feat: add Immich database credentials and deployment configuration

This commit is contained in:
Nik Afiq 2026-05-01 19:43:09 +09:00
parent 861f9c9688
commit 1ceb8209bc
5 changed files with 331 additions and 1 deletions


@ -31,4 +31,7 @@ REGISTRY_PASSWORD=your_token_here
# Home Assistant and Discord integration # Home Assistant and Discord integration
HA_TOKEN=your_home_assistant_token_here HA_TOKEN=your_home_assistant_token_here
DISCORD_TOKEN=your_discord_token_here DISCORD_TOKEN=your_discord_token_here
GUILD_ID=your_discord_guild_id_here GUILD_ID=your_discord_guild_id_here
# Immich database credentials
IMMICH_POSTGRES_PASSWORD=your_password_here


@ -0,0 +1,13 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: immich-postgres
namespace: immich
spec:
encryptedData:
password: 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
template:
metadata:
name: immich-postgres
namespace: immich
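Review bot: Nothing in this generated manifest says where it comes from or how to regenerate it, and kubeseal's output carries no comments, so a reader may be tempted to edit `encryptedData.password` by hand. Have the sealing script prepend a header such as `# Generated by <seal script path>; do not edit — rerun the script to reseal.` before the kubeseal output, or record that in the script's own header comment. With kubeseal's default (strict) scope this ciphertext is bound to the name `immich-postgres` in namespace `immich`, so renaming either field in `template.metadata` requires resealing rather than a manifest edit.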


@ -0,0 +1,16 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../../.env"
kubectl create secret generic immich-postgres \
--namespace=immich \
--from-literal=password="${IMMICH_POSTGRES_PASSWORD}" \
--dry-run=client -o yaml \
| kubeseal \
--controller-namespace=kube-system \
--controller-name=sealed-secrets-controller \
--format yaml \
> "$SCRIPT_DIR/immich-postgres-sealed.yaml"
echo "Wrote $SCRIPT_DIR/immich-postgres-sealed.yaml"
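Review bot: `set -u` makes the `--from-literal` line fail when IMMICH_POSTGRES_PASSWORD is missing from .env, but only with bash's generic unbound-variable message, and nothing stops the example placeholder `your_password_here` from being sealed as the real password. Add after the `source` line: `: "${IMMICH_POSTGRES_PASSWORD:?IMMICH_POSTGRES_PASSWORD is not set in .env}"` and `[[ "$IMMICH_POSTGRES_PASSWORD" != "your_password_here" ]] || { echo "replace the placeholder IMMICH_POSTGRES_PASSWORD in .env" >&2; exit 1; }`. Also note that `source` evaluates the whole .env (including the other tokens) as shell, and `--from-literal` places the password in kubectl's argument list for the duration of the command; `--from-file=password=<(printf '%s' "$IMMICH_POSTGRES_PASSWORD")` would keep it out of process listings.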

manifests/media/immich.yaml Normal file

@ -0,0 +1,297 @@
# Apply: kubectl apply -f manifests/media/immich.yaml
# Delete: kubectl delete -f manifests/media/immich.yaml
# Description: Immich photo management deployment at immich.home.arpa.
# External libraries mounted read-only from NFS.
# NOTE: Set the postgres password before first apply (see Secret below).
apiVersion: v1
kind: Namespace
metadata:
name: immich
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: immich-postgres-data
namespace: immich
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: immich-library
namespace: immich
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 50Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: immich-ml-cache
namespace: immich
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 10Gi
---
# ─── Postgres ─────────────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
name: immich-postgres
namespace: immich
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: immich-postgres
template:
metadata:
labels:
app: immich-postgres
spec:
containers:
- name: postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: immich
- name: POSTGRES_USER
value: immich
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: immich-postgres
key: password
- name: POSTGRES_INITDB_ARGS
value: "--data-checksums"
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
volumes:
- name: data
persistentVolumeClaim:
claimName: immich-postgres-data
---
apiVersion: v1
kind: Service
metadata:
name: immich-postgres
namespace: immich
spec:
selector:
app: immich-postgres
ports:
- port: 5432
targetPort: 5432
---
# ─── Redis ────────────────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
name: immich-redis
namespace: immich
spec:
replicas: 1
selector:
matchLabels:
app: immich-redis
template:
metadata:
labels:
app: immich-redis
spec:
containers:
- name: redis
image: docker.io/redis:6.2-alpine
ports:
- containerPort: 6379
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: immich-redis
namespace: immich
spec:
selector:
app: immich-redis
ports:
- port: 6379
targetPort: 6379
---
# ─── Immich Server ────────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
name: immich-server
namespace: immich
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: immich-server
template:
metadata:
labels:
app: immich-server
spec:
containers:
- name: immich-server
image: ghcr.io/immich-app/immich-server:v1.144.1
ports:
- containerPort: 2283
env:
- name: DB_HOSTNAME
value: immich-postgres
- name: DB_DATABASE_NAME
value: immich
- name: DB_USERNAME
value: immich
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: immich-postgres
key: password
- name: REDIS_HOSTNAME
value: immich-redis
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: TZ
value: Asia/Tokyo
volumeMounts:
- name: library
mountPath: /usr/src/app/upload
- name: photos-other
mountPath: /mnt/external/other
readOnly: true
- name: photos-art
mountPath: /mnt/external/art
readOnly: true
volumes:
- name: library
persistentVolumeClaim:
claimName: immich-library
- name: photos-other
nfs:
server: 192.168.7.183
path: /mnt/storage/jellyfin/other
- name: photos-art
nfs:
server: 192.168.7.183
path: /mnt/storage/jellyfin/art
---
apiVersion: v1
kind: Service
metadata:
name: immich-server
namespace: immich
spec:
selector:
app: immich-server
ports:
- port: 2283
targetPort: 2283
---
# ─── Immich Machine Learning ──────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
name: immich-machine-learning
namespace: immich
spec:
replicas: 1
selector:
matchLabels:
app: immich-machine-learning
template:
metadata:
labels:
app: immich-machine-learning
spec:
containers:
- name: immich-machine-learning
image: ghcr.io/immich-app/immich-machine-learning:v1.144.1
ports:
- containerPort: 3003
volumeMounts:
- name: cache
mountPath: /cache
volumes:
- name: cache
persistentVolumeClaim:
claimName: immich-ml-cache
---
apiVersion: v1
kind: Service
metadata:
name: immich-machine-learning
namespace: immich
spec:
selector:
app: immich-machine-learning
ports:
- port: 3003
targetPort: 3003
---
# ─── Ingress / TLS ────────────────────────────────────────────────────────────
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: immich-tls
namespace: immich
spec:
secretName: immich-tls
issuerRef:
name: internal-ca-issuer
kind: ClusterIssuer
dnsNames:
- immich.home.arpa
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: immich
namespace: immich
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`immich.home.arpa`)
services:
- name: immich-server
namespace: immich
port: 2283
tls:
secretName: immich-tls
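Review bot: The header comment `# NOTE: Set the postgres password before first apply (see Secret below).` is stale: no Secret is defined in this file; the `immich-postgres` secret both `secretKeyRef`s point at is delivered by the SealedSecret added elsewhere in this commit, and that SealedSecret targets namespace `immich`, which this file creates. Replace it with something like `# NOTE: The immich-postgres Secret comes from the SealedSecret in <path to immich-postgres-sealed.yaml>; apply this file first (it creates the namespace), then the SealedSecret — the postgres and immich-server pods will not start until the Secret exists.` Separately, the `immich-postgres` and `immich-redis` Services are reachable from any pod in the cluster and Redis runs without authentication; a NetworkPolicy in the namespace restricting ingress to the `immich-server` and `immich-machine-learning` pods is the usual mitigation. None of the four containers declares resource requests/limits, readiness/liveness probes or a securityContext — at minimum a memory limit on the machine-learning Deployment would be worth adding before this is relied on.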


@ -79,6 +79,7 @@ dnsmasq:
- address=/auth.home.arpa/192.168.7.77 - address=/auth.home.arpa/192.168.7.77
- address=/traefik.home.arpa/192.168.7.77 - address=/traefik.home.arpa/192.168.7.77
- address=/photoview.home.arpa/192.168.7.77 - address=/photoview.home.arpa/192.168.7.77
- address=/immich.home.arpa/192.168.7.77
- address=/gitea.nik4nao.com/192.168.7.77 - address=/gitea.nik4nao.com/192.168.7.77
- address=/ha.home.arpa/192.168.7.77 - address=/ha.home.arpa/192.168.7.77
- address=/argocd.home.arpa/192.168.7.77 - address=/argocd.home.arpa/192.168.7.77