feat: add immich

kubernetes/apps/database/cloudnative-pg/templates/cluster.yaml

@@ -11,7 +11,7 @@ spec:
   instances: 2
   # yamllint disable rule:line-length
   # renovate: datasource=docker depName=ghcr.io/cloudnative-pg/postgresql versioning=redhat
-  imageName: "ghcr.io/cloudnative-pg/postgresql:16.4-5"
+  imageName: "ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.4-v0.3.0"
   # yamllint enable rule:line-length
   enableSuperuserAccess: true
   inheritedMetadata:
@@ -27,6 +27,8 @@ spec:
     recovery:
       source: &previousCluster postgres-v4
   postgresql:
+    shared_preload_libraries:
+      - "vectors.so"
     parameters:
       max_connections: "600"
       shared_buffers: 512MB

kubernetes/apps/default/immich/Chart.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/chart.json
+apiVersion: v2
+name: immich
+version: 1.0.0
+type: application
+dependencies:
+  - name: app-template
+    version: 3.4.0
+    repository: https://bjw-s.github.io/helm-charts

kubernetes/apps/default/immich/application.yaml

@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/argoproj.io/application_v1alpha1.json
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: immich
+  namespace: argocd
+spec:
+  project: default
+  sources:
+    - repoURL: https://github.com/deedee-ops/home-ops.git
+      targetRevision: master
+      path: kubernetes/apps/default/immich
+      plugin:
+        name: argocd-vault-plugin-helm
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: restricted
+        pod-security.kubernetes.io/audit: restricted
+        pod-security.kubernetes.io/warn: restricted

kubernetes/apps/default/immich/files/authelia.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: disabled
+identity_providers:
+  oidc:
+    clients:
+      - client_id: immich
+        client_name: Immich
+        # docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512
+        # --random --random.length 72 --random.charset rfc3986
+        client_secret: '<path:kubernetes/data/internal/immich#OIDC_SECRET_ENCRYPTED>'
+        consent_mode: 'implicit'
+        public: false
+        authorization_policy: 'two_factor'
+        require_pkce: false
+        redirect_uris:
+          - 'app.immich:///oauth-callback'
+          - 'https://immich.<path:kubernetes/data/internal/base#ROOT_DOMAIN>/auth/login'
+          - 'https://immich.<path:kubernetes/data/internal/base#ROOT_DOMAIN>/user-settings'
+        scopes:
+          - 'email'
+          - 'openid'
+          - 'profile'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

kubernetes/apps/default/immich/files/config.json

@@ -0,0 +1,180 @@
+{
+  "ffmpeg": {
+    "crf": 23,
+    "threads": 0,
+    "preset": "medium",
+    "targetVideoCodec": "h264",
+    "acceptedVideoCodecs": [
+      "h264"
+    ],
+    "targetAudioCodec": "aac",
+    "acceptedAudioCodecs": [
+      "aac",
+      "mp3"
+    ],
+    "acceptedContainers": [
+      "mov",
+      "ogg",
+      "webm"
+    ],
+    "targetResolution": "1080",
+    "maxBitrate": "0",
+    "bframes": -1,
+    "refs": 0,
+    "gopSize": 0,
+    "npl": 0,
+    "temporalAQ": false,
+    "cqMode": "auto",
+    "twoPass": false,
+    "preferredHwDevice": "auto",
+    "transcode": "required",
+    "tonemap": "hable",
+    "accel": "qsv",
+    "accelDecode": true
+  },
+  "job": {
+    "backgroundTask": {
+      "concurrency": 5
+    },
+    "smartSearch": {
+      "concurrency": 2
+    },
+    "metadataExtraction": {
+      "concurrency": 5
+    },
+    "faceDetection": {
+      "concurrency": 2
+    },
+    "search": {
+      "concurrency": 5
+    },
+    "sidecar": {
+      "concurrency": 5
+    },
+    "library": {
+      "concurrency": 5
+    },
+    "migration": {
+      "concurrency": 5
+    },
+    "thumbnailGeneration": {
+      "concurrency": 3
+    },
+    "videoConversion": {
+      "concurrency": 1
+    },
+    "notifications": {
+      "concurrency": 5
+    }
+  },
+  "logging": {
+    "enabled": true,
+    "level": "log"
+  },
+  "machineLearning": {
+    "enabled": true,
+    "url": "http://immich-machine-learning.default.svc.cluster.local:3003",
+    "clip": {
+      "enabled": true,
+      "modelName": "ViT-B-32__openai"
+    },
+    "duplicateDetection": {
+      "enabled": true,
+      "maxDistance": 0.01
+    },
+    "facialRecognition": {
+      "enabled": false,
+      "modelName": "buffalo_l",
+      "minScore": 0.7,
+      "maxDistance": 0.5,
+      "minFaces": 3
+    }
+  },
+  "map": {
+    "enabled": true,
+    "lightStyle": "",
+    "darkStyle": ""
+  },
+  "reverseGeocoding": {
+    "enabled": true
+  },
+  "metadata": {
+    "faces": {
+      "import": true
+    }
+  },
+  "oauth": {
+    "autoLaunch": true,
+    "autoRegister": false,
+    "buttonText": "Login with Authelia",
+    "clientId": "immich",
+    "clientSecret": "<path:kubernetes/data/internal/immich#OIDC_SECRET_RAW>",
+    "defaultStorageQuota": 0,
+    "enabled": true,
+    "issuerUrl": "https://authelia.<path:kubernetes/data/internal/base#ROOT_DOMAIN>",
+    "mobileOverrideEnabled": false,
+    "mobileRedirectUri": "",
+    "scope": "openid email profile",
+    "signingAlgorithm": "RS256",
+    "profileSigningAlgorithm": "none",
+    "storageLabelClaim": "preferred_username",
+    "storageQuotaClaim": "immich_quota"
+  },
+  "passwordLogin": {
+    "enabled": true
+  },
+  "storageTemplate": {
+    "enabled": false,
+    "hashVerificationEnabled": true,
+    "template": "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}"
+  },
+  "image": {
+    "thumbnailFormat": "webp",
+    "thumbnailSize": 250,
+    "previewFormat": "jpeg",
+    "previewSize": 1440,
+    "quality": 80,
+    "colorspace": "p3",
+    "extractEmbedded": false
+  },
+  "newVersionCheck": {
+    "enabled": false
+  },
+  "trash": {
+    "enabled": true,
+    "days": 30
+  },
+  "theme": {
+    "customCss": ""
+  },
+  "library": {
+    "scan": {
+      "enabled": true,
+      "cronExpression": "0 0 * * *"
+    },
+    "watch": {
+      "enabled": false
+    }
+  },
+  "server": {
+    "externalDomain": "https://immich.<path:kubernetes/data/internal/base#ROOT_DOMAIN>",
+    "loginPageMessage": ""
+  },
+  "notifications": {
+    "smtp": {
+      "enabled": true,
+      "from": "<path:kubernetes/data/internal/base#MAIL_FROM_CLUSTER>",
+      "replyTo": "",
+      "transport": {
+        "ignoreCert": false,
+        "host": "smtp-relay.networking.svc.cluster.local",
+        "port": 25,
+        "username": "",
+        "password": ""
+      }
+    }
+  },
+  "user": {
+    "deleteDelay": 7
+  }
+}

