diff --git a/kubernetes/main/apps/media/immich/app/helm-release.yaml b/kubernetes/main/apps/media/immich/app/helm-release.yaml
new file mode 100644
index 00000000..053f1bd5
--- /dev/null
+++ b/kubernetes/main/apps/media/immich/app/helm-release.yaml
@@ -0,0 +1,103 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: immich
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjws-charts
+ namespace: flux-system
+ values:
+ controllers:
+ immich:
+ containers:
+ app:
+ image:
+ repository: ghcr.io/immich-app/immich-server
+ tag: v1.122.3
+ envFrom: &envFrom
+ - secretRef:
+ name: immich-secret
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /
+ port: &port 2283
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness: *probes
+ startup:
+ enabled: true
+ spec:
+ failureThreshold: 30
+ periodSeconds: 10
+ # resources:
+ # requests:
+ # cpu: 2m
+ # memory: 1500Mi
+ # limits:
+ # memory: 3200Mi
+ machine-learning:
+ image:
+ repository: ghcr.io/immich-app/immich-machine-learning
+ tag: v1.122.3-openvino
+ envFrom: *envFrom
+ resources:
+ limits:
+ gpu.intel.com/i915: 1
+# defaultPodOptions:
+# securityContext:
+# runAsUser: 10000
+# runAsGroup: 10000
+# fsGroup: 10000
+# fsGroupChangePolicy: OnRootMismatch
+
+ service:
+ app:
+ controller: immich
+ ports:
+ http:
+ port: *port
+ mlhttp:
+ port: 3003
+
+ ingress:
+ app:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - host: "immich.${SECRET_NEW_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+
+ persistence:
+ mlcache:
+ type: emptyDir
+ accessMode: ReadWriteMany
+ size: 10Gi
+ advancedMounts:
+ immich: # controller name
+ machine-learning: # container name
+ - path: /cache
+ storage:
+ type: hostPath
+ hostPath: /mnt/MainPool/Media/Photos
+ advancedMounts:
+ immich:
+ app:
+ - path: /usr/src/app/upload
diff --git a/kubernetes/main/apps/media/immich/app/kustomization.yaml b/kubernetes/main/apps/media/immich/app/kustomization.yaml
new file mode 100644
index 00000000..8d145d23
--- /dev/null
+++ b/kubernetes/main/apps/media/immich/app/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./secret.sops.yaml
+- ./helm-release.yaml
diff --git a/kubernetes/main/apps/media/immich/app/secret.sops.yaml b/kubernetes/main/apps/media/immich/app/secret.sops.yaml
new file mode 100644
index 00000000..bb62a0ec
--- /dev/null
+++ b/kubernetes/main/apps/media/immich/app/secret.sops.yaml
@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: immich-secret
+ namespace: media
+stringData:
+ REDIS_HOSTNAME: ENC[AES256_GCM,data:Lqn6/AMXLa+13acO3PjFPMnn,iv:NCko1SPVv6G1hEVqGrMvkvEAo070Kpd0Yn2G+kHLrc0=,tag:ixPPBLHLQ+YAcSyjJxXisA==,type:str]
