immich/immich.nomad.hcl

[[ $c := merge .immich . -]]

job [[ .immich.instance | toJSON ]] {

[[ template "common/job_start.tpl" . ]]

[[ $c := merge .immich.server . -]]

  group "immich" {

    network {
      mode = "bridge"
    }

    volume "data" {
      type            = [[ .immich.volumes.data.type | toJSON ]]
      source          = [[ .immich.volumes.data.source | toJSON ]]
[[- if ne .immich.volumes.data.type "host" ]]
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"
[[- end ]]
    }

[[- if .immich.typesense.enabled ]]
    volume "typesense" {
      type            = [[ .immich.volumes.typesense.type | toJSON ]]
      source          = [[ .immich.volumes.typesense.source | toJSON ]]
  [[- if ne .immich.volumes.typesense.type "host" ]]
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"
  [[- end ]]
    }
[[- end ]]

    service {
      name = "[[ .immich.instance ]][[ .consul.suffix ]]"
      port = 3001

[[ template "common/connect.tpl" $c ]]

      check {
        type     = "http"
        path     = "/api/server-info/ping"
        expose   = true
        interval = "30s"
        timeout  = "15s"
        check_restart {
          limit = 10
          grace = "300s"
        }
      }

      tags = [
        "[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",

        # Define a middleware to set custom CSP headers
        "[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
        "[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",

[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
        # Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
        "[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",
[[- end ]]

[[- $s := merge .immich.server.share . ]]
        # We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
        "[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/share/`)",
        "[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
        "[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ .immich.instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $s.traefik ]]",
[[- else ]]
        "[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $s.traefik ]]",
[[- end ]]

        # Main app router
        "[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
  [[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
        "[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
        "[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ .immich.instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
[[- else ]]
        "[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
[[- end ]]
      ]
    }

    # Wait for external services to be ready before continuing
[[ template "common/task.wait_for.tpl" $c ]]

[[ $c := merge .immich.server . -]]
    # The main immich API server
    task "server" {
      driver = [[ $c.nomad.driver | toJSON ]]
      leader = true
      # Run as an unprivileged user
      user   = 3001

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        command         = "start.sh"
        args            = ["immich"]
        pids_limit      = 100
      }

      vault {
        policies     = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      env {
        REDIS_HOSTNAME        = "127.0.0.1"
        TYPESENSE_HOST        = "127.0.0.1"
        IMMICH_MEDIA_LOCATION = "/data"
      }

[[ template "common/file_env.tpl" $c.env ]]

      volume_mount {
        volume = "data"
        destination = "/data"
      }

[[ template "common/resources.tpl" $c.resources ]]

    }

[[ $c := merge .immich.microservices . ]]

    # microservices is tha task worker, doing all the processing async
    task "microservices" {
      driver = [[ $c.nomad.driver | toJSON ]]
      # Run as an unpriviliged user
      user   = 3001

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        command         = "start.sh"
        args            = ["microservices"]
        pids_limit      = 100
      }

      vault {
        policies     = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      env {
        REDIS_HOSTNAME        = "127.0.0.1"
        TYPESENSE_HOST        = "127.0.0.1"
        IMMICH_MEDIA_LOCATION = "/data"
      }

[[ template "common/file_env.tpl" $c.env ]]

      volume_mount {
        volume      = "data"
        destination = "/data"
      }

[[ template "common/resources.tpl" $c.resources ]]
    }

[[- if .immich.typesense.enabled ]]
  [[ $c := merge .immich.typesense . ]]

    # Typesense is a vector database used to get fast search responses
    task "typesense" {
      driver = [[ $c.nomad.driver | toJSON ]]
      # Also run as an unprivileged user
      user   = 3001

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        args = [
          "--api-address=127.0.0.1",
          "--peering-address=127.0.0.1"
        ]
        pids_limit      = 500
      }

      vault {
        policies     = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
        env          = false
        disable_file = true
      }

      env {
        TYPESENSE_DATA_DIR = "/data"
      }

  [[ template "common/file_env.tpl" $c.env ]]

      volume_mount {
        volume      = "typesense"
        destination = "/data"
      }

  [[ template "common/resources.tpl" $c.resources ]]
    }
[[- end ]]

[[ template "common/task.redis.tpl" dict "resources" .immich.redis.resources ]]
  }

[[- if .immich.machine_learning.enabled ]]

