Fix immich

apps/immich/cluster.yaml

@@ -1,30 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: immich-cluster
-spec:
-  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0
-  instances: 1
-  storage:
-    size: 4Gi
-
-  postgresql:
-    shared_preload_libraries:
-    - "vchord.so"
----
-apiVersion: postgresql.cnpg.io/v1
-kind: Database
-metadata:
-  name: immich
-spec:
-  name: immich
-  owner: immich
-  cluster:
-    name: immich-cluster
-  extensions:
-  - name: vector
-    ensure: present
-  - name: vchord
-    ensure: present
-  - name: earthdistance
-    ensure: present

apps/immich/database.yaml

@@ -0,0 +1,34 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: immich
+  namespace: postgres
+spec:
+  name: immich
+  owner: immich
+  cluster:
+    name: postgres-cluster
+  extensions:
+  - name: vector
+    ensure: present
+  - name: vchord
+    ensure: present
+  - name: cube
+    ensure: present
+  - name: earthdistance
+    ensure: present
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-immich
+spec:
+  secretName: postgres-immich
+  usages:
+  - client auth
+  # same as pg user
+  commonName: immich
+  issuerRef:
+    name: postgres-ca
+    kind: ClusterIssuer
+    group: cert-manager.io

apps/immich/kustomization.yaml

@@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 helmCharts:
-- repo: oci://ghcr.io/immich-app/immich-charts
-  name: immich
-  releaseName: immich
-  version: 0.9.3
-  valuesFile: values.yaml
+  - repo: oci://ghcr.io/immich-app/immich-charts
+    name: immich
+    releaseName: immich
+    namespace: immich
+    version: 0.9.3
+    valuesFile: values.yaml
 
 resources:
-- pvc.yaml
-- cluster.yaml
+  - pvc.yaml
+  - database.yaml
+  - oidc.yaml

apps/immich/oidc.yaml

@@ -0,0 +1,32 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: immich-oidc
+spec:
+  refreshInterval: 24h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    template:
+      engineVersion: v2
+      data:
+        "config.yaml": |-
+          oauth:
+            enabled: true
+            buttonText: Login with OAuth
+            clientId: "{{ .clientId }}"
+            clientSecret: "{{ .clientSecret }}"
+            defaultStorageQuota: 0
+            issuerUrl: https://authentik.sdg.moe/application/o/immich/.well-known/openid-configuration
+            scope: openid email profile
+            signingAlgorithm: RS256
+            profileSigningAlgorithm: none
+            storageLabelClaim: preferred_username
+            storageQuotaClaim: immich_quota
+            autoLaunch: true
+          passwordLogin:
+            enabled: false
+  dataFrom:
+  - extract:
+      key: immich-sso

apps/immich/values.yaml

@@ -6,46 +6,42 @@ immich:
       existingClaim: pictures
 redis:
   enabled: true
+
 server:
   ingress:
     main:
       enabled: true
+      className: cilium
       annotations:
         cert-manager.io/cluster-issuer: letsencrypt
         acme.cert-manager.io/http01-edit-in-place: "true"
         # proxy-body-size is set to 0 to remove the body limit on file uploads
         nginx.ingress.kubernetes.io/proxy-body-size: "0"
       hosts:
-      - host: immich.sdg.moe
-        paths:
-          - path: "/"
+        - host: immich.sdg.moe
+          paths:
+            - path: /
       tls:
-      - secretName: immich-tls
-        hosts:
-        - immich.sdg.moe
+        - secretName: immich-tls
+          hosts:
+            - immich.sdg.moe
+
 machine-learning:
   persistence:
     cache:
       type: pvc
-#
-# env:
-#   DB_HOSTNAME:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: HOST
-#   DB_USERNAME:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: LOGIN
-#   DB_PASSWORD:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: PASSWORD
-#   DB_DATABASE_NAME:
-#     valueFrom:
-#       secretKeyRef:
-#         name: database-immich-user
-#         key: DATABASE_NAME
+
+env:
+  DB_URL: postgres://immich@postgres-cluster-rw.postgres/immich?sslcert=/pg/tls.crt&sslkey=/pg/tls.key&sslrootcert=/pg/ca.crt
+  IMMICH_CONFIG_FILE: /config/config.yaml
+persistence:
+  pg:
+    enabled: true
+    type: secret
+    name: postgres-immich
+    defaultMode: 0640
+
+  config:
+    enabled: true
+    type: secret
+    name: immich-oidc

apps/postgres/cluster.yaml

@@ -9,6 +9,9 @@ spec:
   storage:
     size: 10Gi
 
+  backup:
+    retentionPolicy: 7d
+
   certificates:
     serverCASecret: postgres-server-cert
     serverTLSSecret: postgres-server-cert
@@ -18,10 +21,13 @@ spec:
     pg_hba:
       - hostssl all all all cert
 
-  backup:
-    retentionPolicy: 7d
+  # this is needed for immich
+    shared_preload_libraries:
+    - "vchord.so"
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17.5-0.3.0
 
-  # this is here because no `Role` crd exsists yet.
+
+  # this is here because no `Role` crd exists yet.
   # see https://github.com/cloudnative-pg/cloudnative-pg/issues/5341
   managed:
     roles:
@@ -34,3 +40,6 @@ spec:
     - name: gitea
       login: true
       disablePassword: true
+    - name: immich
+      login: true
+      disablePassword: true

cilium-values.yaml

@@ -44,11 +44,13 @@ externalIPs:
 
 ingressController:
   enabled: true
+  default: true
   loadbalancerMode: shared
   service:
     annotations:
       lbipam.cilium.io/ips: 192.168.0.201
       
+
 gatewayAPI:
   enabled: true
 operator: