immich

This commit is contained in:
auricom
2023-01-04 22:17:06 +01:00
parent 58dd5ae706
commit 982440c4d3
20 changed files with 574 additions and 11 deletions

View File

@@ -77,12 +77,12 @@ identity_providers:
redirect_uris:
["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
userinfo_signing_algorithm: none
# - id: minio
# description: Minio
# secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}"
# public: false
# authorization_policy: two_factor
# pre_configured_consent_duration: 1y
# scopes: ["openid", "profile", "groups", "email"]
# redirect_uris: ["https://minio.${SECRET_CLUSTER_DOMAIN}/oauth_callback"]
# userinfo_signing_algorithm: none
- id: immich
description: Immich
secret: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
pre_configured_consent_duration: 1y
scopes: ["openid", "profile", "email"]
redirect_uris: ["https://photos.${SECRET_CLUSTER_DOMAIN}/auth/login", "app.immich:/"]
userinfo_signing_algorithm: none

View File

@@ -0,0 +1,24 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: immich-configmap
namespace: default
data:
DB_PORT: "5432"
DISABLE_REVERSE_GEOCODING: "true"
ENABLE_MAPBOX: "false"
LOG_LEVEL: verbose
NODE_ENV: "production"
REDIS_PORT: "6379"
REDIS_DBINDEX: "0"
IMMICH_WEB_URL: http://immich-web.default.svc.cluster.local:3000
IMMICH_SERVER_URL: http://immich-server.default.svc.cluster.local:3001
IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.default.svc.cluster.local:3003
# Below are deprecated and can only be set in the Immich Admin settings
# OAUTH_ENABLED: "true"
# OAUTH_ISSUER_URL: https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration
# OAUTH_CLIENT_ID: immich
# OAUTH_CLIENT_SECRET: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
# OAUTH_AUTO_REGISTER: "true"
# OAUTH_BUTTON_TEXT: "Login with Authelia"

View File

@@ -0,0 +1,15 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./configmap.yaml
- ./microservices
- ./machine-learning
- ./proxy
- ./redis
- ./secret.sops.yaml
- ./server
- ./volume.yaml
- ./web

View File

@@ -0,0 +1,61 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: immich-machine-learning
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
dependsOn:
- name: immich-server
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/immich-app/immich-machine-learning
tag: v1.40.1_63-dev
command: /bin/sh
args:
- ./entrypoint.sh
envFrom:
- secretRef:
name: immich-secret
- configMapRef:
name: immich-configmap
service:
main:
ports:
http:
port: 3003
persistence:
library:
enabled: true
existingClaim: immich-nfs
mountPath: /usr/src/app/upload
resources:
requests:
cpu: 100m
memory: 250Mi
limits:
memory: 2000Mi

View File

@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml

View File

@@ -0,0 +1,59 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: immich-microservices
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
dependsOn:
- name: immich-server
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/immich-app/immich-server
tag: v1.40.1_63-dev
command: /bin/sh
args:
- ./start-microservices.sh
envFrom:
- secretRef:
name: immich-secret
- configMapRef:
name: immich-configmap
service:
main:
enabled: false
persistence:
library:
enabled: true
existingClaim: immich-nfs
mountPath: /usr/src/app/upload
resources:
requests:
cpu: 100m
memory: 250Mi
limits:
memory: 2000Mi

View File

@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml

View File

@@ -0,0 +1,69 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: immich-proxy
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
dependsOn:
- name: immich-server
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/immich-app/immich-proxy
tag: v1.40.1_63-dev
envFrom:
- secretRef:
name: immich-secret
- configMapRef:
name: immich-configmap
service:
main:
ports:
http:
port: 8080
ingress:
main:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
hajimari.io/appName: "Immich"
hajimari.io/icon: heroicons:photo
hosts:
- host: &host photos.${SECRET_CLUSTER_DOMAIN}
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
resources:
requests:
cpu: 100m
memory: 250Mi
limits:
memory: 2000Mi

