blumeops/argocd/manifests/databases/immich-pg.yaml

# PostgreSQL Cluster for Immich
# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector search
# See: https://github.com/immich-app/immich/discussions/9060
# Managed by CloudNativePG operator
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: immich-pg
  namespace: databases
spec:
  instances: 1
  # VectorChord image for PostgreSQL 17 with VectorChord 0.5.0
  # Immich v2.4.1 requires VectorChord >=0.3 <0.6
  # See: https://github.com/tensorchord/VectorChord
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0

  storage:
    size: 10Gi
    storageClass: standard

  # Bootstrap creates initial database and owner
  bootstrap:
    initdb:
      database: immich
      owner: immich
      postInitSQL:
        # Extensions required by Immich
        - CREATE EXTENSION IF NOT EXISTS vector;
        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
        - CREATE EXTENSION IF NOT EXISTS cube CASCADE;
        - CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;

  # Managed roles
  # Note: connectionLimit, ensure, inherit are CNPG defaults added to prevent ArgoCD drift
  managed:
    roles:
      # borgmatic read-only user for backups
      - name: borgmatic
        login: true
        connectionLimit: -1
        ensure: present
        inherit: true
        inRoles:
          - pg_read_all_data
        passwordSecret:
          name: immich-pg-borgmatic

  # Resource limits for minikube environment
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "500m"

  # PostgreSQL configuration
  postgresql:
    # VectorChord requires vchord.so in shared_preload_libraries
    shared_preload_libraries:
      - "vchord.so"
    parameters:
      max_connections: "50"
      shared_buffers: "128MB"
      password_encryption: "scram-sha-256"
    pg_hba:
      # Allow connections from k8s pods
      - host all all 0.0.0.0/0 scram-sha-256
      - host all all ::/0 scram-sha-256
Add Immich photo management + migrate forge URLs (#62) ## Summary - Migrate all ArgoCD app repo URLs from `indri.tail8d86e.ts.net:2200` to `forge.ops.eblu.me:2222` - Add Immich self-hosted photo management service with: - Helm chart deployment via ArgoCD - PostgreSQL cluster with pgvecto.rs for AI vector search (immich-pg) - NFS storage on sifaka for photo library (2Ti) - Tailscale Ingress + Caddy proxy for `photos.ops.eblu.me` - Machine learning service for face/object recognition ## Deployment and Testing - [x] Update ArgoCD repo-creds-forge secret with new URL (one-time manual step) - [ ] Sync `apps` to pick up new applications - [ ] Sync all existing apps to verify new forge URL works - [ ] Sync `blumeops-pg` to deploy immich-pg cluster - [ ] Wait for immich-pg to be healthy - [ ] Create immich-db secret from auto-generated password - [ ] Sync `immich-storage` (PV, PVC, Ingress) - [ ] Sync `immich` (Helm chart) - [ ] Run `mise run provision-indri -- --tags caddy` to add photos.ops.eblu.me - [ ] Verify Immich UI is accessible 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/62 2026-01-26 11:20:11 -08:00			`# PostgreSQL Cluster for Immich`
			`# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector search`
			`# See: https://github.com/immich-app/immich/discussions/9060`
			`# Managed by CloudNativePG operator`
			`apiVersion: postgresql.cnpg.io/v1`
			`kind: Cluster`
			`metadata:`
			`name: immich-pg`
			`namespace: databases`
			`spec:`
			`instances: 1`
			`# VectorChord image for PostgreSQL 17 with VectorChord 0.5.0`
			`# Immich v2.4.1 requires VectorChord >=0.3 <0.6`
			`# See: https://github.com/tensorchord/VectorChord`
			`imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0`

			`storage:`
			`size: 10Gi`
			`storageClass: standard`

			`# Bootstrap creates initial database and owner`
			`bootstrap:`
			`initdb:`
			`database: immich`
			`owner: immich`
			`postInitSQL:`
			`# Extensions required by Immich`
			`- CREATE EXTENSION IF NOT EXISTS vector;`
			`- CREATE EXTENSION IF NOT EXISTS vchord CASCADE;`
			`- CREATE EXTENSION IF NOT EXISTS cube CASCADE;`
			`- CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;`

Add borgmatic backups for authentik and immich databases Closes the gap where only miniflux and teslamate were backed up. Authentik (blumeops-pg) just needed a config entry. Immich (immich-pg) required a new borgmatic managed role, ExternalSecret, Tailscale service, and Caddy L4 proxy on port 5433. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-27 16:52:41 -07:00			`# Managed roles`
			`# Note: connectionLimit, ensure, inherit are CNPG defaults added to prevent ArgoCD drift`
			`managed:`
			`roles:`
			`# borgmatic read-only user for backups`
			`- name: borgmatic`
			`login: true`
			`connectionLimit: -1`
			`ensure: present`
			`inherit: true`
			`inRoles:`
			`- pg_read_all_data`
			`passwordSecret:`
			`name: immich-pg-borgmatic`

Add Immich photo management + migrate forge URLs (#62) ## Summary - Migrate all ArgoCD app repo URLs from `indri.tail8d86e.ts.net:2200` to `forge.ops.eblu.me:2222` - Add Immich self-hosted photo management service with: - Helm chart deployment via ArgoCD - PostgreSQL cluster with pgvecto.rs for AI vector search (immich-pg) - NFS storage on sifaka for photo library (2Ti) - Tailscale Ingress + Caddy proxy for `photos.ops.eblu.me` - Machine learning service for face/object recognition ## Deployment and Testing - [x] Update ArgoCD repo-creds-forge secret with new URL (one-time manual step) - [ ] Sync `apps` to pick up new applications - [ ] Sync all existing apps to verify new forge URL works - [ ] Sync `blumeops-pg` to deploy immich-pg cluster - [ ] Wait for immich-pg to be healthy - [ ] Create immich-db secret from auto-generated password - [ ] Sync `immich-storage` (PV, PVC, Ingress) - [ ] Sync `immich` (Helm chart) - [ ] Run `mise run provision-indri -- --tags caddy` to add photos.ops.eblu.me - [ ] Verify Immich UI is accessible 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/62 2026-01-26 11:20:11 -08:00			`# Resource limits for minikube environment`
			`resources:`
			`requests:`
			`memory: "256Mi"`
			`cpu: "100m"`
			`limits:`
			`memory: "1Gi"`
			`cpu: "500m"`

			`# PostgreSQL configuration`
			`postgresql:`
			`# VectorChord requires vchord.so in shared_preload_libraries`
			`shared_preload_libraries:`
			`- "vchord.so"`
			`parameters:`
			`max_connections: "50"`
			`shared_buffers: "128MB"`
			`password_encryption: "scram-sha-256"`
			`pg_hba:`
			`# Allow connections from k8s pods`
			`- host all all 0.0.0.0/0 scram-sha-256`
			`- host all all ::/0 scram-sha-256`