Erich Blume
5f9bc20345
## Summary
- Widen `repo-creds-forge` URL prefix from `/eblume/` to host-wide `/` so it matches repos in all forge orgs (fixes `mirrors/` repos not getting SSH credentials)
- Update 8 ArgoCD app definitions from `eblume/<mirror>` → `mirrors/<mirror>` (immich-charts, cloudnative-pg-charts, external-secrets, connect-helm-charts)
- Fix stale alloy clone comment in Ansible defaults
- Bump immich v2.5.2 → v2.5.6 (bug-fix patches only)
- Update ArgoCD README bootstrap command and credential docs
## Context
Mirrors were migrated from `forge.ops.eblu.me/eblume/` to `forge.ops.eblu.me/mirrors/` in commit `
|
||
|---|---|---|
| .. | ||
| ingress-tailscale.yaml | ||
| kustomization.yaml | ||
| pv-nfs.yaml | ||
| pvc.yaml | ||
| README.md | ||
| values.yaml | ||
Immich
Self-hosted photo and video management solution with AI-powered search and face recognition.
Prerequisites
- NFS Share: Create
/volume1/photoson sifaka with NFS permissions for indri - PostgreSQL: The
immich-pgcluster (with pgvecto.rs) must be healthy - Secrets: Create the database password secret
Deployment Order
- Sync
blumeops-pg(to get CloudNativePG operator if not already running) - Sync
immich-storage(creates PV, PVC, and Tailscale Ingress) - Wait for
immich-pgcluster to be healthy - Create secrets (see below)
- Sync
immich(deploys the Helm chart) - Run
mise run provision-indri -- --tags caddyto update Caddy config
Secret Setup
The immich-db secret contains the database password, which is auto-generated by CloudNativePG
in the immich-pg-app secret. To create or regenerate the secret:
# Create namespace if needed
kubectl --context=minikube-indri create namespace immich
# Copy password from CNPG secret to immich namespace
kubectl --context=minikube-indri create secret generic immich-db -n immich \
--from-literal=password="$(kubectl --context=minikube-indri -n databases get secret immich-pg-app -o jsonpath='{.data.password}' | base64 -d)"
Note: This secret is not managed by ExternalSecrets since the source of truth is the CNPG-generated secret.
Access
- URL: https://photos.ops.eblu.me (after Caddy is updated)
- Tailscale: https://photos.tail8d86e.ts.net (direct)
First-Time Setup
- Navigate to https://photos.ops.eblu.me
- Create an admin account
- Configure external library (optional - for importing existing photos)
External Library (iCloud Photos)
To import existing photos from iCloud sync on indri:
- In Immich Admin > External Libraries, create a new library
- Set the import path to the location where iCloud photos sync
- Configure scan schedule or trigger manual scan
Architecture
┌─────────────────┐ ┌─────────────────┐
│ immich-server │────▶│ immich-pg │
│ (web/api) │ │ (PostgreSQL │
└────────┬────────┘ │ + pgvecto.rs) │
│ └─────────────────┘
│
┌────────▼────────┐ ┌─────────────────┐
│ immich-ml │ │ valkey │
│ (ML inference) │ │ (Redis cache) │
└─────────────────┘ └─────────────────┘
│
┌────────▼────────┐
│ sifaka NFS │
│ /volume1/photos│
└─────────────────┘
Helm Values
The Helm chart is configured via values.yaml. Key settings:
image.tag: Immich version (update manually)immich.persistence.library.existingClaim: Points toimmich-libraryPVCmachine-learning.enabled: AI features for face/object recognitionvalkey.enabled: Redis cache included in chart
Troubleshooting
# Check pods
kubectl -n immich get pods
# Check immich-pg cluster
kubectl -n databases get cluster immich-pg
# View server logs
kubectl -n immich logs -l app.kubernetes.io/name=immich-server
# View ML logs
kubectl -n immich logs -l app.kubernetes.io/name=immich-machine-learning
# Check PVC binding
kubectl -n immich get pvc