View File

@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml

View File

@@ -0,0 +1,52 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: immich-redis
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: public.ecr.aws/docker/library/redis
tag: 7.0.7
env:
REDIS_REPLICATION_MODE: master
envFrom:
- secretRef:
name: immich-secret
command: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
service:
main:
ports:
http:
port: 6379
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
memory: 100Mi

View File

@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml

View File

@@ -0,0 +1,42 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: immich-secret
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:M3l1uxCayw==,iv:Vr0yrJF/xDpqANJSg5VpU0RPxknE3N8HW5NPkZ+Ngko=,tag:5X9qYSGAMJ08DMOdpF/fgg==,type:comment]
DB_DATABASE_NAME: ENC[AES256_GCM,data:/1JmFMnq,iv:aycc8Tqv4h95ATSrtTp3uOKkJ7uJ3fF8P9rx99+F+jk=,tag:vgciF1KIzr6lIhbpsL4bwQ==,type:str]
DB_HOSTNAME: ENC[AES256_GCM,data:Tx7HFLwCYQjXN79Qu6+vKSIdR1Lxs397mV+Hi0XqlL0/vY5kAg==,iv:xVxuZuEeGdT9Ja7FzfWLFhz/dRxCGAk97893jPEPyzk=,tag:+wOzSIjORLrAKPYD+7vtPQ==,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:xGc/+0jUa2FcMKSFyjaxYia1ZnU=,iv:A0i5vPLMXLmqNicsQI6vrlOnR8lEJXOMomABnGMOLAQ=,tag:RXPncaj3YxgdK4UpOp2oCw==,type:str]
DB_USERNAME: ENC[AES256_GCM,data:usQAPAXx,iv:/dG1qJr2i1uwarjTn9RcxPt12DbY/gAO+rUdSDqeWNA=,tag:JM3zv0xI+rlX+1ju7kyVxw==,type:str]
JWT_SECRET: ENC[AES256_GCM,data:177xddBgbYp4B1xLlfHsGqm1SdW6W7S7Z53ExG3dYw==,iv:LAX2iW9hj/fX7n1g6yWAZOtZNH3xXMSXn9nFoffCkvU=,tag:76Kxh3v7pqazzDJDuVcpNQ==,type:str]
REDIS_HOSTNAME: ENC[AES256_GCM,data:MjZKUZTEBTLkPh3f4DoK2cbvg7dVhWse5EE4C8ptvGlvC/XP49Y=,iv:9QHpHezHlccOFOIUXiZd2iqJZO6Z7lHoDdlRtyW2f68=,tag:vGdhYsqS3aBLVVc7m7x8wA==,type:str]
REDIS_PASSWORD: ENC[AES256_GCM,data:KSzXwFU1lnpaRKusVjnUhuHTy68=,iv:qe4nhzMOXrSKxjI32tL8fcEqDU7pmzOaryJI4O2U1nc=,tag:2WXAsx/9u8ty8bl47txorA==,type:str]
#ENC[AES256_GCM,data:1+sGdHMiMe3clIg6KVo=,iv:II/LS19frtCXo/niP5/HPaVF6IcYr/FBqddAlKFytA0=,tag:IubpMI5HxdnxZB8mSezASA==,type:comment]
POSTGRES_DB: ENC[AES256_GCM,data:NMVSQmNi,iv:/5aMX5er4zqsOVidsnaArmBwRreVPLBE9hn5jNSDkso=,tag:vGJDIQgfCOqUOtYFtlL51w==,type:str]
POSTGRES_HOST: ENC[AES256_GCM,data:TpU9sKI32nQJ3pFnas9FjLXNlnAzX73heXQ7EwYVuur5AKQwdw==,iv:/SdWujct0FaDNMpUwk9ImuKDwDKL2oun8I6kPfU+P6s=,tag:LUqHoWf8wMkBM4sKri+5Ew==,type:str]
POSTGRES_PASS: ENC[AES256_GCM,data:xnX/vIBKWeIDaUUWnSVI7F3538Q=,iv:K59DXnnGxWbLAQKnzn4EEhY3nLKs6NJQv6qNpF/OwH8=,tag:L5mAlCeNh3J2GlG2udEspA==,type:str]
POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:mcsuRKRBTmB/mIlfRY0EGA==,iv:OVLvJemtTQINZ3MzsXUhJ/OJsWAP0iI5/jQDJpzmTug=,tag:MKnEYcpR9Qq7/mks67kQPw==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:G6pSju/U,iv:eVTKbpYCD7hv7y2zYKr6wv6Wsca4QmHwC1MZZmQ8aKA=,tag:17QhReyXRFeL7nULag++Bw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NVpnZE1xaXY3VmEwb24z
Z2lLQ1d4NzFUdWdUUWphUkVPK0ljRmMvSGpvCkhjT1pyOE94bXkwQkVpL0Ywa0tv
VmVhQzA4WEVqK0lxQUVzUTFidXVrL0UKLS0tIEtJSFNqbkVDZm9Mc3ZCbzJiOXov
MGN2VjZaRzhTM3JxeWlVelhvQUhlcTgKIQnk7XcpuK9ZWinZf9s/rYFAeFbF2yXX
+afSzOZKXq6ENcnTY/Or0A76wXVpYAJ3yaNsfFhXY0QQw/wwE14cMA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-04T21:16:40Z"
mac: ENC[AES256_GCM,data:mWyyhgs0zkHxwQzdGPQf+9uJB3H3GRDS0PcRfBt5J/cMQ3/UEHWBi07boxJoFZOyljW9wxFu4z0rt7Eo9FFJPRq0hddNbgRoEU17xoEn4BkzbKcvMmSsJLw0dLVHXvzm69sxAPwfWEB8+44Oan9xA78MUtNlHbZf/CpOW+WZ/ik=,iv:68cPaccLy2CqYxWvJ4EM+DT9VJMY2QH9NawyjveYiZg=,tag:Rjchcl/LqaDKAbEMPoVggQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

