feat: add immich

kubernetes/main/apps/media/immich/app/helm-release.yaml

@@ -0,0 +1,103 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: immich
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+  values:
+    controllers:
+      immich:
+        containers:
+          app:
+            image:
+              repository: ghcr.io/immich-app/immich-server
+              tag: v1.122.3
+            envFrom: &envFrom
+              - secretRef:
+                  name: immich-secret
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: &port 2283
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+              startup:
+                enabled: true
+                spec:
+                  failureThreshold: 30
+                  periodSeconds: 10
+            # resources:
+            #   requests:
+            #     cpu: 2m
+            #     memory: 1500Mi
+            #   limits:
+            #     memory: 3200Mi
+          machine-learning:
+            image:
+              repository: ghcr.io/immich-app/immich-machine-learning
+              tag: v1.122.3-openvino
+            envFrom: *envFrom
+            resources:
+              limits:
+                gpu.intel.com/i915: 1
+#    defaultPodOptions:
+#      securityContext:
+#        runAsUser: 10000
+#        runAsGroup: 10000
+#        fsGroup: 10000
+#        fsGroupChangePolicy: OnRootMismatch
+    
+    service:
+      app:
+        controller: immich
+        ports:
+          http:
+            port: *port
+          mlhttp:
+            port: 3003
+    
+    ingress:
+      app:
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: "immich.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+                  
+    persistence:
+      mlcache:
+        type: emptyDir
+        accessMode: ReadWriteMany
+        size: 10Gi
+        advancedMounts:
+          immich: # controller name
+            machine-learning: # container name
+            - path: /cache
+      storage:
+        type: hostPath
+        hostPath: /mnt/MainPool/Media/Photos
+        advancedMounts:
+          immich:
+            app:
+            - path: /usr/src/app/upload

kubernetes/main/apps/media/immich/app/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./secret.sops.yaml
+- ./helm-release.yaml

