Add immich

README.md

@@ -103,7 +103,7 @@ kubectl -n datastore exec -it "$PRIMARY_POD" -- createdb --encoding=UTF8 --local
 ```
 
 #### gitea
-copy secret from datastore over to goatchat namespace
+copy secret from datastore over to gitea namespace
 ```sh
 kubectl get secrets -n datastore postgres-pguser-gitea -o json | jq 'del(.metadata.resourceVersion,.metadata.uid,.metadata.ownerReferences) | .metadata.creationTimestamp=null,.metadata.namespace="gitea"' | kubectl apply -f -
 ```
@@ -124,6 +124,11 @@ allow priviledge pods
 ```sh
 kubectl label namespace gitea pod-security.kubernetes.io/enforce=privileged
 ```
+#### Immich
+copy secret from datastore over to immich namespace
+```sh
+kubectl get secrets -n datastore postgres-pguser-immich -o json | jq 'del(.metadata.resourceVersion,.metadata.uid,.metadata.ownerReferences) | .metadata.creationTimestamp=null,.metadata.namespace="immich"' | kubectl apply -f -
+```
 
 #### Ghost Blogs
 I got tired of fighting the docker container so I manually overrode the `config.production.json`

helmfile.lock

@@ -15,6 +15,9 @@ dependencies:
 - name: grafana
   repository: https://grafana.github.io/helm-charts
   version: 8.10.4
+- name: immich
+  repository: https://immich-app.github.io/immich-charts
+  version: 0.9.1
 - name: k8up
   repository: https://k8up-io.github.io/k8up
   version: 4.8.4
@@ -51,5 +54,5 @@ dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
   version: 34.4.1
-digest: sha256:256e38bc7feb044a2b643abcc7f3fa2efbdfc7bad65647543be1917abde8b709
-generated: "2025-03-16T18:36:00.677364313-06:00"
+digest: sha256:d9f95a5155811ec4c166a0d351902b6a4d69cecbb9e466aca3b31721fd0fa7c9
+generated: "2025-03-16T22:05:07.757175164-06:00"

helmfile.yaml

@@ -148,6 +148,13 @@ releases:
       - name: adminApiSharedSecret
         value: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET"}}
 
+  - name: immich
+    namespace: immich
+    createNamespace: true
+    chart: immich/immich
+    values:
+      - immich/values.yaml.gotmpl
+      
   # website
   - name: incngrnt-web
     namespace: incngrnt-web

immich/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-data
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+

immich/values.yaml.gotmpl

@@ -0,0 +1,28 @@
+env:
+  DB_HOSTNAME: {{ exec "kubectl" (list "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
+  DB_USERNAME: {{ exec "kubectl" (list "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }}
+  DB_DATABASE_NAME: {{ exec "kubectl" (list "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }}
+  DB_PASSWORD: {{ exec "kubectl" (list "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }}
+  DB_VECTOR_EXTENSION: pgvector
+
+immich:
+  persistence:
+    library: 
+      existingClaim: immich-data
+  
+redis:
+  enabled: true
+
+
+server:
+  ingress:
+    main:
+      enabled: true
+      annotations:
+        "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+      hosts:
+        - host: photos.incngrnt.ca
+          paths:
+            - path: "/"
+              pathType: Prefix
+    

postgres/values.yaml

@@ -6,13 +6,14 @@ patroni:
     postgresql:
       pg_hba:
         - "host all all all scram-sha-256"
-
+    shared_preload_libraries: pgvector
 users:
   - name: grant
     databases:
       - postgres
       - synapse
-      - gitea     
+      - gitea
+      - immich
     options: "SUPERUSER LOGIN"
   - name: synapse
     databases:
@@ -22,6 +23,9 @@ users:
     databases:
       - gitea
     options: "LOGIN"      
-    
+  - name: immich
+    databases:
+      - immich
+    options: "LOGIN"