View File

@@ -0,0 +1,67 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: immich-server
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
dependsOn:
- name: immich-redis
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.6
envFrom:
- secretRef:
name: immich-secret
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/immich-app/immich-server
tag: v1.40.1_63-dev
command: /bin/sh
args:
- ./start-server.sh
envFrom:
- secretRef:
name: immich-secret
- configMapRef:
name: immich-configmap
service:
main:
ports:
http:
port: 3001
persistence:
library:
enabled: true
existingClaim: immich-nfs
mountPath: /usr/src/app/upload
resources:
requests:
cpu: 100m
memory: 250Mi
limits:
memory: 2000Mi

View File

@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml

View File

@@ -0,0 +1,33 @@
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: immich-nfs
spec:
storageClassName: immich-nfs
capacity:
storage: 1Mi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: ${LOCAL_LAN_TRUENAS}
path: /mnt/storage/apps/immich
mountOptions:
- nfsvers=4.2
- nconnect=8
- hard
- noatime
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: immich-nfs
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: immich-nfs
resources:
requests:
storage: 1Mi

View File

@@ -0,0 +1,61 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: immich-web
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
dependsOn:
- name: immich-server
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/immich-app/immich-web
tag: v1.40.1_63-dev
command: /bin/sh
args:
- ./entrypoint.sh
envFrom:
- secretRef:
name: immich-secret
- configMapRef:
name: immich-configmap
service:
main:
ports:
http:
port: 3000
persistence:
library:
enabled: true
existingClaim: immich-nfs
mountPath: /usr/src/app/upload
resources:
requests:
cpu: 100m
memory: 250Mi
limits:
memory: 2000Mi

View File

@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml

View File

@@ -0,0 +1,42 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: cluster-apps-immich-app
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-app
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/immich/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: immich-microservices
namespace: default
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: immich-proxy
namespace: default
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: immich-redis
namespace: default
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: immich-server
namespace: default
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: immich-web
namespace: default
interval: 30m
retryInterval: 1m
timeout: 5m

View File

@@ -20,6 +20,7 @@ resources:
- ./glauth/ks.yaml
- ./hajimari/ks.yaml
- ./home-assistant/ks.yaml
- ./immich/ks.yaml
- ./invidious/ks.yaml
- ./jellyfin/ks.yaml
- ./jellyseer/ks.yaml