Fix immich

2025-12-05 23:06:23 +00:00 · 2025-08-29 23:37:44 +02:00
parent 76b0fa3286
commit a4f5edabb3
7 changed files with 113 additions and 68 deletions
--- a/apps/immich/cluster.yaml
+++ b/apps/immich/cluster.yaml
@@ -1,30 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: immich-cluster
-spec:
-  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0
-  instances: 1
-  storage:
-    size: 4Gi
-
-  postgresql:
-    shared_preload_libraries:
-    - "vchord.so"
---
-apiVersion: postgresql.cnpg.io/v1
-kind: Database
-metadata:
-  name: immich
-spec:
-  name: immich
-  owner: immich
-  cluster:
-    name: immich-cluster
-  extensions:
-  - name: vector
-    ensure: present
-  - name: vchord
-    ensure: present
-  - name: earthdistance
-    ensure: present
--- a/apps/immich/database.yaml
+++ b/apps/immich/database.yaml
@@ -0,0 +1,34 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: immich
+  namespace: postgres
+spec:
+  name: immich
+  owner: immich
+  cluster:
+    name: postgres-cluster
+  extensions:
+  - name: vector
+    ensure: present
+  - name: vchord
+    ensure: present
+  - name: cube
+    ensure: present
+  - name: earthdistance
+    ensure: present
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-immich
+spec:
+  secretName: postgres-immich
+  usages:
+  - client auth
+  # same as pg user
+  commonName: immich
+  issuerRef:
+    name: postgres-ca
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 helmCharts:
- repo: oci://ghcr.io/immich-app/immich-charts
+  - repo: oci://ghcr.io/immich-app/immich-charts
    name: immich
    releaseName: immich
+    namespace: immich
    version: 0.9.3
    valuesFile: values.yaml

 resources:
- pvc.yaml
- cluster.yaml
+  - pvc.yaml
+  - database.yaml
+  - oidc.yaml
--- a/apps/immich/oidc.yaml
+++ b/apps/immich/oidc.yaml
@@ -0,0 +1,32 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: immich-oidc
+spec:
+  refreshInterval: 24h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    template:
+      engineVersion: v2
+      data:
+        "config.yaml": |-
+          oauth:
+            enabled: true
+            buttonText: Login with OAuth
+            clientId: "{{ .clientId }}"
+            clientSecret: "{{ .clientSecret }}"
+            defaultStorageQuota: 0
+            issuerUrl: https://authentik.sdg.moe/application/o/immich/.well-known/openid-configuration
+            scope: openid email profile
+            signingAlgorithm: RS256
+            profileSigningAlgorithm: none
+            storageLabelClaim: preferred_username
+            storageQuotaClaim: immich_quota
+            autoLaunch: true
+          passwordLogin:
+            enabled: false
+  dataFrom:
+  - extract:
+      key: immich-sso
--- a/apps/immich/values.yaml
+++ b/apps/immich/values.yaml
@@ -6,10 +6,12 @@ immich:
      existingClaim: pictures
 redis:
  enabled: true
+
 server:
  ingress:
    main:
      enabled: true
+      className: cilium
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        acme.cert-manager.io/http01-edit-in-place: "true"
@@ -18,34 +20,28 @@ server:
      hosts:
        - host: immich.sdg.moe
          paths:
-          - path: "/"
+            - path: /
      tls:
        - secretName: immich-tls
          hosts:
            - immich.sdg.moe
+
 machine-learning:
  persistence:
    cache:
      type: pvc
-#
-# env:
-#   DB_HOSTNAME:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: HOST
-#   DB_USERNAME:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: LOGIN
-#   DB_PASSWORD:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: PASSWORD
-#   DB_DATABASE_NAME:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: DATABASE_NAME
+
+env:
+  DB_URL: postgres://immich@postgres-cluster-rw.postgres/immich?sslcert=/pg/tls.crt&sslkey=/pg/tls.key&sslrootcert=/pg/ca.crt
+  IMMICH_CONFIG_FILE: /config/config.yaml
+persistence:
+  pg:
+    enabled: true
+    type: secret
+    name: postgres-immich
+    defaultMode: 0640
+
+  config:
+    enabled: true
+    type: secret
+    name: immich-oidc
--- a/apps/postgres/cluster.yaml
+++ b/apps/postgres/cluster.yaml
@@ -9,6 +9,9 @@ spec:
  storage:
    size: 10Gi

+  backup:
+    retentionPolicy: 7d
+
  certificates:
    serverCASecret: postgres-server-cert
    serverTLSSecret: postgres-server-cert
@@ -18,10 +21,13 @@ spec:
    pg_hba:
      - hostssl all all all cert

-  backup:
-    retentionPolicy: 7d
+  # this is needed for immich
+    shared_preload_libraries:
+    - "vchord.so"
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0

-  # this is here because no `Role` crd exsists yet.
+
+  # this is here because no `Role` crd exists yet.
  # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
  managed:
    roles:
@@ -34,3 +40,6 @@ spec:
    - name: gitea
      login: true
      disablePassword: true
+    - name: immich
+      login: true
+      disablePassword: true
--- a/cilium-values.yaml
+++ b/cilium-values.yaml
@@ -44,11 +44,13 @@ externalIPs:

 ingressController:
  enabled: true
+  default: true
  loadbalancerMode: shared
  service:
    annotations:
      lbipam.cilium.io/ips: 192.168.0.201
      
+
 gatewayAPI:
  enabled: true
 operator: