othrayte/infra
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Add an immich server

Browse Source
This commit is contained in:
Adrian Cowan
2025-10-11 14:49:45 +11:00
parent b53bfe4075
commit e2562ce4b0
4 changed files with 176 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
2-nomad-config/immich.nomad.hcl Normal file
View File

@@ -0,0 +1,106 @@
job "immich" {
group "immich" {
network {
mode = "bridge"
port "http" {
to = 2283
}
}
service {
connect {
sidecar_service {
proxy {
# TODO https://docs.immich.app/administration/postgres-standalone#prerequisites
upstreams {
destination_name = "postgres"
local_bind_port = 5432
}
}
}
}
}
task "immich-server" {
driver = "docker"
config {
image = "ghcr.io/immich-app/immich-server:release"
ports = ["http"]
}
service {
name = "immich"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.immich.middlewares=auth@file",
]
# Todo try GET /server/ping (https://api.immich.app/endpoints/server/pingServer)
# https://github.com/immich-app/immich-charts/blob/main/charts/immich/templates/server.yaml#L57
check {
name = "alive"
type = "tcp"
port = "http"
interval = "10s"
timeout = "2s"
}
}
env {
UPLOAD_LOCATION = "./library"
TZ = "Australia/Melbourne"
REDIS_HOSTNAME = "localhost"
DB_HOSTNAME = "localhost"
}
volume_mount {
volume = "unraid_appdata_immich"
destination = "/data"
read_only = false
}
resources {
cpu = 200
memory = 1024
}
template {
data = <<EOH
DB_USERNAME="immich"
DB_PASSWORD="{{ with nomadVar "nomad/jobs/immich" }}{{ .database_pw }}{{ end }}"
EOH
destination = "secrets/db.env"
env = true # Load the file as environment variables
}
}
volume "unraid_appdata_immich" {
type = "csi"
read_only = false
source = "unraid_appdata_immich"
access_mode = "single-node-writer"
attachment_mode = "file-system"
mount_options {
mount_flags = ["uid=1000", "gid=1000"]
}
}
task "immich-machine-learning" {
driver = "docker"
config {
image = "ghcr.io/immich-app/immich-machine-learning:release"
}
}
task "redis" {
driver = "docker"
config {
image = "docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571"
}
}
}
}

60
2-nomad-config/immich.tf Normal file
View File

@@ -0,0 +1,60 @@
resource "nomad_job" "immich" {
jobspec = file("immich.nomad.hcl")
}
resource "postgresql_role" "immich" {
name = "immich"
password = data.sops_file.secrets.data["immich.database_pw"]
login = true
}
resource "postgresql_database" "immich" {
name = "immich"
owner = postgresql_role.immich.name
}
resource "postgresql_extension" "immich_vchord" {
name = "vchord"
database = postgresql_database.immich.name
create_cascade = true
}
resource "postgresql_extension" "immich_earthdistance" {
name = "earthdistance"
database = postgresql_database.immich.name
create_cascade = true
}
resource "nomad_variable" "immich" {
path = "nomad/jobs/immich"
items = {
database_pw = data.sops_file.secrets.data["immich.database_pw"]
}
}
resource "nomad_csi_volume_registration" "unraid_appdata_immich" {
#Note: Before chaning the definition of this volume you need to stop the jobs that are using it
depends_on = [data.nomad_plugin.smb]
plugin_id = "smb"
volume_id = "unraid_appdata_immich"
name = "unraid_appdata_immich"
external_id = "unraid_appdata_immich"
capability {
access_mode = "single-node-writer"
attachment_mode = "file-system"
}
context = {
source = "//192.168.1.192/appdata"
subDir = "immich" # Note: Needs to be manually created on the share
}
secrets = {
"username" = "nomad"
"password" = data.sops_file.secrets.data["unraid.nomad"]
}
}

7
2-nomad-config/postgres.nomad.hcl
View File

@@ -13,7 +13,10 @@ job "postgres" {
driver = "docker" driver = "docker"
config { config {
image = "postgres:latest" # Temporarily pin to v17 as v18 moved the default data directory and immich doesn't officially support it yet
# immich also needs >= 0.3.0, < 0.5.0. https://docs.immich.app/administration/postgres-standalone/#prerequisites
#image = "postgres:17"
image = "tensorchord/vchord-postgres:pg17-v0.4.3"
ports = ["db"] ports = ["db"]
volumes = [ volumes = [
@@ -35,7 +38,7 @@ job "postgres" {
resources { resources {
cpu = 500 cpu = 500
memory = 512 memory = 1024
} }
template { template {

7
2-nomad-config/secrets.enc.json
View File

@@ -29,6 +29,9 @@
"traefik": { "traefik": {
"cf_tunnel_token": "ENC[AES256_GCM,data:IgrmKwdeipix1dIXNuXnTWN5rCZjClbKZQJfgr5c2IP/n8bcc/nG5Wb42WL2C4hTeVqhG5p62ZXoz0j4dNAjxvuzcW/P0XeSYaiDRXMNWKhNIcK7jOexgswio0sUC+F7f3fa6HH4C02Mx8dWoFZChYtM5EhGdcEwVwspyBlMhTSHTz+/w5T9OqH18o132ZTM6kMQY85sgH36azWoSw73N+aC4ANhgybuok06z6R5D2jMdDX47Bo5bg==,iv:yOcUDTYHh58iejbl0wxNJO1hcDypcBq6KlHKyqnMSVk=,tag:CMyHKgahkIGdXItMJ1/hOg==,type:str]" "cf_tunnel_token": "ENC[AES256_GCM,data:IgrmKwdeipix1dIXNuXnTWN5rCZjClbKZQJfgr5c2IP/n8bcc/nG5Wb42WL2C4hTeVqhG5p62ZXoz0j4dNAjxvuzcW/P0XeSYaiDRXMNWKhNIcK7jOexgswio0sUC+F7f3fa6HH4C02Mx8dWoFZChYtM5EhGdcEwVwspyBlMhTSHTz+/w5T9OqH18o132ZTM6kMQY85sgH36azWoSw73N+aC4ANhgybuok06z6R5D2jMdDX47Bo5bg==,iv:yOcUDTYHh58iejbl0wxNJO1hcDypcBq6KlHKyqnMSVk=,tag:CMyHKgahkIGdXItMJ1/hOg==,type:str]"
}, },
"immich": {
"database_pw": "ENC[AES256_GCM,data:SUyMGqu7deZyZpVt,iv:asZehOvn/JamwFyS+Xl9Xpr4JFkKlJjHVw7LywYOxTc=,tag:plRvuv7+ievfEhxurBl7YQ==,type:str]"
},
"sops": { "sops": {
"age": [ "age": [
{ {
@@ -36,8 +39,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-10-11T03:45:00Z", "lastmodified": "2025-10-11T03:45:25Z",
"mac": "ENC[AES256_GCM,data:zLaCBYKSnXc81LOSuKHlBkiclsvV2B88SUFvy5oW2kL+Sbu3x058oE0P6T+9BlKkfKWLuTKjMwzAQGPeY0wjHtS4htxpcnMl+uVni888jr3lDLe7IPDReOp7Liv7UddQnLP9ftLIxZEOCeFtCP3/jkCEFbD8t30tLM2hSO6MjgM=,iv:IuMsWEQWZT537vMgfOFxdw2kwJO2rB5PmhsjJsnE934=,tag:8j5hVJCsvffebuj2Ay7zgg==,type:str]", "mac": "ENC[AES256_GCM,data:GfOzYXFJVo6GTVyw2LOXOwrwBV27GN7SGNi3AZpiQUvLMZZQrC0swuH+/xmXzvOhVTdvAmW8tuR9Ue3yaK0orTIvhCb4rURitjyTu6cnVdmPYA5RGLLjt97sUcuqaafESwPGJSdjWUK/Ff6pqlPkQNU53/MScv53xGbpGYEfSho=,iv:0px5+uUXd6UkSoKaX7siPr/3gkitwzGr/BUxvZ9Y6Jo=,tag:ln31oDutGKK+rgaWrEPV2g==,type:str]",
"encrypted_regex": "^(.*)$", "encrypted_regex": "^(.*)$",
"version": "3.10.2" "version": "3.10.2"
} }