codes)
- Turn on Two-step login under Account Settings for the vault itself
How they work together
The three services are deliberately interdependent:

```
Bitwarden (bw CLI)
  └── unlocks credentials for →
        Nextcloud app password → Nextcloud client syncs files
        Atuin key              → atuin login (history sync)
        Tailscale auth key     → tailscale up (network)
        Wi-Fi PSK              → nmcli (networking on new installs)

Nextcloud
  └── syncs to both laptops →
        ~/Nextcloud/Joplin/      ← Joplin notes
        ~/Nextcloud/Mixxx/       ← DJ profiles
        ~/Nextcloud/ssh-pubkeys/ ← public SSH keys distributed to servers
```

When setting up a new machine, scripts/bootstrap-secrets.sh uses bw to pull everything and configure all of these in one shot.