  [[- $c := merge .immich.machine_learning . ]]
  # Used for face recognition, tags etc.
  group "machine-learning" {

    network {
      mode = "bridge"
    }

    volume "ml" {
      type            = [[ .immich.volumes.ml.type | toJSON ]]
      source          = [[ .immich.volumes.ml.source | toJSON ]]
  [[- if ne .immich.volumes.ml.type "host" ]]
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"
  [[- end ]]
    }

    service {
      name = "[[ .immich.instance ]]-ml[[ .consul.suffix ]]"
      port = 3003
  [[ template "common/connect.tpl" $c ]]
    }

  [[ $c := merge .immich.machine_learning . ]]
    task "machine-learning" {
      driver = [[ $c.nomad.driver | toJSON ]]
      user   = 3001

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        pids_limit      = 200
      }

      env {
        TMPDIR                = "/local"
        MPLCONFIGDIR          = "/local"
        MACHINE_LEARNING_HOST = "127.0.0.1"
  [[ template "common/proxy_env.tpl" $c ]]
      }

      volume_mount {
        volume      = "ml"
        destination = "/cache"
      }

[[ template "common/resources.tpl" $c.resources ]]
    }
  }
[[- end ]]
}
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`[[ $c := merge .immich . -]]`

			`job [[ .immich.instance \| toJSON ]] {`

			`[[ template "common/job_start.tpl" . ]]`

			`[[ $c := merge .immich.server . -]]`

			`group "immich" {`

			`network {`
			`mode = "bridge"`
			`}`

			`volume "data" {`
Immich working now 2023-11-27 23:07:31 +01:00			`type = [[ .immich.volumes.data.type \| toJSON ]]`
			`source = [[ .immich.volumes.data.source \| toJSON ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`[[- if ne .immich.volumes.data.type "host" ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`access_mode = "single-node-writer"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`attachment_mode = "file-system"`
			`[[- end ]]`
			`}`

Immich working now 2023-11-27 23:07:31 +01:00			`[[- if .immich.typesense.enabled ]]`
			`volume "typesense" {`
			`type = [[ .immich.volumes.typesense.type \| toJSON ]]`
			`source = [[ .immich.volumes.typesense.source \| toJSON ]]`
			`[[- if ne .immich.volumes.typesense.type "host" ]]`
			`access_mode = "single-node-writer"`
			`attachment_mode = "file-system"`
			`[[- end ]]`
			`}`
			`[[- end ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`service {`
			`name = "[[ .immich.instance ]][[ .consul.suffix ]]"`
Immich working now 2023-11-27 23:07:31 +01:00			`port = 3001`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`[[ template "common/connect.tpl" $c ]]`

Immich working now 2023-11-27 23:07:31 +01:00			`check {`
			`type = "http"`
			`path = "/api/server-info/ping"`
			`expose = true`
			`interval = "30s"`
			`timeout = "15s"`
			`check_restart {`
			`limit = 10`
			`grace = "300s"`
			`}`
			`}`

Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`tags = [`
Immich working now 2023-11-27 23:07:31 +01:00			`"[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",`

			`# Define a middleware to set custom CSP headers`
			`"[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",`
			`"[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",`

			`[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]`
			`# Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend`
			`"[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",`
			`[[- end ]]`

			`[[- $s := merge .immich.server.share . ]]`
			`# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)`
			"[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/share/`)",
Add missing entrypoint for /share router 2023-11-29 22:26:06 +01:00			`"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]`
			`"[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ .immich.instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $s.traefik ]]",`
			`[[- else ]]`
			`"[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $s.traefik ]]",`
			`[[- end ]]`

			`# Main app router`
			"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
			[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
			`"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",`
			`[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]`
			`"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ .immich.instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",`
			`[[- else ]]`
			`"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",`
			`[[- end ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`]`
			`}`

Immich working now 2023-11-27 23:07:31 +01:00			`# Wait for external services to be ready before continuing`
			`[[ template "common/task.wait_for.tpl" $c ]]`

Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`[[ $c := merge .immich.server . -]]`
Immich working now 2023-11-27 23:07:31 +01:00			`# The main immich API server`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`task "server" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
			`leader = true`
Immich working now 2023-11-27 23:07:31 +01:00			`# Run as an unprivileged user`
			`user = 3001`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`config {`
Immich working now 2023-11-27 23:07:31 +01:00			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`command = "start.sh"`
			`args = ["immich"]`
			`pids_limit = 100`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`

			`vault {`
Immich working now 2023-11-27 23:07:31 +01:00			`policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]`
			`env = false`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`disable_file = true`
			`}`

