From e2562ce4b0b2c2262d18d7bb60d952aadc916fe9 Mon Sep 17 00:00:00 2001
From: Adrian Cowan <othrayte@gmail.com>
Date: Sat, 11 Oct 2025 14:49:45 +1100
Subject: [PATCH] Add an immich server

---
 2-nomad-config/immich.nomad.hcl   | 106 ++++++++++++++++++++++++++++++
 2-nomad-config/immich.tf          |  60 +++++++++++++++++
 2-nomad-config/postgres.nomad.hcl |   7 +-
 2-nomad-config/secrets.enc.json   |   7 +-
 4 files changed, 176 insertions(+), 4 deletions(-)
 create mode 100644 2-nomad-config/immich.nomad.hcl
 create mode 100644 2-nomad-config/immich.tf

diff --git a/2-nomad-config/immich.nomad.hcl b/2-nomad-config/immich.nomad.hcl
new file mode 100644
index 0000000..5d84161
--- /dev/null
+++ b/2-nomad-config/immich.nomad.hcl
@@ -0,0 +1,106 @@
+job "immich" {
+  group "immich" {
+    network {
+      mode = "bridge"
+      port "http" {
+        to = 2283
+      }
+    }
+    service {
+      connect {
+        sidecar_service {
+          proxy {
+            # TODO https://docs.immich.app/administration/postgres-standalone#prerequisites
+            upstreams {
+              destination_name = "postgres"
+              local_bind_port  = 5432
+            }
+          }
+        }
+      }
+    }
+
+    task "immich-server" {
+      driver = "docker"
+
+      config {
+        image = "ghcr.io/immich-app/immich-server:release"
+        ports = ["http"]
+      }
+
+      service {
+        name = "immich"
+        port = "http"
+
+        tags = [
+          "traefik.enable=true",
+          "traefik.http.routers.immich.middlewares=auth@file",
+        ]
+
+        # Todo try GET /server/ping (https://api.immich.app/endpoints/server/pingServer)
+        # https://github.com/immich-app/immich-charts/blob/main/charts/immich/templates/server.yaml#L57
+        check {
+          name     = "alive"
+          type     = "tcp"
+          port     = "http"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+
+      env {
+        UPLOAD_LOCATION = "./library"
+        TZ              = "Australia/Melbourne"
+        REDIS_HOSTNAME  = "localhost"
+        DB_HOSTNAME     = "localhost"
+      }
+
+      volume_mount {
+        volume      = "unraid_appdata_immich"
+        destination = "/data"
+        read_only   = false
+      }
+
+      resources {
+        cpu    = 200
+        memory = 1024
+      }
+
+      template {
+        data        = <<EOH
+DB_USERNAME="immich"
+DB_PASSWORD="{{ with nomadVar "nomad/jobs/immich" }}{{ .database_pw }}{{ end }}"
+EOH
+        destination = "secrets/db.env"
+        env         = true # Load the file as environment variables
+      }
+    }
+
+    volume "unraid_appdata_immich" {
+      type            = "csi"
+      read_only       = false
+      source          = "unraid_appdata_immich"
+      access_mode     = "single-node-writer"
+      attachment_mode = "file-system"
+
+      mount_options {
+        mount_flags = ["uid=1000", "gid=1000"]
+      }
+    }
+
+    task "immich-machine-learning" {
+      driver = "docker"
+      config {
+        image = "ghcr.io/immich-app/immich-machine-learning:release"
+      }
+    }
+
+    task "redis" {
+      driver = "docker"
+
+      config {
+        image = "docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571"
+      }
+    }
+  }
+}
diff --git a/2-nomad-config/immich.tf b/2-nomad-config/immich.tf
new file mode 100644
index 0000000..b2c7eb7
--- /dev/null
+++ b/2-nomad-config/immich.tf
@@ -0,0 +1,60 @@
+
+resource "nomad_job" "immich" {
+  jobspec = file("immich.nomad.hcl")
+}
+
+resource "postgresql_role" "immich" {
+  name     = "immich"
+  password = data.sops_file.secrets.data["immich.database_pw"]
+  login    = true
+}
+
+resource "postgresql_database" "immich" {
+  name  = "immich"
+  owner = postgresql_role.immich.name
+}
+
+resource "postgresql_extension" "immich_vchord" {
+  name           = "vchord"
+  database       = postgresql_database.immich.name
+  create_cascade = true
+}
+
+resource "postgresql_extension" "immich_earthdistance" {
+  name           = "earthdistance"
+  database       = postgresql_database.immich.name
+  create_cascade = true
+}
+
+resource "nomad_variable" "immich" {
+  path = "nomad/jobs/immich"
+  items = {
+    database_pw = data.sops_file.secrets.data["immich.database_pw"]
+  }
+}
+
+resource "nomad_csi_volume_registration" "unraid_appdata_immich" {
+  #Note: Before chaning the definition of this volume you need to stop the jobs that are using it
+  depends_on = [data.nomad_plugin.smb]
+  plugin_id  = "smb"
+
+  volume_id = "unraid_appdata_immich"
+  name      = "unraid_appdata_immich"
+
+  external_id = "unraid_appdata_immich"
+
+  capability {
+    access_mode     = "single-node-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    source = "//192.168.1.192/appdata"
+    subDir = "immich" # Note: Needs to be manually created on the share
+  }
+
+  secrets = {
+    "username" = "nomad"
+    "password" = data.sops_file.secrets.data["unraid.nomad"]
+  }
+}
diff --git a/2-nomad-config/postgres.nomad.hcl b/2-nomad-config/postgres.nomad.hcl
index ba259a8..f51ef77 100644
--- a/2-nomad-config/postgres.nomad.hcl
+++ b/2-nomad-config/postgres.nomad.hcl
@@ -13,7 +13,10 @@ job "postgres" {
       driver = "docker"
 
       config {
-        image = "postgres:latest"
+        # Temporarily pin to v17 as v18 moved the default data directory and immich doesn't officially support it yet
+        # immich also needs >= 0.3.0, < 0.5.0. https://docs.immich.app/administration/postgres-standalone/#prerequisites
+        #image = "postgres:17"  
+        image = "tensorchord/vchord-postgres:pg17-v0.4.3"
         ports = ["db"]
 
         volumes = [
@@ -35,7 +38,7 @@ job "postgres" {
 
       resources {
         cpu    = 500
-        memory = 512
+        memory = 1024
       }
 
       template {
diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json
index 8286fbd..c343ee8 100644
--- a/2-nomad-config/secrets.enc.json
+++ b/2-nomad-config/secrets.enc.json
@@ -29,6 +29,9 @@
 	"traefik": {
 		"cf_tunnel_token": "ENC[AES256_GCM,data:IgrmKwdeipix1dIXNuXnTWN5rCZjClbKZQJfgr5c2IP/n8bcc/nG5Wb42WL2C4hTeVqhG5p62ZXoz0j4dNAjxvuzcW/P0XeSYaiDRXMNWKhNIcK7jOexgswio0sUC+F7f3fa6HH4C02Mx8dWoFZChYtM5EhGdcEwVwspyBlMhTSHTz+/w5T9OqH18o132ZTM6kMQY85sgH36azWoSw73N+aC4ANhgybuok06z6R5D2jMdDX47Bo5bg==,iv:yOcUDTYHh58iejbl0wxNJO1hcDypcBq6KlHKyqnMSVk=,tag:CMyHKgahkIGdXItMJ1/hOg==,type:str]"
 	},
+	"immich": {
+		"database_pw": "ENC[AES256_GCM,data:SUyMGqu7deZyZpVt,iv:asZehOvn/JamwFyS+Xl9Xpr4JFkKlJjHVw7LywYOxTc=,tag:plRvuv7+ievfEhxurBl7YQ==,type:str]"
+	},
 	"sops": {
 		"age": [
 			{
@@ -36,8 +39,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-10-11T03:45:00Z",
-		"mac": "ENC[AES256_GCM,data:zLaCBYKSnXc81LOSuKHlBkiclsvV2B88SUFvy5oW2kL+Sbu3x058oE0P6T+9BlKkfKWLuTKjMwzAQGPeY0wjHtS4htxpcnMl+uVni888jr3lDLe7IPDReOp7Liv7UddQnLP9ftLIxZEOCeFtCP3/jkCEFbD8t30tLM2hSO6MjgM=,iv:IuMsWEQWZT537vMgfOFxdw2kwJO2rB5PmhsjJsnE934=,tag:8j5hVJCsvffebuj2Ay7zgg==,type:str]",
+		"lastmodified": "2025-10-11T03:45:25Z",
+		"mac": "ENC[AES256_GCM,data:GfOzYXFJVo6GTVyw2LOXOwrwBV27GN7SGNi3AZpiQUvLMZZQrC0swuH+/xmXzvOhVTdvAmW8tuR9Ue3yaK0orTIvhCb4rURitjyTu6cnVdmPYA5RGLLjt97sUcuqaafESwPGJSdjWUK/Ff6pqlPkQNU53/MScv53xGbpGYEfSho=,iv:0px5+uUXd6UkSoKaX7siPr/3gkitwzGr/BUxvZ9Y6Jo=,tag:ln31oDutGKK+rgaWrEPV2g==,type:str]",
 		"encrypted_regex": "^(.*)$",
 		"version": "3.10.2"
 	}