Skip to content

Frameo with ImmichFrame, an amazing gift

When giving the gift of a digital frame, we want to make sure we are retaining our privacy by using our own self hosted Immich server to serve up the photos for that digital frame. If you aren't currently self-hosting, I would stick with a digital frame that at least gives you the ability to use a local usb storage, but of course this is not as flexible as fetching photos from the internet.

Downloading ADB

If using Android Studio, you should already have adb. To add it to your path (Linux), edit your bash variables

nano ~/.bashrc

and add the following wherever the Android SDK is loaded

#Android adb
export ANDROID_HOME="$HOME/Android/Sdk"
export PATH="$PATH:$ANDROID_HOME/platform-tools"

Initial Frameo Setup

Set up the Frameo as you normally would but skip the section about uploading images.

Go to Settings -> About and check the toggle for the beta program and ADB access. You should see a dialog about accepting the fingerprint of your computer. You may need to use a USB-A to USB-C cable (my type C to type C actually did not work).

Enter 

thomas@fedora:~$ adb devices

You should see a result:

<id>    device

If it says unauthorized then toggle the adb access toggle off and on again.

Install ImmichFrame

Following the instructions from ImmichFrame docs: https://immichframe.dev/docs/getting-started/apps#frameo

Installing wireguard

I haven't yet confirmed. But after installing wireguard and creating a tunnel, it will prevent you from activating the tunnel. I fixed that with:

adb shell appops set com.wireguard.android ACTIVATE_VPN allow

Using cloudflare WAF

The best tunnel method for ImmichFrame is really just Cloudlfare Tunnel. The reason is because we can set a WAF rule to work really well with what ImmichFrame gives us with its header secret.

In Cloudflare when you are on the domain console, go to Security -> Security rules.

Create a custom rule Frameo for Dad.

Set the following

Header authorization does not equal Bearer <secret from ImmichFrame> And Hostname wildcard frame.domain.com*

Choose Action: Block.

Awesome! Now we're not relying on the security at the app layer but instead requiring authentication just to get through our cloudflare proxy.

Comments