## Summary

- Migrate all ArgoCD app repo URLs from `indri.tail8d86e.ts.net:2200` to `forge.ops.eblu.me:2222`
- Add Immich self-hosted photo management service with:
  - Helm chart deployment via ArgoCD
  - PostgreSQL cluster with pgvecto.rs for AI vector search (immich-pg)
  - NFS storage on sifaka for photo library (2Ti)
  - Tailscale Ingress + Caddy proxy for `photos.ops.eblu.me`
  - Machine learning service for face/object recognition

## Deployment and Testing

- [x] Update ArgoCD repo-creds-forge secret with new URL (one-time manual step)
- [ ] Sync `apps` to pick up new applications
- [ ] Sync all existing apps to verify new forge URL works
- [ ] Sync `blumeops-pg` to deploy immich-pg cluster
- [ ] Wait for immich-pg to be healthy
- [ ] Create immich-db secret from auto-generated password
- [ ] Sync `immich-storage` (PV, PVC, Ingress)
- [ ] Sync `immich` (Helm chart)
- [ ] Run `mise run provision-indri -- --tags caddy` to add photos.ops.eblu.me
- [ ] Verify Immich UI is accessible

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/62

Files in this directory:

- ingress-tailscale.yaml
- kustomization.yaml
- pv-nfs.yaml
- pvc.yaml
- README.md
- secret-db.yaml.tpl
- values.yaml

Immich
Self-hosted photo and video management solution with AI-powered search and face recognition.
Prerequisites
- NFS Share: Create `/volume1/photos` on sifaka with NFS permissions for indri
- PostgreSQL: The `immich-pg` cluster (with pgvecto.rs) must be healthy
- Secrets: Create the database password secret
Deployment Order
- Sync `blumeops-pg` (to get CloudNativePG operator if not already running)
- Sync `immich-storage` (creates PV, PVC, and Tailscale Ingress)
- Wait for `immich-pg` cluster to be healthy
- Create secrets (see below)
- Sync `immich` (deploys the Helm chart)
- Run `mise run provision-indri -- --tags caddy` to update Caddy config
Secret Setup
# Create namespace
kubectl create namespace immich
# Get the auto-generated immich password from CloudNativePG
kubectl -n databases get secret immich-pg-app -o jsonpath='{.data.password}' | base64 -d
# Store that password in 1Password under blumeops/immich-pg, then:
op inject -i argocd/manifests/immich/secret-db.yaml.tpl | kubectl apply -f -
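
After the `op inject` step, the secret in the `immich` namespace should hold exactly the password CloudNativePG generated. The script below is an added example, not part of this repository: it compares SHA-256 digests of the two values so the plaintext never reaches the terminal. It assumes the applied secret is named `immich-db` with the password under a `password` key; `KUBECTL` and `IMMICH_DB_KEY` are hypothetical override variables.

```shell
#!/usr/bin/env bash
# Added example: verify that immich/immich-db carries the same password as
# databases/immich-pg-app without ever printing the password itself.
# Assumption: immich-db stores the password under the key "password".
KUBECTL="${KUBECTL:-kubectl}"              # overridable, e.g. for offline testing
IMMICH_DB_KEY="${IMMICH_DB_KEY:-password}"

# secret_digest <namespace> <secret> <key>
# Prints the SHA-256 of the decoded value; returns 2 if it cannot be read.
secret_digest() {
  local b64
  b64="$("$KUBECTL" -n "$1" get secret "$2" -o "jsonpath={.data.$3}")" || return 2
  [ -n "$b64" ] || return 2                # secret exists but key is missing or empty
  printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# Returns 0 on match, 1 on mismatch, 2 when either secret cannot be read.
check_immich_db_secret() {
  local src dst
  src="$(secret_digest databases immich-pg-app password)" || {
    echo "cannot read databases/immich-pg-app" >&2; return 2; }
  dst="$(secret_digest immich immich-db "$IMMICH_DB_KEY")" || {
    echo "cannot read immich/immich-db key $IMMICH_DB_KEY" >&2; return 2; }
  if [ "$src" = "$dst" ]; then
    echo "immich-db matches immich-pg-app"
    return 0
  fi
  # A mismatch includes subtle cases such as a trailing newline in the stored value.
  echo "immich-db differs from immich-pg-app; re-check the 1Password item and re-run op inject" >&2
  return 1
}

# Run the check only when requested, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_immich_db_secret
fi
```

Run it with `--check` before syncing `immich`; a non-zero exit means the Helm release would start with database credentials that do not match the cluster.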
Access
- URL: https://photos.ops.eblu.me (after Caddy is updated)
- Tailscale: https://photos.tail8d86e.ts.net (direct)
First-Time Setup
- Navigate to https://photos.ops.eblu.me
- Create an admin account
- Configure external library (optional - for importing existing photos)
External Library (iCloud Photos)
To import existing photos from iCloud sync on indri:
- In Immich Admin > External Libraries, create a new library
- Set the import path to the location where iCloud photos sync
- Configure scan schedule or trigger manual scan
Architecture
┌─────────────────┐     ┌─────────────────┐
│  immich-server  │────▶│    immich-pg    │
│    (web/api)    │     │   (PostgreSQL   │
└────────┬────────┘     │  + pgvecto.rs)  │
         │              └─────────────────┘
         │
┌────────▼────────┐     ┌─────────────────┐
│    immich-ml    │     │     valkey      │
│ (ML inference)  │     │  (Redis cache)  │
└─────────────────┘     └─────────────────┘
         │
┌────────▼────────┐
│   sifaka NFS    │
│ /volume1/photos │
└─────────────────┘
Helm Values
The Helm chart is configured via values.yaml. Key settings:
- `image.tag`: Immich version (update manually)
- `immich.persistence.library.existingClaim`: Points to `immich-library` PVC
- `machine-learning.enabled`: AI features for face/object recognition
- `valkey.enabled`: Redis cache included in chart
Troubleshooting
# Check pods
kubectl -n immich get pods
# Check immich-pg cluster
kubectl -n databases get cluster immich-pg
# View server logs
kubectl -n immich logs -l app.kubernetes.io/name=immich-server
# View ML logs
kubectl -n immich logs -l app.kubernetes.io/name=immich-machine-learning
# Check PVC binding
kubectl -n immich get pvc