feat: add immich

kube/clusters/biohazard/flux/kustomization.yaml

@@ -120,6 +120,7 @@ resources:
   - ../../../deploy/apps/goatcounter/
   - ../../../deploy/apps/ollama/
   - ../../../deploy/apps/davis/
+  - ../../../deploy/apps/immich/
   - ../../../deploy/vm/_kubevirt/
   #- ../../../deploy/vm/_base/
   - ../../../deploy/vm/ad/

kube/deploy/apps/immich/app/es.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name immich-secrets
+  namespace: immich
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "Immich - ${CLUSTER_NAME}"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name

kube/deploy/apps/immich/app/hr.yaml

@@ -0,0 +1,208 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app immich
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      immich:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            ingress.home.arpa/nginx-internal: allow
+            db.home.arpa/pg: pg-home
+        containers:
+          main:
+            image: &img
+              repository: ghcr.io/immich-app/immich-server
+              tag: v1.103.1@sha256:10761af14a6145353169042f29d2e49943de75b57a5d19251b365fe0d41ee15a
+            command: &cmd ["tini", "--", "node", "/usr/src/app/dist/main"]
+            args: ["immich"]
+            env: &env
+              TZ: "${CONFIG_TZ}"
+              LD_PRELOAD: /usr/lib/x86_64-linux-gnu/libmimalloc.so.2
+              NODE_ENV: production
+              LOG_LEVEL: verbose
+              IMMICH_MEDIA_LOCATION: &pvc /data
+              IMMICH_SERVER_URL: http://immich.immich.svc.cluster.local:3001
+              IMMICH_MACHINE_LEARNING_URL: http://immich-ml.immich.svc.cluster.local:3003
+              REDIS_HOSTNAME: immich-redis.immich.svc.cluster.local
+              REDIS_PORT: "6379"
+              DB_VECTOR_EXTENSION: pgvector # I couldn't really care less for worser machine learning, over half my library is screenshots
+              DB_URL:
+                valueFrom:
+                  secretKeyRef:
+                    name: pg-home-pguser-immich
+                    key: pgbouncer-uri
+            envFrom: &ef
+              - secretRef:
+                  name: immich-secrets
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "128Mi"
+              limits:
+                cpu: "3000m"
+                memory: "6Gi"
+      microservices:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            db.home.arpa/pg: pg-home
+        containers:
+          main:
+            image: *img
+            command: *cmd
+            args: ["microservices"]
+            env: *env
+            securityContext: *sc
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "128Mi"
+                gpu.intel.com/i915: "1"
+              limits:
+                cpu: "3000m"
+                memory: "6Gi"
+                gpu.intel.com/i915: "1"
+      ml:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            db.home.arpa/pg: pg-home
+        containers:
+          main:
+            image: *img
+            env: *env
+            securityContext: *sc
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "128Mi"
+              limits:
+                cpu: "3000m"
+                memory: "6Gi"
+      redis:
+        type: deployment
+        replicas: 1
+        containers:
+          redis:
+            image:
+              repository: "public.ecr.aws/docker/library/redis"
+              tag: "7.2.4-bookworm@sha256:f14f42fc7e824b93c0e2fe3cdf42f68197ee0311c3d2e0235be37480b2e208e6"
+            command: ["redis-server", "--save", "''", "--appendonly", "no"] # save and appendonly options forcibly disable RDB and AOF persistence entirely
+            securityContext: *sc
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "32Mi"
+              limits:
+                cpu: "1000m"
+                memory: "512Mi"
+    service:
+      immich:
+        controller: immich
+        ports:
+          http:
+            port: 3001
+      ml:
+        controller: ml
+        ports:
+          http:
+            port: 3003
+      redis:
+        controller: redis
+        ports:
+          http:
+            port: 6379
+    ingress:
+      main:
+        className: nginx-internal
+        hosts:
+          - host: &host "${APP_DNS_IMMICH}"
+            paths: &paths
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: immich
+                  port: http
+        tls:
+          - hosts: [*host]
+    persistence:
+      data:
+        existingClaim: immich-data
+        advancedMounts:
+          immich:
+            main:
+              - subPath: data
+                path: *pvc
+          ml:
+            main:
+              - subPath: ml
+                path: /cache
+      tmp:
+        type: emptyDir
+        medium: Memory
+        globalMounts:
+          - subPath: tmp
+            path: /tmp
+          - subPath: geocode
+            path: /usr/src/app/.reverse-geocoding-dump
+          - subPath: geoname
+            path: /usr/src/app/node_modules/local-reverse-geocoder/geonames_dump
+          - subPath: transformers
+            path: /usr/src/app/.transformers_cache
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid ${APP_UID_IMMICH}
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: fuckoff.home.arpa/immich
+                    operator: DoesNotExist
+    networkpolicies:
+      immich:
+        podSelector: &sel
+          matchLabels:
+            app.kubernetes.io/name: immich
+        policyTypes: [Ingress, Egress]
+        rules:
+          ingress:
+            - from: [{podSelector: *sel}]
+          egress:
+            - to: [{podSelector: *sel}]

kube/deploy/apps/immich/ks.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: immich-app
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "immich"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/apps/immich/app
+  targetNamespace: "immich"
+  dependsOn:
+    - name: immich-db
+    - name: immich-pvc
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: immich-pvc
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "immich"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/core/storage/volsync/template
+  targetNamespace: "immich"
+  dependsOn:
+    - name: 1-core-storage-volsync-app
+    - name: 1-core-storage-rook-ceph-cluster
+  postBuild:
+    substitute:
+      PVC: "immich-data"
+      SIZE: "100Gi"
+      SC: &sc "file"
+      SNAP: *sc
+      ACCESSMODE: "ReadWriteMany"
+      RUID: !!str &uid |
+        ${APP_UID_IMMICH}
+      RGID: !!str |
+        ${APP_UID_IMMICH}
+      RFSG: !!str |
+        ${APP_UID_IMMICH}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: immich-db
+  namespace: flux-system
+  labels: &l
+    prune.flux.home.arpa/enabled: "true"
+    db.home.arpa/pg: "pg-home"
+    app.kubernetes.io/name: "immich"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/core/db/pg/clusters/template/pguser
+  targetNamespace: "pg"
+  dependsOn:
+    - name: 1-core-db-pg-clusters-home
+    - name: 1-core-secrets-es-k8s
+  postBuild:
+    substitute:
+      PG_NAME: "home"
+      PG_DB_USER: &app "immich"
+      PG_APP_NS: *app

kube/deploy/apps/immich/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ns.yaml
+  - ks.yaml

kube/deploy/apps/immich/ns.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: immich
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps