From 982440c4d3bf46853bb83ebda8d99681b6b31c6a Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Wed, 4 Jan 2023 22:17:06 +0100 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20immich?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../authelia/app/config/configuration.yml | 18 ++--- .../apps/default/immich/app/configmap.yaml | 24 +++++++ .../default/immich/app/kustomization.yaml | 15 ++++ .../app/machine-learning/helmrelease.yaml | 61 ++++++++++++++++ .../app/machine-learning/kustomization.yaml | 6 ++ .../immich/app/microservices/helmrelease.yaml | 59 ++++++++++++++++ .../app/microservices/kustomization.yaml | 6 ++ .../default/immich/app/proxy/helmrelease.yaml | 69 +++++++++++++++++++ .../immich/app/proxy/kustomization.yaml | 6 ++ .../default/immich/app/redis/helmrelease.yaml | 52 ++++++++++++++ .../immich/app/redis/kustomization.yaml | 6 ++ .../apps/default/immich/app/secret.sops.yaml | 42 +++++++++++ .../immich/app/server/helmrelease.yaml | 67 ++++++++++++++++++ .../immich/app/server/kustomization.yaml | 6 ++ .../apps/default/immich/app/volume.yaml | 33 +++++++++ .../default/immich/app/web/helmrelease.yaml | 61 ++++++++++++++++ .../default/immich/app/web/kustomization.yaml | 6 ++ kubernetes/apps/default/immich/ks.yaml | 42 +++++++++++ kubernetes/apps/default/kustomization.yaml | 1 + .../flux/vars/cluster-secrets.sops.yaml | 5 +- 20 files changed, 574 insertions(+), 11 deletions(-) create mode 100644 kubernetes/apps/default/immich/app/configmap.yaml create mode 100644 kubernetes/apps/default/immich/app/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/app/machine-learning/helmrelease.yaml create mode 100644 kubernetes/apps/default/immich/app/machine-learning/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/app/microservices/helmrelease.yaml create mode 100644 kubernetes/apps/default/immich/app/microservices/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/app/proxy/helmrelease.yaml create mode 100644 
kubernetes/apps/default/immich/app/proxy/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/app/redis/helmrelease.yaml create mode 100644 kubernetes/apps/default/immich/app/redis/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/app/secret.sops.yaml create mode 100644 kubernetes/apps/default/immich/app/server/helmrelease.yaml create mode 100644 kubernetes/apps/default/immich/app/server/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/app/volume.yaml create mode 100644 kubernetes/apps/default/immich/app/web/helmrelease.yaml create mode 100644 kubernetes/apps/default/immich/app/web/kustomization.yaml create mode 100644 kubernetes/apps/default/immich/ks.yaml diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yml b/kubernetes/apps/default/authelia/app/config/configuration.yml index 4a479b3ff..0d6cb993c 100644 --- a/kubernetes/apps/default/authelia/app/config/configuration.yml +++ b/kubernetes/apps/default/authelia/app/config/configuration.yml @@ -77,12 +77,12 @@ identity_providers: redirect_uris: ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"] userinfo_signing_algorithm: none - # - id: minio - # description: Minio - # secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}" - # public: false - # authorization_policy: two_factor - # pre_configured_consent_duration: 1y - # scopes: ["openid", "profile", "groups", "email"] - # redirect_uris: ["https://minio.${SECRET_CLUSTER_DOMAIN}/oauth_callback"] - # userinfo_signing_algorithm: none + - id: immich + description: Immich + secret: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}" + public: false + authorization_policy: two_factor + pre_configured_consent_duration: 1y + scopes: ["openid", "profile", "email"] + redirect_uris: ["https://photos.${SECRET_CLUSTER_DOMAIN}/auth/login", "app.immich:/"] + userinfo_signing_algorithm: none 
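Review bot: The `app.immich:/` entry in `redirect_uris` of the new `immich` client is a custom-scheme callback, which the operating system does not bind to a single app, and it is paired with `pre_configured_consent_duration: 1y`, so a remembered consent can complete the flow without a prompt for a year. I would shorten or drop the remembered consent for this client, e.g. `pre_configured_consent_duration: 1w`, and document the URI with a comment such as `# app.immich:/ = Immich mobile app callback (custom scheme)`. If the Authelia version deployed here can require PKCE for this client, enabling it limits what an intercepted authorization code is worth. The client list and the provider-level settings start outside the hunk, so whether PKCE is already enforced cannot be seen here.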
diff --git a/kubernetes/apps/default/immich/app/configmap.yaml b/kubernetes/apps/default/immich/app/configmap.yaml
new file mode 100644
index 000000000..62eb935d2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/configmap.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: immich-configmap
+ namespace: default
+data:
+ DB_PORT: "5432"
+ DISABLE_REVERSE_GEOCODING: "true"
+ ENABLE_MAPBOX: "false"
+ LOG_LEVEL: verbose
+ NODE_ENV: "production"
+ REDIS_PORT: "6379"
+ REDIS_DBINDEX: "0"
+ IMMICH_WEB_URL: http://immich-web.default.svc.cluster.local:3000
+ IMMICH_SERVER_URL: http://immich-server.default.svc.cluster.local:3001
+ IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.default.svc.cluster.local:3003
+ # Below are deprecated and can only be set in the Immich Admin settings
+ # OAUTH_ENABLED: "true"
+ # OAUTH_ISSUER_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration
+ # OAUTH_CLIENT_ID: immich
+ # OAUTH_CLIENT_SECRET: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
+ # OAUTH_AUTO_REGISTER: "true"
+ # OAUTH_BUTTON_TEXT: "Login with Authelia"
diff --git a/kubernetes/apps/default/immich/app/kustomization.yaml b/kubernetes/apps/default/immich/app/kustomization.yaml
new file mode 100644
index 000000000..ea845c6a3
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - ./configmap.yaml
+ - ./microservices
+ - ./machine-learning
+ - ./proxy
+ - ./redis
+ - ./secret.sops.yaml
+ - ./server
+ - ./volume.yaml
+ - ./web
diff --git a/kubernetes/apps/default/immich/app/machine-learning/helmrelease.yaml b/kubernetes/apps/default/immich/app/machine-learning/helmrelease.yaml
new file mode 100644
index 000000000..a037f62e7
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/machine-learning/helmrelease.yaml
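Review bot: `LOG_LEVEL: verbose` in configmap.yaml ships together with `NODE_ENV: "production"`, and verbose application logs usually carry more request and user detail than should be retained long term; if this is only for bring-up, a comment such as `# TODO: lower after initial rollout` would make that explicit. The commented `# OAUTH_CLIENT_SECRET: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"` line is also a trap: if it is ever re-enabled, Flux substitution would write the client secret into a plain ConfigMap. I would delete the commented OAUTH block or add `# if re-enabled, OAUTH_CLIENT_SECRET belongs in immich-secret, not here`.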
@@ -0,0 +1,61 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich-machine-learning
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ dependsOn:
+ - name: immich-server
+ values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: ghcr.io/immich-app/immich-machine-learning
+ tag: v1.40.1_63-dev
+ command: /bin/sh
+ args:
+ - ./entrypoint.sh
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ - configMapRef:
+ name: immich-configmap
+ service:
+ main:
+ ports:
+ http:
+ port: 3003
+ persistence:
+ library:
+ enabled: true
+ existingClaim: immich-nfs
+ mountPath: /usr/src/app/upload
+ resources:
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ limits:
+ memory: 2000Mi
diff --git a/kubernetes/apps/default/immich/app/machine-learning/kustomization.yaml b/kubernetes/apps/default/immich/app/machine-learning/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/machine-learning/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/immich/app/microservices/helmrelease.yaml b/kubernetes/apps/default/immich/app/microservices/helmrelease.yaml
new file mode 100644
index 000000000..9d628e895
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/microservices/helmrelease.yaml
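Review bot: The `envFrom` / `secretRef: immich-secret` entry in machine-learning/helmrelease.yaml injects every key of the shared Secret into this container, and secret.sops.yaml in this same patch shows that Secret also carries `POSTGRES_SUPER_PASS`, `DB_PASSWORD` and `JWT_SECRET`. The identical `envFrom` is repeated in the microservices, proxy, redis, server and web releases, so a compromise of any one of those pods exposes the Postgres superuser password, which by the look of it only the `init-db` init container in the server release needs. I would split the Secret into an init-only one for the `POSTGRES_*` keys plus the application keys, and give each release only what it reads (redis, for instance, uses `REDIS_PASSWORD` alone).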
@@ -0,0 +1,59 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich-microservices
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ dependsOn:
+ - name: immich-server
+ values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: ghcr.io/immich-app/immich-server
+ tag: v1.40.1_63-dev
+ command: /bin/sh
+ args:
+ - ./start-microservices.sh
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ - configMapRef:
+ name: immich-configmap
+ service:
+ main:
+ enabled: false
+ persistence:
+ library:
+ enabled: true
+ existingClaim: immich-nfs
+ mountPath: /usr/src/app/upload
+ resources:
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ limits:
+ memory: 2000Mi
diff --git a/kubernetes/apps/default/immich/app/microservices/kustomization.yaml b/kubernetes/apps/default/immich/app/microservices/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/microservices/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/immich/app/proxy/helmrelease.yaml b/kubernetes/apps/default/immich/app/proxy/helmrelease.yaml
new file mode 100644
index 000000000..5a03854db
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/proxy/helmrelease.yaml
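Review bot: `tag: v1.40.1_63-dev` in microservices/helmrelease.yaml pins the image by tag only, and a tag can be re-pointed in the registry after this change was reviewed. The same holds for the other immich images in this patch, for `redis` at `7.0.7`, and for the `ghcr.io/onedr0p/postgres-initdb:14.6` init container in the server release, which runs with the database superuser credentials. Appending the digest, `tag: v1.40.1_63-dev@sha256:<digest>`, keeps what Flux deploys identical to what was reviewed.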
@@ -0,0 +1,69 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich-proxy
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ dependsOn:
+ - name: immich-server
+ values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: ghcr.io/immich-app/immich-proxy
+ tag: v1.40.1_63-dev
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ - configMapRef:
+ name: immich-configmap
+ service:
+ main:
+ ports:
+ http:
+ port: 8080
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ hajimari.io/appName: "Immich"
+ hajimari.io/icon: heroicons:photo
+ hosts:
+ - host: &host photos.${SECRET_CLUSTER_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ resources:
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ limits:
+ memory: 2000Mi
diff --git a/kubernetes/apps/default/immich/app/proxy/kustomization.yaml b/kubernetes/apps/default/immich/app/proxy/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/proxy/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/immich/app/redis/helmrelease.yaml b/kubernetes/apps/default/immich/app/redis/helmrelease.yaml
new file mode 100644
index 000000000..9ef808767
--- /dev/null
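Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: "0"` on the `photos.${SECRET_CLUSTER_DOMAIN}` ingress in proxy/helmrelease.yaml removes the request-body limit for every path on the host, so the ingress will buffer or forward bodies of any size from any client that can reach it. A finite cap sized to the largest expected upload, `nginx.ingress.kubernetes.io/proxy-body-size: "<max-upload-size>"`, keeps large video uploads working while bounding that exposure. How far an unauthenticated request gets before Immich rejects it is not visible from this hunk, so the limit at the ingress is the one control that is certain to apply.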
+++ b/kubernetes/apps/default/immich/app/redis/helmrelease.yaml
@@ -0,0 +1,52 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich-redis
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: public.ecr.aws/docker/library/redis
+ tag: 7.0.7
+ env:
+ REDIS_REPLICATION_MODE: master
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
+ service:
+ main:
+ ports:
+ http:
+ port: 6379
+ resources:
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ limits:
+ memory: 100Mi
diff --git a/kubernetes/apps/default/immich/app/redis/kustomization.yaml b/kubernetes/apps/default/immich/app/redis/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/redis/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/immich/app/secret.sops.yaml b/kubernetes/apps/default/immich/app/secret.sops.yaml
new file mode 100644
index 000000000..d8b36e37d
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/secret.sops.yaml
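Review bot: `command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]` in redis/helmrelease.yaml has the kubelet expand the password into the process arguments, where it is readable from the process list on the node and by any tooling that records container command lines. Redis can read `requirepass` from a configuration file, so mounting a small config from the Secret and starting `redis-server` with that file keeps the value out of argv. Separately, `REDIS_REPLICATION_MODE: master` looks like a variable from a different Redis image and is presumably ignored by the official one; if so it can be removed.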
@@ -0,0 +1,42 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: immich-secret + namespace: default +type: Opaque +stringData: + #ENC[AES256_GCM,data:M3l1uxCayw==,iv:Vr0yrJF/xDpqANJSg5VpU0RPxknE3N8HW5NPkZ+Ngko=,tag:5X9qYSGAMJ08DMOdpF/fgg==,type:comment] + DB_DATABASE_NAME: ENC[AES256_GCM,data:/1JmFMnq,iv:aycc8Tqv4h95ATSrtTp3uOKkJ7uJ3fF8P9rx99+F+jk=,tag:vgciF1KIzr6lIhbpsL4bwQ==,type:str] + DB_HOSTNAME: ENC[AES256_GCM,data:Tx7HFLwCYQjXN79Qu6+vKSIdR1Lxs397mV+Hi0XqlL0/vY5kAg==,iv:xVxuZuEeGdT9Ja7FzfWLFhz/dRxCGAk97893jPEPyzk=,tag:+wOzSIjORLrAKPYD+7vtPQ==,type:str] + DB_PASSWORD: ENC[AES256_GCM,data:xGc/+0jUa2FcMKSFyjaxYia1ZnU=,iv:A0i5vPLMXLmqNicsQI6vrlOnR8lEJXOMomABnGMOLAQ=,tag:RXPncaj3YxgdK4UpOp2oCw==,type:str] + DB_USERNAME: ENC[AES256_GCM,data:usQAPAXx,iv:/dG1qJr2i1uwarjTn9RcxPt12DbY/gAO+rUdSDqeWNA=,tag:JM3zv0xI+rlX+1ju7kyVxw==,type:str] + JWT_SECRET: ENC[AES256_GCM,data:177xddBgbYp4B1xLlfHsGqm1SdW6W7S7Z53ExG3dYw==,iv:LAX2iW9hj/fX7n1g6yWAZOtZNH3xXMSXn9nFoffCkvU=,tag:76Kxh3v7pqazzDJDuVcpNQ==,type:str] + REDIS_HOSTNAME: ENC[AES256_GCM,data:MjZKUZTEBTLkPh3f4DoK2cbvg7dVhWse5EE4C8ptvGlvC/XP49Y=,iv:9QHpHezHlccOFOIUXiZd2iqJZO6Z7lHoDdlRtyW2f68=,tag:vGdhYsqS3aBLVVc7m7x8wA==,type:str] + REDIS_PASSWORD: ENC[AES256_GCM,data:KSzXwFU1lnpaRKusVjnUhuHTy68=,iv:qe4nhzMOXrSKxjI32tL8fcEqDU7pmzOaryJI4O2U1nc=,tag:2WXAsx/9u8ty8bl47txorA==,type:str] + #ENC[AES256_GCM,data:1+sGdHMiMe3clIg6KVo=,iv:II/LS19frtCXo/niP5/HPaVF6IcYr/FBqddAlKFytA0=,tag:IubpMI5HxdnxZB8mSezASA==,type:comment] + POSTGRES_DB: ENC[AES256_GCM,data:NMVSQmNi,iv:/5aMX5er4zqsOVidsnaArmBwRreVPLBE9hn5jNSDkso=,tag:vGJDIQgfCOqUOtYFtlL51w==,type:str] + POSTGRES_HOST: ENC[AES256_GCM,data:TpU9sKI32nQJ3pFnas9FjLXNlnAzX73heXQ7EwYVuur5AKQwdw==,iv:/SdWujct0FaDNMpUwk9ImuKDwDKL2oun8I6kPfU+P6s=,tag:LUqHoWf8wMkBM4sKri+5Ew==,type:str] + POSTGRES_PASS: ENC[AES256_GCM,data:xnX/vIBKWeIDaUUWnSVI7F3538Q=,iv:K59DXnnGxWbLAQKnzn4EEhY3nLKs6NJQv6qNpF/OwH8=,tag:L5mAlCeNh3J2GlG2udEspA==,type:str] + POSTGRES_SUPER_PASS: 
ENC[AES256_GCM,data:mcsuRKRBTmB/mIlfRY0EGA==,iv:OVLvJemtTQINZ3MzsXUhJ/OJsWAP0iI5/jQDJpzmTug=,tag:MKnEYcpR9Qq7/mks67kQPw==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:G6pSju/U,iv:eVTKbpYCD7hv7y2zYKr6wv6Wsca4QmHwC1MZZmQ8aKA=,tag:17QhReyXRFeL7nULag++Bw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NVpnZE1xaXY3VmEwb24z + Z2lLQ1d4NzFUdWdUUWphUkVPK0ljRmMvSGpvCkhjT1pyOE94bXkwQkVpL0Ywa0tv + VmVhQzA4WEVqK0lxQUVzUTFidXVrL0UKLS0tIEtJSFNqbkVDZm9Mc3ZCbzJiOXov + MGN2VjZaRzhTM3JxeWlVelhvQUhlcTgKIQnk7XcpuK9ZWinZf9s/rYFAeFbF2yXX + +afSzOZKXq6ENcnTY/Or0A76wXVpYAJ3yaNsfFhXY0QQw/wwE14cMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-01-04T21:16:40Z" + mac: ENC[AES256_GCM,data:mWyyhgs0zkHxwQzdGPQf+9uJB3H3GRDS0PcRfBt5J/cMQ3/UEHWBi07boxJoFZOyljW9wxFu4z0rt7Eo9FFJPRq0hddNbgRoEU17xoEn4BkzbKcvMmSsJLw0dLVHXvzm69sxAPwfWEB8+44Oan9xA78MUtNlHbZf/CpOW+WZ/ik=,iv:68cPaccLy2CqYxWvJ4EM+DT9VJMY2QH9NawyjveYiZg=,tag:Rjchcl/LqaDKAbEMPoVggQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/kubernetes/apps/default/immich/app/server/helmrelease.yaml b/kubernetes/apps/default/immich/app/server/helmrelease.yaml new file mode 100644 index 000000000..1cc9cf874 --- /dev/null +++ b/kubernetes/apps/default/immich/app/server/helmrelease.yaml 
@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich-server
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ dependsOn:
+ - name: immich-redis
+ values:
+ initContainers:
+ init-db:
+ image: ghcr.io/onedr0p/postgres-initdb:14.6
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: ghcr.io/immich-app/immich-server
+ tag: v1.40.1_63-dev
+ command: /bin/sh
+ args:
+ - ./start-server.sh
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ - configMapRef:
+ name: immich-configmap
+ service:
+ main:
+ ports:
+ http:
+ port: 3001
+ persistence:
+ library:
+ enabled: true
+ existingClaim: immich-nfs
+ mountPath: /usr/src/app/upload
+ resources:
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ limits:
+ memory: 2000Mi
diff --git a/kubernetes/apps/default/immich/app/server/kustomization.yaml b/kubernetes/apps/default/immich/app/server/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/server/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/immich/app/volume.yaml b/kubernetes/apps/default/immich/app/volume.yaml
new file mode 100644
index 000000000..cd6a58ece
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/volume.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: immich-nfs
+spec:
+ storageClassName: immich-nfs
+ capacity:
+ storage: 1Mi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ nfs:
+ server: ${LOCAL_LAN_TRUENAS}
+ path: /mnt/storage/apps/immich
+ mountOptions:
+ - nfsvers=4.2
+ - nconnect=8
+ - hard
+ - noatime
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: immich-nfs
+ namespace: default
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: immich-nfs
+ resources:
+ requests:
+ storage: 1Mi
diff --git a/kubernetes/apps/default/immich/app/web/helmrelease.yaml b/kubernetes/apps/default/immich/app/web/helmrelease.yaml
new file mode 100644
index 000000000..e29d8dbc2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/web/helmrelease.yaml
@@ -0,0 +1,61 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: immich-web
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 3
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ dependsOn:
+ - name: immich-server
+ values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: ghcr.io/immich-app/immich-web
+ tag: v1.40.1_63-dev
+ command: /bin/sh
+ args:
+ - ./entrypoint.sh
+ envFrom:
+ - secretRef:
+ name: immich-secret
+ - configMapRef:
+ name: immich-configmap
+ service:
+ main:
+ ports:
+ http:
+ port: 3000
+ persistence:
+ library:
+ enabled: true
+ existingClaim: immich-nfs
+ mountPath: /usr/src/app/upload
+ resources:
+ requests:
+ cpu: 100m
+ memory: 250Mi
+ limits:
+ memory: 2000Mi
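Review bot: The `persistence.library` entry in web/helmrelease.yaml mounts the `immich-nfs` claim read-write at `/usr/src/app/upload` in the web front-end, which presumably never needs to write the photo library (worth confirming against the upstream compose file). Every extra read-write mount of the library widens what a compromised container can alter or delete, and the same entry is repeated in the machine-learning release, where read access may be enough. I would drop the `persistence` block from the web release if it is unused, or otherwise add `readOnly: true` under `library:` for the releases that only read.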
diff --git a/kubernetes/apps/default/immich/app/web/kustomization.yaml b/kubernetes/apps/default/immich/app/web/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/default/immich/app/web/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/immich/ks.yaml b/kubernetes/apps/default/immich/ks.yaml
new file mode 100644
index 000000000..b0c482f9e
--- /dev/null
+++ b/kubernetes/apps/default/immich/ks.yaml
@@ -0,0 +1,42 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: cluster-apps-immich-app
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ dependsOn:
+ - name: cluster-apps-cloudnative-pg-app
+ - name: cluster-apps-volsync-app
+ path: ./kubernetes/apps/default/immich/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: immich-microservices
+ namespace: default
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: immich-proxy
+ namespace: default
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: immich-redis
+ namespace: default
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: immich-server
+ namespace: default
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: immich-web
+ namespace: default
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index 09d0f0004..481736374 100644
--- a/kubernetes/apps/default/kustomization.yaml
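Review bot: The `healthChecks` list in ks.yaml names the microservices, proxy, redis, server and web releases but not `immich-machine-learning`, although the app kustomization in this patch deploys it, so the Flux Kustomization can report Ready while that release is failing. Adding the matching entry closes the gap. The `dependsOn` on `cluster-apps-volsync-app` also looks unused, since nothing in this patch references volsync; if that is intentional for a later change, a short comment would say so.

```yaml
# … unchanged: existing healthChecks entries …
    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
      kind: HelmRelease
      name: immich-machine-learning
      namespace: default
```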
+++ b/kubernetes/apps/default/kustomization.yaml @@ -20,6 +20,7 @@ resources: - ./glauth/ks.yaml - ./hajimari/ks.yaml - ./home-assistant/ks.yaml + - ./immich/ks.yaml - ./invidious/ks.yaml - ./jellyfin/ks.yaml - ./jellyseer/ks.yaml diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml index 1664569d1..236a3b25e 100644 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml +++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml @@ -19,6 +19,7 @@ stringData: SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str] SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str] SECRET_INVIDIOUS_DB_USER: ENC[AES256_GCM,data:snjA33syqy4X,iv:OF8LJSTdcIGgwAJPmS0HdCz0adsTuTwZ5zfuvJrA7fs=,tag:E4EnsKWITN4l6qnuxZ3A5g==,type:str] + SECRET_IMMICH_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:+MEpqgBm2kK0qOq0jl/BDKEUYB4=,iv:VDU2Dggxb/qoEoDcjNrk3O5gCprEMAdRvyW/DivTo9w=,tag:Dse5KTLDLduVGT0LSIBjVA==,type:str] SECRET_INVIDIOUS_DB_PASSWORD: ENC[AES256_GCM,data:jmHWk/hXAb9E97CEa4w=,iv:RYnGwoCy+RyVDdKVOXWFWPB/dqF2vPlx7ofRApEAsMg=,tag:nEydKLEw6mHJetEVa+NFzQ==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str] 
@@ -49,8 +50,8 @@ sops: WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-23T01:26:12Z" - mac: ENC[AES256_GCM,data:wYR8nXe5A7BePH7ttqp2YPyBthbJM892U5qZjvpVqo+vAbxYLZn/H3aDWAeUmM9rSQi8c4wR8UtDk7GTxUiMkdRYS267r2Jxcns0Z0sLq7D3YdL4zlW7TkDuo6zaknVOuePgSr9SYl/Z9y2ryk/BhRF9UjAASqnAEWtOKTqqs6I=,iv:LNqr+JPdywz/Z0wNhgKSAHJu4wMm+MykbFAzNoBNhec=,tag:kaltioo8R0HOhSYGmH1jww==,type:str] + lastmodified: "2023-01-04T21:05:24Z" + mac: ENC[AES256_GCM,data:VHzTdW9QXGKGFLrQMR64JS70ZTXl9S4niI8FjNEa2cv9oxEVJHaqZ0le8SRmBp8BtV3mflwGGEGd+JJhzywHwnGBFCuF7eGcXCH0H2cKM6qkzKxPqHicWHJpStzU3OSMSPg0AoENW4LSKI87sSPISq/A40lOqk0y36R9TpPzcJc=,iv:BhMJZ6Wu4dOlRqvLlilPCHkTr2tVKr3NJJ1Zgke+1tg=,tag:QtY5jCfls2xswFc6LeBf5w==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3