kubernetes/apps/default/immich/templates/authelia.tmpl.yaml

@@ -0,0 +1,14 @@
+---
+# yamllint disable rule:line-length
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/configmap-v1.json
+# yamllint enable rule:line-length
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: immich-authelia
+  labels:
+    authelia.com/enabled: "true"
+data:
+  immich.yaml: |
+{{ .Files.Get "files/authelia.yaml" | indent 4 }}
+

kubernetes/apps/default/immich/templates/config.tmpl.yaml

@@ -0,0 +1,13 @@
+---
+# yamllint disable rule:line-length
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/configmap-v1.json
+# yamllint enable rule:line-length
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: immich-configmap
+data:
+  config.json: |
+{{ .Files.Get "files/config.json" | indent 4 }}
+
+

kubernetes/apps/default/immich/templates/initdb.yaml

@@ -0,0 +1,46 @@
+---
+# yamllint disable rule:line-length
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/job.json
+# yamllint enable
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: immich-init-db-
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: init-db
+          image: ghcr.io/deedee-ops/postgres-init:16.4
+          volumeMounts:
+            - mountPath: /secrets
+              name: secrets
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: immich
+          name: secrets
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+
+# @todo, automate:
+# ALTER DATABASE immich SET search_path TO "$user", public, vectors;
+# CREATE EXTENSION IF NOT EXISTS vectors;
+# CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+# ALTER SCHEMA vectors OWNER TO pg_database_owner;

kubernetes/apps/default/immich/templates/network_policy.yaml

@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: immich
+specs:
+  - endpointSelector:
+      matchLabels:
+        app.kubernetes.io/name: immich
+        app.kubernetes.io/component: machine-learning
+    egress:
+      - toPorts:
+          - ports:
+              - port: "53"
+                protocol: ANY
+            rules:
+              dns:
+                - matchPattern: "*"
+      - toFQDNs:
+          - matchName: huggingface.co
+          - matchPattern: "*.huggingface.co"

kubernetes/apps/default/immich/templates/pvc.yaml

@@ -0,0 +1,32 @@
+# yamllint disable rule:line-length
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/persistentvolumeclaim.json
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: immich-external
+  annotations:
+    nfs.io/storage-path: photos
+spec:
+  storageClassName: nfs-client-media
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 7Ti  # use rough size of NAS NFS volume to silence "volume filling up" alerts
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master-standalone/persistentvolumeclaim.json
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: immich-data
+  annotations:
+    nfs.io/storage-path: immich
+spec:
+  storageClassName: nfs-client-kubernetes
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 7Ti  # use rough size of NAS NFS volume to silence "volume filling up" alerts
+# yamllint enable rule:line-length