+ REDIS_PASSWORD: ENC[AES256_GCM,data:klwA1O//Ts82sC1umJcSobUq6mfO9IG4TAeKQ20=,iv:r0RF+aN3+EXq5NVB/nPFkt/59fqdzCKjWh9jyeyKkMg=,tag:AbvtMDXzlHVQfyMDZfD4hA==,type:str]
+ DB_HOSTNAME: ENC[AES256_GCM,data:C4GG7OqFd5RVBxPeqsKYQ+IQI911PaNt9fY=,iv:rw6A1vXdRvhdk2A6NZ3y3kwt4OwcPsVyloFNECD6CKM=,tag:TVsoAn4aGwqnfwiRUkGRWg==,type:str]
+ DB_DATABASE_NAME: ENC[AES256_GCM,data:qcaJ3eAg,iv:PmOJOJqxsS05Jnjz7MPbJUvqbNu9Hqdopz4AnT3CCXg=,tag:J0hCI9cwekjfnIW2/v122g==,type:str]
+ DB_USERNAME: ENC[AES256_GCM,data:qjcLby68,iv:IkhCJwirOsYGcTJYawAk5QJmrLJ8TMkNHDaVQJom9qY=,tag:7pufxIcm1ALbicV2Pf+PIQ==,type:str]
+ DB_PASSWORD: ENC[AES256_GCM,data:mJns8nHbVvasRASX1gyBMplvP5K14G9vZCbWGGm7VtQ=,iv:q4M3cqGhPBTJipteIXIMm9NtjygY45bzCFguko3PQMI=,tag:AsNPx+P4bjkbDcoA4uIDSg==,type:str]
+ IMMICH_MACHINE_LEARNING_URL: ENC[AES256_GCM,data:pqRoNqJ0MfuThxaOS+lVVVJNnQlV,iv:lMPALDTqoUrlQ7ponGGchLs6ToFKJfGm++RjRpx5Bzw=,tag:0dgfzg7VwUffJ0s+6urYkg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-12-31T00:01:48Z"
+ mac: ENC[AES256_GCM,data:EWQNFZUMxIi+5Ara/ki99tEsej8d54b8ST9EwlUh7IVybTlSUU8TOJ64YEy/bMmhQFCxIYllN5SPUn2kxyfU8w/zS7NkyDEnZpw3g8SLDXH0nC6duMop2xRLu1NfcmgdvFUrc2zQZ2eZiUfnxuHvorUVFLHDqTNbvspar7lr3EI=,iv:lm0cvCCkN1JGnjTCpR/pqxaDYv/Agz1SS4QuJdT4QME=,tag:EXh41QsSbeKdeWyuI9CrXg==,type:str]
+ pgp:
+ - created_at: "2024-12-31T00:01:48Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAyqlIeyoxYovARAAujZltYu1Sjp6GZ64nBg7/7VfFrdWzAcRRIorVwShPGZZ
+ HLxtEpO5KjZ/Y97lrmM+z9uQE5P8B5F7yjb272yLzF2be7bMejEF7Lq5pb1vT4MB
+ 3awxNFf4B0TkVHzUOhggCuCWs1wJEfHAtZWs9ftwaEUuRmZCgjpG6mzsCeX2MXb5
+ gT8jHXeG02xWiLmo+qEyJpH11hOGFspgJbbw8xoiV4jyKuu4mMrjfLmj2hlqIH24
+ ICkvnCW/KE2DR0UJgnS1qen7JBbNegiYhUYZ+AV49UnYAn7GDrQZAfi1vCxcgZrg
+ AW9o6qFEHdP4/gHxpjDvePW0xMM1Q2w9m0JUuBtddw8N/yK1Q4SKEx5mFgYv8bmH
+ W72jdkbiFfeBYdSfCQUziUWPZSaWC6uHU1fTI7nKgfa6l0LmQJ+Ga/wlvZtmGsAw
+ DbjE/JpGNI9bzOOwmU2YA5knhBJwIuAe7J7oJd92Tt79uxv2DLnrJMXBHSbIUp9g
+ 1neteRt2Xp+tHwGt8Mldfu0R2YUw9Ft+sgRz3FpyFX9zHPwXV4zKvS/9ODPCpXB6
+ OBoCVLFk0EeB6y7REDoGCIMNeeEmsBq6/J/UkcQCHLj38dFzHBCoO/rpxi6JXuMt
+ 2w8Fm/9VHTeQNDyvWUW2vIFRmksxpq4sMsCghqYgBjotGv2eu6H5Jp6eSaPh2QmF
+ AgwDXjg0p2IN1X8BD/9M9YLokALo/odOm+2XZdl8Dm304qnGro6aVWqSKah1XZQF
+ PLViGtWjO8/YghXWPZLqNMk3koXBRBHsIMPRvepVagOyvhMVIHM7HUfzyjSFENjd
+ 1tC8CzWn5erO38gEgi8JMhMyINpjGNaF5OFjIYntQnU3sUgG2pIspaN+DqYy1Uxt
+ Mb/rLj9euPSSWTjF9GNjgOuk18Oehj3uuMvU2IdYJnt2wnemJ6SG7nAFUO3lgqzx
+ U42lZQsm5uurEdcih3Kax2nEiE6rkBUaln9CTd1CWZuvdD+s+0uRSxS3ZvHlLFzl
+ u26LerXXrtFmUySktvfgaRBf6Yf91FoIJvVTplKKWv/yxR7K0q7ax9fZOon8N3tm
