diff --git a/apps/immich/cluster.yaml b/apps/immich/cluster.yaml
deleted file mode 100644
index 707dcd8..0000000
--- a/apps/immich/cluster.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: immich-cluster -spec: - imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0 - instances: 1 - storage: - size: 4Gi - - postgresql: - shared_preload_libraries: - "vchord.so" ---apiVersion: postgresql.cnpg.io/v1 -kind: Database -metadata: - name: immich -spec: - name: immich - owner: immich - cluster: - name: immich-cluster - extensions: - - name: vector - ensure: present - - name: vchord - ensure: present - - name: earthdistance - ensure: present
diff --git a/apps/immich/database.yaml b/apps/immich/database.yaml
new file mode 100644
index 0000000..c4511bf
--- /dev/null
+++ b/apps/immich/database.yaml
@@ -0,0 +1,34 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: immich
+ namespace: postgres
+spec:
+ name: immich
+ owner: immich
+ cluster:
+ name: postgres-cluster
+ extensions:
+ - name: vector
+ ensure: present
+ - name: vchord
+ ensure: present
+ - name: cube
+ ensure: present
+ - name: earthdistance
+ ensure: present
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: postgres-immich
+spec:
+ secretName: postgres-immich
+ usages:
+ - client auth
+ # same as pg user
+ commonName: immich
+ issuerRef:
+ name: postgres-ca
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml
index b711900..662ddb0 100644
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
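Review bot: The `postgres-immich` Certificate in database.yaml is a long-lived client credential (`usages: client auth`, CN `immich`) but sets no `privateKey.rotationPolicy`, so unless your cert-manager release already defaults to `Always`, each renewal keeps the existing private key and only reissues the certificate; add `privateKey:` / `  rotationPolicy: Always` under `spec` so a renewal rotates the key too. The Certificate also carries no `metadata.namespace`, unlike the Database above it, which pins `postgres`; it is presumably meant for the immich namespace where values.yaml mounts it as `persistence.pg`, which only holds if the Kustomization sets that namespace. A comment such as `# client cert for cert-based pg_hba auth; CN must equal the role name in apps/postgres/cluster.yaml` next to `commonName` would make that cross-file coupling explicit.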
@@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 helmCharts:
-- repo: oci://ghcr.io/immich-app/immich-charts
- name: immich
- releaseName: immich
- version: 0.9.3
- valuesFile: values.yaml
+ - repo: oci://ghcr.io/immich-app/immich-charts
+ name: immich
+ releaseName: immich
+ namespace: immich
+ version: 0.9.3
+ valuesFile: values.yaml
 resources:
-- pvc.yaml
-- cluster.yaml
+ - pvc.yaml
+ - database.yaml
+ - oidc.yaml
diff --git a/apps/immich/oidc.yaml b/apps/immich/oidc.yaml
new file mode 100644
index 0000000..0430a0a
--- /dev/null
+++ b/apps/immich/oidc.yaml
@@ -0,0 +1,32 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: immich-oidc
+spec:
+ refreshInterval: 24h
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+ target:
+ template:
+ engineVersion: v2
+ data:
+ "config.yaml": |-
+ oauth:
+ enabled: true
+ buttonText: Login with OAuth
+ clientId: "{{ .clientId }}"
+ clientSecret: "{{ .clientSecret }}"
+ defaultStorageQuota: 0
+ issuerUrl: https://authentik.sdg.moe/application/o/immich/.well-known/openid-configuration
+ scope: openid email profile
+ signingAlgorithm: RS256
+ profileSigningAlgorithm: none
+ storageLabelClaim: preferred_username
+ storageQuotaClaim: immich_quota
+ autoLaunch: true
+ passwordLogin:
+ enabled: false
+ dataFrom:
+ - extract:
+ key: immich-sso
diff --git a/apps/immich/values.yaml b/apps/immich/values.yaml
index 1bbde46..2ef1aa6 100644
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
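Review bot: The chart is now pinned to `namespace: immich`, but the two resources added under `resources:` (database.yaml's Certificate and oidc.yaml's ExternalSecret) carry no `metadata.namespace`, so they only end up next to the chart if this Kustomization sets a top-level `namespace: immich` outside the hunk; if it does not, the Secrets referenced by `persistence.pg` and `persistence.config` in values.yaml are created in the apply context's namespace and the pods cannot mount them. Either add `namespace: immich` at the Kustomization level or state it explicitly on those two resources, the way database.yaml already does for the Database with `namespace: postgres`.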
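Review bot: With `passwordLogin.enabled: false` and `autoLaunch: true` in the templated config, delivered through `IMMICH_CONFIG_FILE` (which makes these settings read-only in the admin UI), an outage or misconfiguration of the Authentik issuer leaves no way to sign in, admin included; keep a documented recovery path next to `passwordLogin:`, e.g. `# break-glass: set enabled: true here, re-sync the secret and restart the server`. `refreshInterval: 24h` also means a rotated `clientSecret` in Bitwarden can take up to a day to reach the Secret, and the mounted file is presumably not reread without a pod restart, so a comment describing the rotation procedure would help the next operator. The `{{ .clientId }}` / `{{ .clientSecret }}` keys must match the field names on the `immich-sso` Bitwarden item; that is worth confirming, since a missing key would not necessarily fail the sync loudly.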
@@ -6,46 +6,42 @@ immich:
 existingClaim: pictures
 redis:
 enabled: true
+
 server:
 ingress:
 main:
 enabled: true
+ className: cilium
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt
 acme.cert-manager.io/http01-edit-in-place: "true"
 # proxy-body-size is set to 0 to remove the body limit on file uploads
 nginx.ingress.kubernetes.io/proxy-body-size: "0"
 hosts:
- - host: immich.sdg.moe
- paths:
- - path: "/"
+ - host: immich.sdg.moe
+ paths:
+ - path: /
 tls:
- - secretName: immich-tls
- hosts:
- - immich.sdg.moe
+ - secretName: immich-tls
+ hosts:
+ - immich.sdg.moe
+
 machine-learning:
 persistence:
 cache:
 type: pvc
-#
-# env:
-# DB_HOSTNAME:
-# valueFrom:
-# secretKeyRef:
-# name: database-immich-user
-# key: HOST
-# DB_USERNAME:
-# valueFrom:
-# secretKeyRef:
-# name: database-immich-user
-# key: LOGIN
-# DB_PASSWORD:
-# valueFrom:
-# secretKeyRef:
-# name: database-immich-user
-# key: PASSWORD
-# DB_DATABASE_NAME:
-# valueFrom:
-# secretKeyRef:
-# name: database-immich-user
-# key: DATABASE_NAME
+
+env:
+ DB_URL: postgres://immich@postgres-cluster-rw.postgres/immich?sslcert=/pg/tls.crt&sslkey=/pg/tls.key&sslrootcert=/pg/ca.crt
+ IMMICH_CONFIG_FILE: /config/config.yaml
+persistence:
+ pg:
+ enabled: true
+ type: secret
+ name: postgres-immich
+ defaultMode: 0640
+
+ config:
+ enabled: true
+ type: secret
+ name: immich-oidc
diff --git a/apps/postgres/cluster.yaml b/apps/postgres/cluster.yaml
index 56e1e38..fa01b12 100644
--- a/apps/postgres/cluster.yaml
+++ b/apps/postgres/cluster.yaml
@@ -9,6 +9,9 @@ spec:
 storage:
 size: 10Gi
+ backup:
+ retentionPolicy: 7d
+
 certificates:
 serverCASecret: postgres-server-cert
 serverTLSSecret: postgres-server-cert
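Review bot: `DB_URL` in the new `env:` block supplies the client cert, key and CA but no `sslmode`, so whether the server certificate is actually verified against `/pg/ca.crt` and the hostname depends on the driver's default for an absent sslmode; append `&sslmode=verify-full` so verification is explicit and a non-TLS fallback is ruled out. `defaultMode: 0640` under `persistence.pg` relies on YAML 1.1 octal parsing — a YAML 1.2 reader takes it as decimal 640, a different mode entirely; writing the decimal `defaultMode: 416  # 0640` removes the ambiguity for whatever tooling later touches this file. A short comment above `env:` saying that the `pg` secret is the cert-manager client certificate from database.yaml and that the CN must equal the `immich` role would document why no password appears in the URL.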
@@ -18,10 +21,13 @@ spec:
 pg_hba:
 - hostssl all all all cert
- backup:
- retentionPolicy: 7d
+ # this is needed for immich
+ shared_preload_libraries:
+ - "vchord.so"
+ imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0
- # this is here because no `Role` crd exsists yet.
+
+ # this is here because no `Role` crd exists yet.
 # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
 managed:
 roles:
@@ -34,3 +40,6 @@ spec:
 - name: gitea
 login: true
 disablePassword: true
+ - name: immich
+ login: true
+ disablePassword: true
diff --git a/cilium-values.yaml b/cilium-values.yaml
index 0aedd2f..d63ca2a 100644
--- a/cilium-values.yaml
+++ b/cilium-values.yaml
@@ -44,10 +44,12 @@ externalIPs:
 ingressController:
 enabled: true
+ default: true
 loadbalancerMode: shared
 service:
 annotations:
 lbipam.cilium.io/ips: 192.168.0.201
+
 gatewayAPI:
 enabled: true
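Review bot: `imageName` moves the shared cluster, which also serves the `gitea` role, onto a third-party build `ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0` pinned by tag only; pin it by digest (`imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0@sha256:<digest>`) so the image that was reviewed is the one that rolls out, and note that changing the image triggers a rolling update of every instance, not just immich's database. The `# this is needed for immich` comment is welcome; extending it to say that `vchord.so` must stay in `shared_preload_libraries` for as long as the immich Database in apps/immich/database.yaml lists the `vchord` extension would document the cross-file dependency. The enclosing `spec` block begins before and ends after this hunk.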
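Review bot: `default: true` makes the Cilium ingress controller the cluster's default IngressClass; if another controller in the cluster is also marked default, Ingress objects without an explicit class are rejected at admission, so confirm no other class carries the `ingressclass.kubernetes.io/is-default-class` annotation. The immich ingress in apps/immich/values.yaml sets `className: cilium` explicitly but keeps the `nginx.ingress.kubernetes.io/proxy-body-size: "0"` annotation and the comment claiming it lifts the upload body limit; Cilium's ingress presumably does not read that nginx-specific annotation, so the comment no longer describes the effective behaviour and large uploads may hit whatever limit the new path imposes. A comment next to the new line, `# 'cilium' becomes the IngressClass for Ingresses that set no className`, records the intent.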