Erich Blume
18fe172a54
Resolves 4 unmuted Prowler core_seccomp_profile_docker_default findings on alloy, immich-server, immich-machine-learning, and immich-valkey. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| deployment-ml.yaml | ||
| deployment-server.yaml | ||
| deployment-valkey.yaml | ||
| ingress-tailscale.yaml | ||
| kustomization.yaml | ||
| pv-nfs.yaml | ||
| pvc-ml-cache.yaml | ||
| pvc.yaml | ||
| README.md | ||
| service-ml.yaml | ||
| service-valkey.yaml | ||
| service.yaml | ||
Immich
Self-hosted photo and video management solution with AI-powered search and face recognition.
Prerequisites
- NFS Share: Create
/volume1/photoson sifaka with NFS permissions for indri - PostgreSQL: The
immich-pgcluster (with pgvecto.rs) must be healthy - Secrets: Create the database password secret
Deployment Order
- Sync
blumeops-pg(to get CloudNativePG operator if not already running) - Wait for
immich-pgcluster to be healthy - Create secrets (see below)
- Sync
immich(deploys all resources: storage, services, deployments) - Run
mise run provision-indri -- --tags caddyto update Caddy config
Components
| Component | Deployment | Service | Port |
|---|---|---|---|
| Server (web/API) | immich-server |
immich-server |
2283 |
| Machine Learning | immich-machine-learning |
immich-machine-learning |
3003 |
| Valkey (Redis) | immich-valkey |
immich-valkey |
6379 |
Secret Setup
The immich-db secret contains the database password, which is auto-generated by CloudNativePG
in the immich-pg-app secret. To create or regenerate the secret:
# Create namespace if needed
kubectl --context=minikube-indri create namespace immich
# Copy password from CNPG secret to immich namespace
kubectl --context=minikube-indri create secret generic immich-db -n immich \
--from-literal=password="$(kubectl --context=minikube-indri -n databases get secret immich-pg-app -o jsonpath='{.data.password}' | base64 -d)"
Note: This secret is not managed by ExternalSecrets since the source of truth is the CNPG-generated secret.
Access
- URL: https://photos.ops.eblu.me (after Caddy is updated)
- Tailscale: https://photos.tail8d86e.ts.net (direct)
First-Time Setup
- Navigate to https://photos.ops.eblu.me
- Create an admin account
- Configure external library (optional - for importing existing photos)
External Library (iCloud Photos)
To import existing photos from iCloud sync on indri:
- In Immich Admin > External Libraries, create a new library
- Set the import path to the location where iCloud photos sync
- Configure scan schedule or trigger manual scan
Architecture
┌─────────────────┐ ┌─────────────────┐
│ immich-server │────▶│ immich-pg │
│ (web/api) │ │ (PostgreSQL │
└────────┬────────┘ │ + pgvecto.rs) │
│ └─────────────────┘
│
┌────────▼────────┐ ┌─────────────────┐
│ immich-ml │ │ valkey │
│ (ML inference) │ │ (Redis cache) │
└─────────────────┘ └─────────────────┘
│
┌────────▼────────┐
│ sifaka NFS │
│ /volume1/photos│
└─────────────────┘
Version Management
Image versions are controlled via kustomization.yaml:
images:
- name: ghcr.io/immich-app/immich-server
newTag: v2.6.3
- name: ghcr.io/immich-app/immich-machine-learning
newTag: v2.6.3
- name: docker.io/valkey/valkey
newTag: "8.1-alpine"
To upgrade, update newTag values and sync via ArgoCD.
Troubleshooting
# Check pods
kubectl --context=minikube-indri -n immich get pods
# Check immich-pg cluster
kubectl --context=minikube-indri -n databases get cluster immich-pg
# View server logs
kubectl --context=minikube-indri -n immich logs -l app=immich,component=server
# View ML logs
kubectl --context=minikube-indri -n immich logs -l app=immich,component=machine-learning
# Check PVC binding
kubectl --context=minikube-indri -n immich get pvc