# Email-to-Photo-Frame Upload

Photos emailed to a dedicated mailbox are automatically saved to the
photo-frame Samba share, where the kiosk picks them up on its next scan
(PhotoManager rescans every 10 minutes).

## Three moving parts

### 1. Mailbox to receive photos

Easiest path: a dedicated Gmail account (e.g. `deathstarhomephotos@gmail.com`).

- Enable 2FA on the Google account
- Generate an **app password** under Security → App passwords (needed for IMAP,
  since n8n's IMAP node uses username/password auth)
- Share the address with family members

Lock it down in the n8n workflow by whitelisting sender addresses; reject
anything else so strangers can't spam the frame.

### 2. Samba share visible to n8n

n8n runs on 192.168.1.254 and needs to write to the same Samba share the
kiosk reads from. Two options:

**Option A — Mount the share inside the n8n container**

```bash
# On the n8n LXC host (192.168.1.254), install cifs-utils and mount:
apt install -y cifs-utils
mkdir -p /mnt/family-photos
echo '//SERVER/SHARE /mnt/family-photos cifs credentials=/etc/samba/credentials-n8n,uid=1000,gid=1000,rw,_netdev,x-systemd.automount 0 0' >> /etc/fstab
# credentials file with chmod 600
mount -a
```

Then bind-mount `/mnt/family-photos` into the n8n Docker container so the
Write Binary File node can target it at a path like `/data/family-photos/`.

**Option B — SSH to the fileshare LXC (192.168.1.193)**

Give n8n an SSH key to the fileshare host. Use the Execute Command node to
`scp` / `cat > file` onto the share. Simpler to configure than cifs, but
adds SSH surface area on the fileshare box.

### 3. n8n workflow

Pseudocode:

```
IMAP Email Trigger (mark read, download attachments, poll every 2 min)
  → IF From ∈ [your-email, wife-email]
  → Split attachments
  → IF mimeType startsWith "image/"
  → Rename: ${yyyyMMdd_HHmmss}_${randomHex}.${ext}
  → Write Binary File → /data/family-photos/${filename}
```

Nodes used:
- **Email Trigger (IMAP)** — reads Gmail (server `imap.gmail.com`, port 993, SSL)
- **IF** — sender whitelist guard
- **Item Lists / Split In Batches** — one item per attachment
- **IF** — filter on `$binary.attachment_0.mimeType`
- **Set** — build filename
- **Write Binary File** — write to the mount path

Kiosk picks them up on the next rescan (up to 10 min), or restart the app
to force an immediate scan.

## Hardening

- Limit attachment size (e.g. reject > 30 MB per file) to avoid filling
  the share
- Strip EXIF if you don't want location data persisted on the share
- Keep an audit trail: add an extra branch that appends sender + filename
  to a log file

## Credentials I'll need to build the workflow

- Gmail address + app password (or OAuth refresh token)
- Which option above for the Samba mount (A or B)
- If option B, SSH key + fileshare path to write to
- List of allowed sender emails