			`env {`
Immich working now 2023-11-27 23:07:31 +01:00			`REDIS_HOSTNAME = "127.0.0.1"`
			`TYPESENSE_HOST = "127.0.0.1"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`IMMICH_MEDIA_LOCATION = "/data"`
			`}`

			`[[ template "common/file_env.tpl" $c.env ]]`

			`volume_mount {`
			`volume = "data"`
			`destination = "/data"`
			`}`

			`[[ template "common/resources.tpl" $c.resources ]]`

			`}`

			`[[ $c := merge .immich.microservices . ]]`
Immich working now 2023-11-27 23:07:31 +01:00
			`# microservices is tha task worker, doing all the processing async`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`task "microservices" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`# Run as an unpriviliged user`
			`user = 3001`

			`lifecycle {`
			`hook = "prestart"`
			`sidecar = true`
			`}`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`config {`
Immich working now 2023-11-27 23:07:31 +01:00			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`command = "start.sh"`
			`args = ["microservices"]`
			`pids_limit = 100`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`

			`vault {`
Immich working now 2023-11-27 23:07:31 +01:00			`policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]`
			`env = false`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`disable_file = true`
			`}`

			`env {`
Immich working now 2023-11-27 23:07:31 +01:00			`REDIS_HOSTNAME = "127.0.0.1"`
			`TYPESENSE_HOST = "127.0.0.1"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`IMMICH_MEDIA_LOCATION = "/data"`
			`}`

			`[[ template "common/file_env.tpl" $c.env ]]`

			`volume_mount {`
Immich working now 2023-11-27 23:07:31 +01:00			`volume = "data"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`destination = "/data"`
			`}`

			`[[ template "common/resources.tpl" $c.resources ]]`
			`}`

Immich working now 2023-11-27 23:07:31 +01:00			`[[- if .immich.typesense.enabled ]]`
			`[[ $c := merge .immich.typesense . ]]`

			`# Typesense is a vector database used to get fast search responses`
			`task "typesense" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
			`# Also run as an unprivileged user`
			`user = 3001`

			`lifecycle {`
			`hook = "prestart"`
			`sidecar = true`
			`}`

			`config {`
			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`args = [`
			`"--api-address=127.0.0.1",`
			`"--peering-address=127.0.0.1"`
			`]`
			`pids_limit = 500`
			`}`

			`vault {`
			`policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]`
			`env = false`
			`disable_file = true`
			`}`

			`env {`
			`TYPESENSE_DATA_DIR = "/data"`
			`}`

			`[[ template "common/file_env.tpl" $c.env ]]`

			`volume_mount {`
			`volume = "typesense"`
			`destination = "/data"`
			`}`

			`[[ template "common/resources.tpl" $c.resources ]]`
			`}`
			`[[- end ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
More mem for typesense and redis 2023-11-30 20:45:32 +01:00			`[[ template "common/task.redis.tpl" dict "resources" .immich.redis.resources ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`
Immich working now 2023-11-27 23:07:31 +01:00
			`[[- if .immich.machine_learning.enabled ]]`

			`[[- $c := merge .immich.machine_learning . ]]`
			`# Used for face recognition, tags etc.`
			`group "machine-learning" {`

			`network {`
			`mode = "bridge"`
			`}`

			`volume "ml" {`
			`type = [[ .immich.volumes.ml.type \| toJSON ]]`
			`source = [[ .immich.volumes.ml.source \| toJSON ]]`
			`[[- if ne .immich.volumes.ml.type "host" ]]`
			`access_mode = "single-node-writer"`
			`attachment_mode = "file-system"`
			`[[- end ]]`
			`}`

			`service {`
			`name = "[[ .immich.instance ]]-ml[[ .consul.suffix ]]"`
			`port = 3003`
			`[[ template "common/connect.tpl" $c ]]`
			`}`

			`[[ $c := merge .immich.machine_learning . ]]`
			`task "machine-learning" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
			`user = 3001`

			`config {`
			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`pids_limit = 200`
			`}`

			`env {`
			`TMPDIR = "/local"`
			`MPLCONFIGDIR = "/local"`
			`MACHINE_LEARNING_HOST = "127.0.0.1"`
			`[[ template "common/proxy_env.tpl" $c ]]`
			`}`

			`volume_mount {`
			`volume = "ml"`
			`destination = "/cache"`
			`}`

			`[[ template "common/resources.tpl" $c.resources ]]`
			`}`
			`}`
			`[[- end ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`