kubernetes/main/apps/media/immich/app/secret.sops.yaml

@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: immich-secret
+    namespace: media
+stringData:
+    REDIS_HOSTNAME: ENC[AES256_GCM,data:Lqn6/AMXLa+13acO3PjFPMnn,iv:NCko1SPVv6G1hEVqGrMvkvEAo070Kpd0Yn2G+kHLrc0=,tag:ixPPBLHLQ+YAcSyjJxXisA==,type:str]
+    REDIS_PASSWORD: ENC[AES256_GCM,data:klwA1O//Ts82sC1umJcSobUq6mfO9IG4TAeKQ20=,iv:r0RF+aN3+EXq5NVB/nPFkt/59fqdzCKjWh9jyeyKkMg=,tag:AbvtMDXzlHVQfyMDZfD4hA==,type:str]
+    DB_HOSTNAME: ENC[AES256_GCM,data:C4GG7OqFd5RVBxPeqsKYQ+IQI911PaNt9fY=,iv:rw6A1vXdRvhdk2A6NZ3y3kwt4OwcPsVyloFNECD6CKM=,tag:TVsoAn4aGwqnfwiRUkGRWg==,type:str]
+    DB_DATABASE_NAME: ENC[AES256_GCM,data:qcaJ3eAg,iv:PmOJOJqxsS05Jnjz7MPbJUvqbNu9Hqdopz4AnT3CCXg=,tag:J0hCI9cwekjfnIW2/v122g==,type:str]
+    DB_USERNAME: ENC[AES256_GCM,data:qjcLby68,iv:IkhCJwirOsYGcTJYawAk5QJmrLJ8TMkNHDaVQJom9qY=,tag:7pufxIcm1ALbicV2Pf+PIQ==,type:str]
+    DB_PASSWORD: ENC[AES256_GCM,data:mJns8nHbVvasRASX1gyBMplvP5K14G9vZCbWGGm7VtQ=,iv:q4M3cqGhPBTJipteIXIMm9NtjygY45bzCFguko3PQMI=,tag:AsNPx+P4bjkbDcoA4uIDSg==,type:str]
+    IMMICH_MACHINE_LEARNING_URL: ENC[AES256_GCM,data:pqRoNqJ0MfuThxaOS+lVVVJNnQlV,iv:lMPALDTqoUrlQ7ponGGchLs6ToFKJfGm++RjRpx5Bzw=,tag:0dgfzg7VwUffJ0s+6urYkg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-12-31T00:01:48Z"
+    mac: ENC[AES256_GCM,data:EWQNFZUMxIi+5Ara/ki99tEsej8d54b8ST9EwlUh7IVybTlSUU8TOJ64YEy/bMmhQFCxIYllN5SPUn2kxyfU8w/zS7NkyDEnZpw3g8SLDXH0nC6duMop2xRLu1NfcmgdvFUrc2zQZ2eZiUfnxuHvorUVFLHDqTNbvspar7lr3EI=,iv:lm0cvCCkN1JGnjTCpR/pqxaDYv/Agz1SS4QuJdT4QME=,tag:EXh41QsSbeKdeWyuI9CrXg==,type:str]
+    pgp:
+        - created_at: "2024-12-31T00:01:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovARAAujZltYu1Sjp6GZ64nBg7/7VfFrdWzAcRRIorVwShPGZZ
+            HLxtEpO5KjZ/Y97lrmM+z9uQE5P8B5F7yjb272yLzF2be7bMejEF7Lq5pb1vT4MB
+            3awxNFf4B0TkVHzUOhggCuCWs1wJEfHAtZWs9ftwaEUuRmZCgjpG6mzsCeX2MXb5
+            gT8jHXeG02xWiLmo+qEyJpH11hOGFspgJbbw8xoiV4jyKuu4mMrjfLmj2hlqIH24
+            ICkvnCW/KE2DR0UJgnS1qen7JBbNegiYhUYZ+AV49UnYAn7GDrQZAfi1vCxcgZrg
+            AW9o6qFEHdP4/gHxpjDvePW0xMM1Q2w9m0JUuBtddw8N/yK1Q4SKEx5mFgYv8bmH
+            W72jdkbiFfeBYdSfCQUziUWPZSaWC6uHU1fTI7nKgfa6l0LmQJ+Ga/wlvZtmGsAw
+            DbjE/JpGNI9bzOOwmU2YA5knhBJwIuAe7J7oJd92Tt79uxv2DLnrJMXBHSbIUp9g
+            1neteRt2Xp+tHwGt8Mldfu0R2YUw9Ft+sgRz3FpyFX9zHPwXV4zKvS/9ODPCpXB6
+            OBoCVLFk0EeB6y7REDoGCIMNeeEmsBq6/J/UkcQCHLj38dFzHBCoO/rpxi6JXuMt
+            2w8Fm/9VHTeQNDyvWUW2vIFRmksxpq4sMsCghqYgBjotGv2eu6H5Jp6eSaPh2QmF
+            AgwDXjg0p2IN1X8BD/9M9YLokALo/odOm+2XZdl8Dm304qnGro6aVWqSKah1XZQF
+            PLViGtWjO8/YghXWPZLqNMk3koXBRBHsIMPRvepVagOyvhMVIHM7HUfzyjSFENjd
+            1tC8CzWn5erO38gEgi8JMhMyINpjGNaF5OFjIYntQnU3sUgG2pIspaN+DqYy1Uxt
+            Mb/rLj9euPSSWTjF9GNjgOuk18Oehj3uuMvU2IdYJnt2wnemJ6SG7nAFUO3lgqzx
+            U42lZQsm5uurEdcih3Kax2nEiE6rkBUaln9CTd1CWZuvdD+s+0uRSxS3ZvHlLFzl
+            u26LerXXrtFmUySktvfgaRBf6Yf91FoIJvVTplKKWv/yxR7K0q7ax9fZOon8N3tm
+            ijj3vzjBIvmS8+426eyRIg9y1TMXEMaFOsobcRmGy588qx9ElZNbw/eHagWsAZHU
+            xYOaBvg7hR/XK09NMRbKGI39O52H9yfU9akceFDi1FaikBHrstbDyNmzqlUfTxby
+            NkC5H7jPqZ4Sc5sTOCt+sd6W2Yy6oZLnjNE+IoCP/vnrjneKgX9sVxH+VCSNDTuT
+            krS4OdtbHjXaHHFyUE1H3Ho2wPMIstNIWU9BkwHJ90yA4h8AEo0DCUeR1dhZAal8
+            5Me4xE06vpnNMq0LuqpPlp1eDuMPRKnreR440P7mE5Fkamdnjv6e6Tlc13NA69Rm
+            AQkCEOrO5KUt/v4/fm4qS4yLCWfwlVYGt+YC58XgI3q44hwDaq9UKUgJ+EBi0mY1
+            W9ckfLtxyTcJcnEGSOS/vMClMfgww+tv06q1CPfkv00+fl6I20GAV0vNLIhMZbnE
+            rgRlvJht
+            =N0DM
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-12-31T00:01:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VARAAnd42WnAiNvvWIeYw87Q7D2fMN7HaDQEhwynYk0UzBqc9
+            BsnjrZg4B71HjxJn2GFOtwzsHQDpsh/AE/HXNauXXIwwPKgf3h+mThyTiB+dVaKl
+            bjSJQX1ZGpNHMX3ctpugSmePXrB23pmr5cO6S5pQGP54iANjtZgTMNQO8VPBgWqf
+            fkpJwrsC0SWSORSLfvohxd/Ly1ygHw+N3Xe5ADcpyxcNJOZbbccVNbxOOlpk3C8a
+            sc8ho5J9+HoZUV/d0VBpEaGSbd9xhoZ4vHkB6pXF6vIR1FpoXZE8uHNhEmKJBJPb
+            mHIFWBPjlOMrDN25z6NKnQenatTo1f7XHcwl709eSrUJBaRHAL3bifLQC3C48SA7
+            kNb5eM+cp31WgtYvn25/8DwfVDZmbZFAMMI8tnxt/M8l/g/W0YfP2CzQmJslkYk8
+            9kGu5DcGDHYcaX4DMy2dmUy2pmZCEYBxiTz4tSGTfHdqmvKNQtPofWrkr8hyNO4t
+            7R3ir/nPR/Qn3xtm7DoguwXIJk54s9OvIEK/NNRVOss7uTDflPByoVYjAPfqeuoo
+            VXtjObPY+T6XLlpSoGOWPJb7LSG9larm60jEpBjU9zA4rJSgKNSOo2KIcflBI4uw
+            kCODLniJxWD/aOz8MGXs+5D81ZNIePjd9F8Uuq48K/G0w5yuG4T0s1b+j1Els3nU
+            ZgEJAhD+DcMHd5i/H5PvmGQGk7CQzW+Z4XVCqDh8UxagzSiU23a7cZZmI0wI9pj0
+            CD4DIG/3n+N4RBww1HkKzUXnCWk4H7YXuupOa1QMpOToy23grNNtYHuO4nD0Ajdb
+            2x+dvreeww==
+            =eVGZ
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/main/apps/media/immich/ks.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: immich
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  targetNamespace: media
+  path: ./kubernetes/main/apps/media/immich/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: openebs
+    - name: openebs-sc
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/main/apps/media/kustomization.yaml

@@ -12,4 +12,5 @@ resources:
 - ./tautulli
 - ./ombi
 - ./freshrss
-- ./navidrome/ks.yaml
+- ./navidrome/ks.yaml
+- ./immich/ks.yaml