From 41020f8c79aa5168579611263faa1d908d538292 Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Sun, 27 Jul 2025 20:47:17 +0200
Subject: [PATCH] install immich

---
 apps/immich/ingress.yaml | 26 +++++++++++++
 apps/immich/kustomization.yaml | 4 +-
 apps/immich/postgres-cluster.yaml | 20 +++++++++-
 apps/immich/postgres-password.yaml | 38 +++++++++++++++++++
 apps/immich/release.yaml | 61 ++++++++++++++++++++++--------
 vault/kubernetes-roles/immich.yaml | 6 +++
 vault/policy/immich.hcl | 4 ++
 7 files changed, 142 insertions(+), 17 deletions(-)
 create mode 100644 apps/immich/ingress.yaml
 create mode 100644 apps/immich/postgres-password.yaml
 create mode 100644 vault/kubernetes-roles/immich.yaml
 create mode 100644 vault/policy/immich.hcl

diff --git a/apps/immich/ingress.yaml b/apps/immich/ingress.yaml
new file mode 100644
index 0000000..4aed358
--- /dev/null
+++ b/apps/immich/ingress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ namespace: immich
+ name: immich
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.org/client-max-body-size: "0"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: immich.lumpiasty.xyz
+ http:
+ paths:
+ - backend:
+ service:
+ name: immich-server
+ port:
+ number: 2283
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - immich.lumpiasty.xyz
+ secretName: immich-ingress
diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml
index c3a63f7..2df4638 100644
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -4,5 +4,7 @@ resources:
 - namespace.yaml
 - volume.yaml
 - redis.yaml
+ - postgres-password.yaml
 - postgres-cluster.yaml
- # - release.yaml
+ - release.yaml
+ - ingress.yaml
diff --git a/apps/immich/postgres-cluster.yaml b/apps/immich/postgres-cluster.yaml
index d49dff5..5830916 100644
--- a/apps/immich/postgres-cluster.yaml
+++ b/apps/immich/postgres-cluster.yaml
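Review bot: The body-size override `nginx.org/client-max-body-size: "0"` is an annotation of the NGINX Inc. ingress controller; if the `nginx` class on this cluster is served by the community ingress-nginx controller instead, the key is ignored and that controller's default 1m request-body limit stays in force, which would break Immich uploads without any error in the manifest. The equivalent key for ingress-nginx is `nginx.ingress.kubernetes.io/proxy-body-size: "0"`; whichever controller is installed, a comment next to the annotation naming it (e.g. `# nginx.org/* annotations: NGINX Inc. controller, not ingress-nginx`) would keep this from being silently dropped later. A value of 0 also removes the size limit entirely at the edge, so any request-size control has to come from Immich itself.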
@@ -2,7 +2,7 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
- name: immich-postgres
+ name: immich-db
 namespace: immich
 spec:
 imageName: ghcr.io/tensorchord/cloudnative-vectorchord:14-0.4.3
@@ -12,3 +12,21 @@ spec:
 storage:
 size: 10Gi
 storageClass: mayastor-single-hdd
+ bootstrap:
+ initdb:
+ # Defaults of immich chart
+ database: immich
+ owner: immich
+
+ # We need to create custom role because default one does not allow to set up
+ # vectorchord extension
+ managed:
+ roles:
+ - name: immich
+ createdb: true
+ login: true
+ superuser: true
+ # We need to manually create secret
+ # https://github.com/cloudnative-pg/cloudnative-pg/issues/3788
+ passwordSecret:
+ name: immich-db-immich
diff --git a/apps/immich/postgres-password.yaml b/apps/immich/postgres-password.yaml
new file mode 100644
index 0000000..d225b61
--- /dev/null
+++ b/apps/immich/postgres-password.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: immich-password
+ namespace: immich
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: immich
+ namespace: immich
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: immich
+ serviceAccount: immich-password
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: immich-db
+ namespace: immich
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: immich-db
+
+ destination:
+ create: true
+ name: immich-db-immich
+ type: kubernetes.io/basic-auth
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: immich
diff --git a/apps/immich/release.yaml b/apps/immich/release.yaml
index 947c6d1..920904a 100644
--- a/apps/immich/release.yaml
+++ b/apps/immich/release.yaml
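Review bot: `superuser: true` on the managed `immich` role turns the application's database credential into a cluster superuser, so a compromised Immich server would have unrestricted access to every database in this CNPG cluster rather than only `immich`. The comment says the flag exists only so the vectorchord extension can be installed; that can instead be done once at bootstrap by the `postgres` superuser, e.g. `postInitApplicationSQL:` / `- CREATE EXTENSION IF NOT EXISTS vchord CASCADE;` under `bootstrap.initdb`, after which the role can be reduced to `createdb: true` and `login: true` (the extension also needs `vchord.so` in `shared_preload_libraries`, which is not visible in this hunk). If the Immich version in use still refuses to start without superuser, keep the flag but extend the comment to record that trade-off explicitly so it is revisited when Immich no longer needs it.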
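Review bot: The `VaultStaticSecret` copies whatever keys exist under `secret/immich-db` into a `kubernetes.io/basic-auth` secret, but nothing in the file records that the KV entry must contain exactly `username` and `password` — CNPG's `passwordSecret` consumer in postgres-cluster.yaml and the `usernameKey`/`passwordKey` values in release.yaml both depend on those names, and CNPG expects the `username` value to match the managed role name `immich`. A comment on the spec such as `# KV entry must hold keys username (= managed role name) and password; CNPG reads it as basic-auth` would make the coupling visible. `excludeRaw: true` is the right choice here, as it keeps the full Vault response out of the Kubernetes secret.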
@@ -2,12 +2,11 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
- name: immich
+ name: secustor
 namespace: immich
 spec:
 interval: 24h
- type: "oci"
- url: oci://ghcr.io/immich-app/immich-charts
+ url: https://secustor.dev/helm-charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
@@ -19,21 +18,53 @@ spec:
 chart:
 spec:
 chart: immich
- version: 0.9.3
+ version: 0.6.8
 sourceRef:
 kind: HelmRepository
- name: immich
+ name: secustor
 values:
- immich:
- persistence:
- library:
- existingClaim: library
+ common:
+ config:
+ vecotrExtension: vectorchord
+ postgres:
+ host: immich-db-rw
+ existingSecret:
+ enabled: true
+ secretName: immich-db-immich
+ usernameKey: username
+ passwordKey: password
+ redis:
+ host: redis-master
+ existingSecret:
+ enabled: true
+ secretName: redis
+ passwordKey: redis-password
- redis:
+ server:
+ volumeMounts:
+ - mountPath: /usr/src/app/upload
+ name: uploads
+ volumes:
+ - name: uploads
+ persistentVolumeClaim:
+ claimName: library
+
+ machineLearning:
 enabled: true
- postgresql:
- global:
- postgresql:
- auth:
- existingSecret:
+ ingress:
+ # Ingress definition is broken in chart (reference to wrong port value)
+ # Supplying our own separate ingress.yaml
+ enabled: false
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ hosts:
+ - host: immich.lumpiasty.xyz
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - immich.lumpiasty.xyz
+ secretName: immich-ingress
diff --git a/vault/kubernetes-roles/immich.yaml b/vault/kubernetes-roles/immich.yaml
new file mode 100644
index 0000000..2b51a92
--- /dev/null
+++ b/vault/kubernetes-roles/immich.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+ - immich-password
+bound_service_account_namespaces:
+ - immich
+token_policies:
+ - immich
diff --git a/vault/policy/immich.hcl b/vault/policy/immich.hcl
new file mode 100644
index 0000000..cdc0b5d
--- /dev/null
+++ b/vault/policy/immich.hcl
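Review bot: `vecotrExtension: vectorchord` under `common.config` looks misspelled, and Helm does not reject unknown value keys, so the chart would silently fall back to its default extension setting instead of vectorchord; the key should read `vectorExtension: vectorchord` (confirm against the chart's values.yaml for version 0.6.8). Because the cluster image and the managed role in postgres-cluster.yaml are both prepared for vectorchord, the mismatch would only surface as a failure at Immich startup. Separately, the `ingress:` block keeps a full host, annotation and TLS configuration under `enabled: false`; trimming it to `enabled: false` plus the existing comment avoids a second copy of the host and secret names that can drift from ingress.yaml. The HelmRelease spec begins before this hunk.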
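Review bot: The role is bound to a single service account and namespace, which is the right scope, but it sets no `token_ttl` or `token_max_ttl`, so tokens issued to the secrets operator inherit the kubernetes auth mount's defaults, which may be far longer than one KV read needs. Adding, for example, `token_ttl: 1h` and `token_max_ttl: 24h` (tuned to the VaultStaticSecret refresh interval) keeps the credential short-lived. I cannot tell from the patch how these role files are applied to Vault, so the exact key names should be checked against that tooling.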
@@ -0,0 +1,4 @@
+
+path "secret/data/immich-db" {
+ capabilities = ["read"]
+}
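Review bot: The policy file opens with an empty line and carries no comment naming its consumer; replacing that blank line with `# Read-only access for the immich VaultStaticSecret (kubernetes auth role: immich)` makes the mapping between policy, auth role and KV path reviewable at a glance. The single `read` capability on `secret/data/immich-db` is appropriately narrow, and a kv-v2 read by the secrets operator should not need `secret/metadata/immich-db`, so nothing further should be added.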