From 1ceb8209bc67ff348a0bcb05f00b0ac58e117e7b Mon Sep 17 00:00:00 2001
From: Nik Afiq
Date: Fri, 1 May 2026 19:43:09 +0900
Subject: [PATCH] feat: add Immich database credentials and deployment configuration
---
 .env.example | 5 +-
 manifests/media/immich-postgres-sealed.yaml | 13 +
 manifests/media/immich-postgres-secret.sh | 16 ++
 manifests/media/immich.yaml | 297 ++++++++++++++++++++
 values/pihole.yaml | 1 +
 5 files changed, 331 insertions(+), 1 deletion(-)
 create mode 100644 manifests/media/immich-postgres-sealed.yaml
 create mode 100755 manifests/media/immich-postgres-secret.sh
 create mode 100644 manifests/media/immich.yaml
diff --git a/.env.example b/.env.example
index f9e7ac7..200619a 100644
--- a/.env.example
+++ b/.env.example
@@ -31,4 +31,7 @@ REGISTRY_PASSWORD=your_token_here
 # Home Assistant and Discord integration
 HA_TOKEN=your_home_assistant_token_here
 DISCORD_TOKEN=your_discord_token_here
-GUILD_ID=your_discord_guild_id_here
\ No newline at end of file
+GUILD_ID=your_discord_guild_id_here
+
+# Immich database credentials
+IMMICH_POSTGRES_PASSWORD=your_password_here
\ No newline at end of file
diff --git a/manifests/media/immich-postgres-sealed.yaml b/manifests/media/immich-postgres-sealed.yaml
new file mode 100644
index 0000000..790f82c
--- /dev/null
+++ b/manifests/media/immich-postgres-sealed.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: immich-postgres
+ namespace: immich
+spec:
+ encryptedData:
+ password: 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
+ template:
+ metadata:
+ name: immich-postgres
+ namespace: immich
diff --git a/manifests/media/immich-postgres-secret.sh b/manifests/media/immich-postgres-secret.sh
new file mode 100755
index 0000000..a4dfdf3
--- /dev/null
+++ b/manifests/media/immich-postgres-secret.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../../.env"
+
+kubectl create secret generic immich-postgres \
+ --namespace=immich \
+ --from-literal=password="${IMMICH_POSTGRES_PASSWORD}" \
+ --dry-run=client -o yaml \
+ | kubeseal \
+ --controller-namespace=kube-system \
+ --controller-name=sealed-secrets-controller \
+ --format yaml \
+ > "$SCRIPT_DIR/immich-postgres-sealed.yaml"
+
+echo "Wrote $SCRIPT_DIR/immich-postgres-sealed.yaml"
\ No newline at end of file
diff --git a/manifests/media/immich.yaml b/manifests/media/immich.yaml
new file mode 100644
index 0000000..b878438
--- /dev/null
+++ b/manifests/media/immich.yaml
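Review bot: The redirection `> "$SCRIPT_DIR/immich-postgres-sealed.yaml"` truncates the committed sealed manifest before `kubeseal` has run, so when `kubeseal` fails (controller unreachable, wrong controller name) `set -o pipefail` aborts the script but the previously good file has already been replaced by an empty one; write to a temporary file and move it into place only after the pipeline succeeds, e.g. `out="$(mktemp)"`, redirect to `"$out"`, then `mv "$out" "$SCRIPT_DIR/immich-postgres-sealed.yaml"`. Passing the password with `--from-literal=password="${IMMICH_POSTGRES_PASSWORD}"` also puts it in the kubectl process's argument list, where it is visible to other local users through process listings for the lifetime of the command; feeding it on stdin with `printf '%s' "$IMMICH_POSTGRES_PASSWORD" |` before `kubectl` and `--from-file=password=/dev/stdin` in place of the literal keeps it off the command line. Because the script `source`s `../../.env` under `set -u`, a missing variable fails with a bare unbound-variable error; a guard such as `: "${IMMICH_POSTGRES_PASSWORD:?set IMMICH_POSTGRES_PASSWORD in .env}"` after the `source` line would name the file the user needs to fix.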
@@ -0,0 +1,297 @@
+# Apply: kubectl apply -f manifests/media/immich.yaml
+# Delete: kubectl delete -f manifests/media/immich.yaml
+# Description: Immich photo management deployment at immich.home.arpa.
+# External libraries mounted read-only from NFS.
+# NOTE: Set the postgres password before first apply (see Secret below).
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: immich
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: immich-postgres-data
+ namespace: immich
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: immich-library
+ namespace: immich
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 50Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: immich-ml-cache
+ namespace: immich
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 10Gi
+---
+# ─── Postgres ─────────────────────────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: immich-postgres
+ namespace: immich
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: immich-postgres
+ template:
+ metadata:
+ labels:
+ app: immich-postgres
+ spec:
+ containers:
+ - name: postgres
+ image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
+ ports:
+ - containerPort: 5432
+ env:
+ - name: POSTGRES_DB
+ value: immich
+ - name: POSTGRES_USER
+ value: immich
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: immich-postgres
+ key: password
+ - name: POSTGRES_INITDB_ARGS
+ value: "--data-checksums"
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: immich-postgres-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: immich-postgres
+ namespace: immich
+spec:
+ selector:
+ app: immich-postgres
+ ports:
+ - port: 5432
+ targetPort: 5432
+---
+# ─── Redis ────────────────────────────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: immich-redis
+ namespace: immich
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: immich-redis
+ template:
+ metadata:
+ labels:
+ app: immich-redis
+ spec:
+ containers:
+ - name: redis
+ image: docker.io/redis:6.2-alpine
+ ports:
+ - containerPort: 6379
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ volumes:
+ - name: data
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: immich-redis
+ namespace: immich
+spec:
+ selector:
+ app: immich-redis
+ ports:
+ - port: 6379
+ targetPort: 6379
+---
+# ─── Immich Server ────────────────────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: immich-server
+ namespace: immich
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: immich-server
+ template:
+ metadata:
+ labels:
+ app: immich-server
+ spec:
+ containers:
+ - name: immich-server
+ image: ghcr.io/immich-app/immich-server:v1.144.1
+ ports:
+ - containerPort: 2283
+ env:
+ - name: DB_HOSTNAME
+ value: immich-postgres
+ - name: DB_DATABASE_NAME
+ value: immich
+ - name: DB_USERNAME
+ value: immich
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: immich-postgres
+ key: password
+ - name: REDIS_HOSTNAME
+ value: immich-redis
+ - name: IMMICH_MACHINE_LEARNING_URL
+ value: http://immich-machine-learning:3003
+ - name: TZ
+ value: Asia/Tokyo
+ volumeMounts:
+ - name: library
+ mountPath: /usr/src/app/upload
+ - name: photos-other
+ mountPath: /mnt/external/other
+ readOnly: true
+ - name: photos-art
+ mountPath: /mnt/external/art
+ readOnly: true
+ volumes:
+ - name: library
+ persistentVolumeClaim:
+ claimName: immich-library
+ - name: photos-other
+ nfs:
+ server: 192.168.7.183
+ path: /mnt/storage/jellyfin/other
+ - name: photos-art
+ nfs:
+ server: 192.168.7.183
+ path: /mnt/storage/jellyfin/art
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: immich-server
+ namespace: immich
+spec:
+ selector:
+ app: immich-server
+ ports:
+ - port: 2283
+ targetPort: 2283
+---
+# ─── Immich Machine Learning ──────────────────────────────────────────────────
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: immich-machine-learning
+ namespace: immich
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: immich-machine-learning
+ template:
+ metadata:
+ labels:
+ app: immich-machine-learning
+ spec:
+ containers:
+ - name: immich-machine-learning
+ image: ghcr.io/immich-app/immich-machine-learning:v1.144.1
+ ports:
+ - containerPort: 3003
+ volumeMounts:
+ - name: cache
+ mountPath: /cache
+ volumes:
+ - name: cache
+ persistentVolumeClaim:
+ claimName: immich-ml-cache
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: immich-machine-learning
+ namespace: immich
+spec:
+ selector:
+ app: immich-machine-learning
+ ports:
+ - port: 3003
+ targetPort: 3003
+---
+# ─── Ingress / TLS ────────────────────────────────────────────────────────────
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: immich-tls
+ namespace: immich
+spec:
+ secretName: immich-tls
+ issuerRef:
+ name: internal-ca-issuer
+ kind: ClusterIssuer
+ dnsNames:
+ - immich.home.arpa
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: immich
+ namespace: immich
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - kind: Rule
+ match: Host(`immich.home.arpa`)
+ services:
+ - name: immich-server
+ namespace: immich
+ port: 2283
+ tls:
+ secretName: immich-tls
diff --git a/values/pihole.yaml b/values/pihole.yaml
index 1ee0984..a88a62f 100644
--- a/values/pihole.yaml
+++ b/values/pihole.yaml
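Review bot: The `helm.sh/resource-policy: keep` annotations on the `immich-postgres-data` and `immich-library` PVCs are honoured only by Helm, and this file is applied with `kubectl apply` per its own header, so the documented `kubectl delete -f manifests/media/immich.yaml` removes both claims together with the database and the uploaded library; either drop the annotations and document that data-loss behaviour next to the Delete line, or keep the PVCs in a separately applied file. The header's `# NOTE: Set the postgres password before first apply (see Secret below).` is stale because no Secret is defined in this file; it should point at the sealed manifest, e.g. `# NOTE: Apply manifests/media/immich-postgres-sealed.yaml (generated by immich-postgres-secret.sh) before first apply.` Nothing restricts which pods may reach the `immich-postgres` and `immich-redis` Services, and the Redis instance runs with no authentication at all, so any workload in the cluster can reach Immich's job queue and, given the password, its database; a NetworkPolicy admitting only the `app: immich-server` pods to ports 5432 and 6379 (assuming the cluster's CNI enforces NetworkPolicy) would contain that, as sketched below. None of the four Deployments sets `resources` limits or a `securityContext`, which matters most for the machine-learning pod's memory use.
```yaml
# … unchanged: Namespace, PVCs, Deployments, Services, Certificate, IngressRoute …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: immich-backends
  namespace: immich
spec:
  podSelector:
    matchExpressions:
      - key: app
        operator: In
        values: [immich-postgres, immich-redis]
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: immich-server
      ports:
        - protocol: TCP
          port: 5432
        - protocol: TCP
          port: 6379
```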
@@ -79,6 +79,7 @@ dnsmasq:
 - address=/auth.home.arpa/192.168.7.77
 - address=/traefik.home.arpa/192.168.7.77
 - address=/photoview.home.arpa/192.168.7.77
+ - address=/immich.home.arpa/192.168.7.77
 - address=/gitea.nik4nao.com/192.168.7.77
 - address=/ha.home.arpa/192.168.7.77
 - address=/argocd.home.arpa/192.168.7.77
\ No newline at end of file