From e38cac524b2a0fffec6e17145870a1fbcdce4a2d Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Fri, 10 May 2024 01:52:29 +0800 Subject: [PATCH] feat: add immich --- .../biohazard/flux/kustomization.yaml | 1 + kube/deploy/apps/immich/app/es.yaml | 19 ++ kube/deploy/apps/immich/app/hr.yaml | 208 ++++++++++++++++++ kube/deploy/apps/immich/ks.yaml | 68 ++++++ kube/deploy/apps/immich/kustomization.yaml | 6 + kube/deploy/apps/immich/ns.yaml | 10 + 6 files changed, 312 insertions(+) create mode 100644 kube/deploy/apps/immich/app/es.yaml create mode 100644 kube/deploy/apps/immich/app/hr.yaml create mode 100644 kube/deploy/apps/immich/ks.yaml create mode 100644 kube/deploy/apps/immich/kustomization.yaml create mode 100644 kube/deploy/apps/immich/ns.yaml diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index 5cb2d70a..7fec8c45 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml @@ -120,6 +120,7 @@ resources: - ../../../deploy/apps/goatcounter/ - ../../../deploy/apps/ollama/ - ../../../deploy/apps/davis/ + - ../../../deploy/apps/immich/ - ../../../deploy/vm/_kubevirt/ #- ../../../deploy/vm/_base/ - ../../../deploy/vm/ad/ diff --git a/kube/deploy/apps/immich/app/es.yaml b/kube/deploy/apps/immich/app/es.yaml new file mode 100644 index 00000000..460ec463 --- /dev/null +++ b/kube/deploy/apps/immich/app/es.yaml @@ -0,0 +1,19 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name immich-secrets + namespace: immich +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "Immich - ${CLUSTER_NAME}" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name 
diff --git a/kube/deploy/apps/immich/app/hr.yaml b/kube/deploy/apps/immich/app/hr.yaml
new file mode 100644
index 00000000..f8c7bd8c
--- /dev/null
+++ b/kube/deploy/apps/immich/app/hr.yaml
@@ -0,0 +1,208 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: &app immich + namespace: *app +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system + values: + controllers: + immich: + type: deployment + replicas: 1 + pod: + labels: + ingress.home.arpa/nginx-internal: allow + db.home.arpa/pg: pg-home + containers: + main: + image: &img + repository: ghcr.io/immich-app/immich-server + tag: v1.103.1@sha256:10761af14a6145353169042f29d2e49943de75b57a5d19251b365fe0d41ee15a + command: &cmd ["tini", "--", "node", "/usr/src/app/dist/main"] + args: ["immich"] + env: &env + TZ: "${CONFIG_TZ}" + LD_PRELOAD: /usr/lib/x86_64-linux-gnu/libmimalloc.so.2 + NODE_ENV: production + LOG_LEVEL: verbose + IMMICH_MEDIA_LOCATION: &pvc /data + IMMICH_SERVER_URL: http://immich.immich.svc.cluster.local:3001 + IMMICH_MACHINE_LEARNING_URL: http://immich-ml.immich.svc.cluster.local:3003 + REDIS_HOSTNAME: immich-redis.immich.svc.cluster.local + REDIS_PORT: "6379" + DB_VECTOR_EXTENSION: pgvector # I couldn't really care less for worser machine learning, over half my library is screenshots + DB_URL: + valueFrom: + secretKeyRef: + name: pg-home-pguser-immich + key: pgbouncer-uri + envFrom: &ef + - secretRef: + name: immich-secrets + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "3000m" + memory: "6Gi" + microservices: + type: deployment + replicas: 1 + pod: + labels: + db.home.arpa/pg: pg-home + containers: + main: + image: *img + command: *cmd + args: ["microservices"] + env: *env + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "128Mi" + gpu.intel.com/i915: "1" + limits: + cpu: "3000m" + memory: "6Gi" + gpu.intel.com/i915: "1" + ml: + type: deployment + replicas: 1 + pod: + labels: + 
db.home.arpa/pg: pg-home + containers: + main: + image: *img + env: *env + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "3000m" + memory: "6Gi" + redis: + type: deployment + replicas: 1 + containers: + redis: + image: + repository: "public.ecr.aws/docker/library/redis" + tag: "7.2.4-bookworm@sha256:f14f42fc7e824b93c0e2fe3cdf42f68197ee0311c3d2e0235be37480b2e208e6" + command: ["redis-server", "--save", "''", "--appendonly", "no"] # save and appendonly options forcibly disable RDB and AOF persistence entirely + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "32Mi" + limits: + cpu: "1000m" + memory: "512Mi" + service: + immich: + controller: immich + ports: + http: + port: 3001 + ml: + controller: ml + ports: + http: + port: 3003 + redis: + controller: redis + ports: + http: + port: 6379 + ingress: + main: + className: nginx-internal + hosts: + - host: &host "${APP_DNS_IMMICH}" + paths: &paths + - path: / + pathType: Prefix + service: + identifier: immich + port: http + tls: + - hosts: [*host] + persistence: + data: + existingClaim: immich-data + advancedMounts: + immich: + main: + - subPath: data + path: *pvc + ml: + main: + - subPath: ml + path: /cache + tmp: + type: emptyDir + medium: Memory + globalMounts: + - subPath: tmp + path: /tmp + - subPath: geocode + path: /usr/src/app/.reverse-geocoding-dump + - subPath: geoname + path: /usr/src/app/node_modules/local-reverse-geocoder/geonames_dump + - subPath: transformers + path: /usr/src/app/.transformers_cache + defaultPodOptions: + automountServiceAccountToken: false + enableServiceLinks: false + securityContext: + runAsNonRoot: true + runAsUser: &uid ${APP_UID_IMMICH} + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + seccompProfile: { type: "RuntimeDefault" } + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: 
*app + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: fuckoff.home.arpa/immich + operator: DoesNotExist + networkpolicies: + immich: + podSelector: &sel + matchLabels: + app.kubernetes.io/name: immich + policyTypes: [Ingress, Egress] + rules: + ingress: + - from: [{podSelector: *sel}] + egress: + - to: [{podSelector: *sel}] diff --git a/kube/deploy/apps/immich/ks.yaml b/kube/deploy/apps/immich/ks.yaml new file mode 100644 index 00000000..8115d226 --- /dev/null +++ b/kube/deploy/apps/immich/ks.yaml 
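Review bot: The `ml` controller's container is given `image: *img`, i.e. the immich-server image, with no `command` override, so the pod that `IMMICH_MACHINE_LEARNING_URL` addresses on port 3003 runs the server entrypoint rather than a machine-learning process; unless the server image also serves the ML API (I don't believe it does), this should point at the machine-learning image, e.g. `repository: ghcr.io/immich-app/immich-machine-learning` with a pinned `tag: <version@sha256 digest — placeholder>`. Separately, `env: *env` under `ml` (together with the `db.home.arpa/pg: pg-home` pod label) hands the ML pod the `DB_URL` pgbouncer credential from `pg-home-pguser-immich`, which a machine-learning worker has no use for; a second env anchor without `DB_URL` for `ml` would keep that credential confined to the two containers that actually talk to Postgres. The `envFrom: &ef` anchor is declared but never aliased, so only the `immich` container receives `immich-secrets` — if `microservices` needs those values this is a missing `envFrom: *ef`, otherwise the anchor can be dropped.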
@@ -0,0 +1,68 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: immich-app + namespace: flux-system + labels: &l + app.kubernetes.io/name: "immich" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/apps/immich/app + targetNamespace: "immich" + dependsOn: + - name: immich-db + - name: immich-pvc +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: immich-pvc + namespace: flux-system + labels: &l + app.kubernetes.io/name: "immich" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/core/storage/volsync/template + targetNamespace: "immich" + dependsOn: + - name: 1-core-storage-volsync-app + - name: 1-core-storage-rook-ceph-cluster + postBuild: + substitute: + PVC: "immich-data" + SIZE: "100Gi" + SC: &sc "file" + SNAP: *sc + ACCESSMODE: "ReadWriteMany" + RUID: !!str &uid | + ${APP_UID_IMMICH} + RGID: !!str | + ${APP_UID_IMMICH} + RFSG: !!str | + ${APP_UID_IMMICH} +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: immich-db + namespace: flux-system + labels: &l + prune.flux.home.arpa/enabled: "true" + db.home.arpa/pg: "pg-home" + app.kubernetes.io/name: "immich" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/core/db/pg/clusters/template/pguser + targetNamespace: "pg" + dependsOn: + - name: 1-core-db-pg-clusters-home + - name: 1-core-secrets-es-k8s + postBuild: + substitute: + PG_NAME: "home" + PG_DB_USER: &app "immich" + PG_APP_NS: *app diff --git a/kube/deploy/apps/immich/kustomization.yaml b/kube/deploy/apps/immich/kustomization.yaml new file mode 100644 index 00000000..5eeb2657 --- /dev/null +++ b/kube/deploy/apps/immich/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - ks.yaml diff --git a/kube/deploy/apps/immich/ns.yaml b/kube/deploy/apps/immich/ns.yaml new file mode 100644 index 00000000..55fc7c51 --- /dev/null 
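Review bot: `RUID: !!str &uid |` declares an anchor that is never aliased — `RGID` and `RFSG` repeat the same block scalar instead of referring to it, so the three values can drift if one is edited; `RGID: *uid` and `RFSG: *uid` would keep them tied to the same node. Also, a `|` block scalar keeps its trailing newline, so each substituted value is presumably `<uid>\n` rather than `<uid>`; if the volsync template ever uses these mid-line or in flow style that newline would corrupt the rendered YAML, and `|-` (or a quoted `!!str "${APP_UID_IMMICH}"`) avoids it — worth confirming against how Flux's substitution treats trailing whitespace.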
+++ b/kube/deploy/apps/immich/ns.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: immich + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: &ps restricted + pod-security.kubernetes.io/audit: *ps + pod-security.kubernetes.io/warn: *ps