+ ijj3vzjBIvmS8+426eyRIg9y1TMXEMaFOsobcRmGy588qx9ElZNbw/eHagWsAZHU
+ xYOaBvg7hR/XK09NMRbKGI39O52H9yfU9akceFDi1FaikBHrstbDyNmzqlUfTxby
+ NkC5H7jPqZ4Sc5sTOCt+sd6W2Yy6oZLnjNE+IoCP/vnrjneKgX9sVxH+VCSNDTuT
+ krS4OdtbHjXaHHFyUE1H3Ho2wPMIstNIWU9BkwHJ90yA4h8AEo0DCUeR1dhZAal8
+ 5Me4xE06vpnNMq0LuqpPlp1eDuMPRKnreR440P7mE5Fkamdnjv6e6Tlc13NA69Rm
+ AQkCEOrO5KUt/v4/fm4qS4yLCWfwlVYGt+YC58XgI3q44hwDaq9UKUgJ+EBi0mY1
+ W9ckfLtxyTcJcnEGSOS/vMClMfgww+tv06q1CPfkv00+fl6I20GAV0vNLIhMZbnE
+ rgRlvJht
+ =N0DM
+ -----END PGP MESSAGE-----
+ fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+ - created_at: "2024-12-31T00:01:48Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAy5t8IMoPu4VARAAnd42WnAiNvvWIeYw87Q7D2fMN7HaDQEhwynYk0UzBqc9
+ BsnjrZg4B71HjxJn2GFOtwzsHQDpsh/AE/HXNauXXIwwPKgf3h+mThyTiB+dVaKl
+ bjSJQX1ZGpNHMX3ctpugSmePXrB23pmr5cO6S5pQGP54iANjtZgTMNQO8VPBgWqf
+ fkpJwrsC0SWSORSLfvohxd/Ly1ygHw+N3Xe5ADcpyxcNJOZbbccVNbxOOlpk3C8a
+ sc8ho5J9+HoZUV/d0VBpEaGSbd9xhoZ4vHkB6pXF6vIR1FpoXZE8uHNhEmKJBJPb
+ mHIFWBPjlOMrDN25z6NKnQenatTo1f7XHcwl709eSrUJBaRHAL3bifLQC3C48SA7
+ kNb5eM+cp31WgtYvn25/8DwfVDZmbZFAMMI8tnxt/M8l/g/W0YfP2CzQmJslkYk8
+ 9kGu5DcGDHYcaX4DMy2dmUy2pmZCEYBxiTz4tSGTfHdqmvKNQtPofWrkr8hyNO4t
+ 7R3ir/nPR/Qn3xtm7DoguwXIJk54s9OvIEK/NNRVOss7uTDflPByoVYjAPfqeuoo
+ VXtjObPY+T6XLlpSoGOWPJb7LSG9larm60jEpBjU9zA4rJSgKNSOo2KIcflBI4uw
+ kCODLniJxWD/aOz8MGXs+5D81ZNIePjd9F8Uuq48K/G0w5yuG4T0s1b+j1Els3nU
+ ZgEJAhD+DcMHd5i/H5PvmGQGk7CQzW+Z4XVCqDh8UxagzSiU23a7cZZmI0wI9pj0
+ CD4DIG/3n+N4RBww1HkKzUXnCWk4H7YXuupOa1QMpOToy23grNNtYHuO4nD0Ajdb
+ 2x+dvreeww==
+ =eVGZ
+ -----END PGP MESSAGE-----
+ fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/main/apps/media/immich/ks.yaml b/kubernetes/main/apps/media/immich/ks.yaml
new file mode 100644
index 00000000..60448cfe
--- /dev/null
+++ b/kubernetes/main/apps/media/immich/ks.yaml
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: immich
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ targetNamespace: media
+ path: ./kubernetes/main/apps/media/immich/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: openebs
+ - name: openebs-sc
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
diff --git a/kubernetes/main/apps/media/kustomization.yaml b/kubernetes/main/apps/media/kustomization.yaml
index 0cb8bad8..f740fe14 100644
--- a/kubernetes/main/apps/media/kustomization.yaml
+++ b/kubernetes/main/apps/media/kustomization.yaml
@@ -12,4 +12,5 @@ resources:
- ./tautulli
- ./ombi
- ./freshrss
-- ./navidrome/ks.yaml
\ No newline at end of file
+- ./navidrome/ks.yaml
+- ./immich/ks.yaml