immich/immich.nomad.hcl

[[ $c := merge .immich . -]]

job [[ .instance | toJSON ]] {

[[ template "common/job_start" . ]]

[[ $c := merge .immich.server .immich . -]]

  group "immich" {

    network {
      mode = "bridge"
    }

[[ template "common/volumes" $c.volumes ]]

    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = 3001

[[ template "common/connect" $c ]]

      check {
        type     = "http"
        path     = "/api/server-info/ping"
        expose   = true
        interval = "30s"
        timeout  = "15s"
        check_restart {
          limit = 10
          grace = "300s"
        }
      }

      tags = [
        "[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",

        # Define a middleware to set custom CSP headers
        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",

[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
        # Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",
[[- end ]]

[[- $s := merge .immich.server.share .immich.server .immich . ]]
        # We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
        "[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/share/`)",
        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
        "[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",
[[- else ]]
        "[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",
[[- end ]]

        # Main app router
        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
  [[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
[[- else ]]
        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
[[- end ]]
      ]
    }

[[ template "common/task.wait_for" $c ]]
[[ template "common/task.pgpooler" $c ]]

    # The main immich API server
    task "server" {
      driver = [[ $c.nomad.driver | toJSON ]]
      leader = true
      # Run as an unprivileged user
      user   = 3001

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        command         = "start.sh"
        args            = ["immich"]
        pids_limit      = 100
      }

[[ template "common/vault.policies" $c ]]

      env {
        REDIS_HOSTNAME        = "127.0.0.1"
        IMMICH_MEDIA_LOCATION = "/data"
      }

[[ template "common/file_env" $c.env ]]

      template {
        data =<<_EOT
DB_URL=postgres://
[[- if ne $c.postgres.pooler.engine "none" -]]
[[ .instance ]]:{{ env "NOMAD_ALLOC_ID" }}@127.0.0.1:6432/[[ $c.postgres.database ]]
[[- else -]]
[[ $c.postgres.user ]]:[[ $c.postgres.password ]]@[[ $c.postgres.host ]]:[[ $c.postgres.port ]]/[[ $c.postgres.database ]]
[[- end ]]
_EOT
        destination = "secrets/.db.env"
        perms       = 400
        env         = true
      }

      volume_mount {
        volume = "data"
        destination = "/data"
      }

[[ template "common/resources" $c.resources ]]

    }

[[ $c := merge .immich.microservices .immich . ]]

    # microservices is tha task worker, doing all the processing async
    task "microservices" {
      driver = [[ $c.nomad.driver | toJSON ]]
      # Run as an unpriviliged user
      user   = 3001

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        command         = "start.sh"
        args            = ["microservices"]
        pids_limit      = 100
      }

[[ template "common/vault.policies" $c ]]

      env {
        REDIS_HOSTNAME        = "127.0.0.1"
        IMMICH_MEDIA_LOCATION = "/data"
      }

[[ template "common/file_env" $c.env ]]

      template {
        data =<<_EOT
DB_URL=postgres://
[[- if ne $c.postgres.pooler.engine "none" -]]
[[ .instance ]]:{{ env "NOMAD_ALLOC_ID" }}@127.0.0.1:6432/[[ $c.postgres.database ]]
[[- else -]]
[[ $c.postgres.user ]]:[[ $c.postgres.password ]]@[[ $c.postgres.host ]]:[[ $c.postgres.port ]]/[[ $c.postgres.database ]]
[[- end ]]
_EOT
        destination = "secrets/.db.env"
        perms       = 400
        env         = true
      }

      volume_mount {
        volume      = "data"
        destination = "/data"
      }

[[ template "common/resources" $c.resources ]]
    }

[[ template "common/task.redis" dict "resources" .immich.redis.resources ]]
  }

[[- if .immich.machine_learning.enabled ]]

  [[- $c := merge .immich.machine_learning .immich . ]]
  # Used for face recognition, tags etc.
  group "machine-learning" {

    network {
      mode = "bridge"
    }

[[ template "common/volumes" $c.volumes ]]

    service {
      name = "[[ .instance ]]-ml[[ .consul.suffix ]]"
      port = 3003
  [[ template "common/connect" $c ]]
    }

  [[ $c := merge .immich.machine_learning .immich . ]]
    task "machine-learning" {
      driver = [[ $c.nomad.driver | toJSON ]]
      user   = 3001

      config {
        image           = [[ $c.image | toJSON ]]
        readonly_rootfs = true
        pids_limit      = 200
      }

      env {
        TMPDIR                = "/local"
        MPLCONFIGDIR          = "/local"
        MACHINE_LEARNING_HOST = "127.0.0.1"
  [[ template "common/proxy_env" $c ]]
      }

      volume_mount {
        volume      = "ml"
        destination = "/cache"
      }

[[ template "common/resources" $c.resources ]]
    }
  }
[[- end ]]
}
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`[[ $c := merge .immich . -]]`

Cleanup 2023-12-21 22:37:48 +01:00			`job [[ .instance \| toJSON ]] {`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/job_start" . ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ $c := merge .immich.server .immich . -]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`group "immich" {`

			`network {`
			`mode = "bridge"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/volumes" $c.volumes ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`service {`
Cleanup 2023-12-21 22:37:48 +01:00			`name = "[[ .instance ]][[ .consul.suffix ]]"`
Immich working now 2023-11-27 23:07:31 +01:00			`port = 3001`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/connect" $c ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
Immich working now 2023-11-27 23:07:31 +01:00			`check {`
			`type = "http"`
			`path = "/api/server-info/ping"`
			`expose = true`
			`interval = "30s"`
			`timeout = "15s"`
			`check_restart {`
			`limit = 10`
			`grace = "300s"`
			`}`
			`}`

Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`tags = [`
Immich working now 2023-11-27 23:07:31 +01:00			`"[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",`

			`# Define a middleware to set custom CSP headers`
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",`
			`"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",`
Immich working now 2023-11-27 23:07:31 +01:00
			`[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]`
			`# Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend`
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- end ]]`

Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[- $s := merge .immich.server.share .immich.server .immich . ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)`
Cleanup 2023-12-21 22:37:48 +01:00			"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/share/`)",
			`"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]`
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- else ]]`
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- end ]]`

			`# Main app router`
Cleanup 2023-12-21 22:37:48 +01:00			"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
Immich working now 2023-11-27 23:07:31 +01:00			[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]`
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- else ]]`
Cleanup 2023-12-21 22:37:48 +01:00			`"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",`
Immich working now 2023-11-27 23:07:31 +01:00			`[[- end ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`]`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/task.wait_for" $c ]]`
Update pgpooler template and use default pooler mode 2024-01-15 17:05:33 +01:00			`[[ template "common/task.pgpooler" $c ]]`
Immich working now 2023-11-27 23:07:31 +01:00
			`# The main immich API server`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`task "server" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
			`leader = true`
Immich working now 2023-11-27 23:07:31 +01:00			`# Run as an unprivileged user`
			`user = 3001`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`config {`
Immich working now 2023-11-27 23:07:31 +01:00			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`command = "start.sh"`
			`args = ["immich"]`
			`pids_limit = 100`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`

Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ template "common/vault.policies" $c ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`env {`
Immich working now 2023-11-27 23:07:31 +01:00			`REDIS_HOSTNAME = "127.0.0.1"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`IMMICH_MEDIA_LOCATION = "/data"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/file_env" $c.env ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
Support pgbouncer 2024-01-09 11:32:44 +01:00			`template {`
			`data =<<_EOT`
			`DB_URL=postgres://`
Update postgres pooler 2024-01-12 22:52:34 +01:00			`[[- if ne $c.postgres.pooler.engine "none" -]]`
Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ .instance ]]:{{ env "NOMAD_ALLOC_ID" }}@127.0.0.1:6432/[[ $c.postgres.database ]]`
			`[[- else -]]`
			`[[ $c.postgres.user ]]:[[ $c.postgres.password ]]@[[ $c.postgres.host ]]:[[ $c.postgres.port ]]/[[ $c.postgres.database ]]`
			`[[- end ]]`
			`_EOT`
			`destination = "secrets/.db.env"`
			`perms = 400`
			`env = true`
			`}`

Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`volume_mount {`
			`volume = "data"`
			`destination = "/data"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/resources" $c.resources ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`}`

Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ $c := merge .immich.microservices .immich . ]]`
Immich working now 2023-11-27 23:07:31 +01:00
			`# microservices is tha task worker, doing all the processing async`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`task "microservices" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`# Run as an unpriviliged user`
			`user = 3001`

Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`config {`
Immich working now 2023-11-27 23:07:31 +01:00			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`command = "start.sh"`
			`args = ["microservices"]`
			`pids_limit = 100`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`

Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ template "common/vault.policies" $c ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
			`env {`
Immich working now 2023-11-27 23:07:31 +01:00			`REDIS_HOSTNAME = "127.0.0.1"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`IMMICH_MEDIA_LOCATION = "/data"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/file_env" $c.env ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00
Support pgbouncer 2024-01-09 11:32:44 +01:00			`template {`
			`data =<<_EOT`
			`DB_URL=postgres://`
Update postgres pooler 2024-01-12 22:52:34 +01:00			`[[- if ne $c.postgres.pooler.engine "none" -]]`
Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ .instance ]]:{{ env "NOMAD_ALLOC_ID" }}@127.0.0.1:6432/[[ $c.postgres.database ]]`
			`[[- else -]]`
			`[[ $c.postgres.user ]]:[[ $c.postgres.password ]]@[[ $c.postgres.host ]]:[[ $c.postgres.port ]]/[[ $c.postgres.database ]]`
			`[[- end ]]`
			`_EOT`
			`destination = "secrets/.db.env"`
			`perms = 400`
			`env = true`
			`}`

Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`volume_mount {`
Immich working now 2023-11-27 23:07:31 +01:00			`volume = "data"`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`destination = "/data"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/resources" $c.resources ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/task.redis" dict "resources" .immich.redis.resources ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`
Immich working now 2023-11-27 23:07:31 +01:00
			`[[- if .immich.machine_learning.enabled ]]`

Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[- $c := merge .immich.machine_learning .immich . ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`# Used for face recognition, tags etc.`
			`group "machine-learning" {`

			`network {`
			`mode = "bridge"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/volumes" $c.volumes ]]`
Immich working now 2023-11-27 23:07:31 +01:00
			`service {`
Cleanup 2023-12-21 22:37:48 +01:00			`name = "[[ .instance ]]-ml[[ .consul.suffix ]]"`
Immich working now 2023-11-27 23:07:31 +01:00			`port = 3003`
Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/connect" $c ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`}`

Support pgbouncer 2024-01-09 11:32:44 +01:00			`[[ $c := merge .immich.machine_learning .immich . ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`task "machine-learning" {`
			`driver = [[ $c.nomad.driver \| toJSON ]]`
			`user = 3001`

			`config {`
			`image = [[ $c.image \| toJSON ]]`
			`readonly_rootfs = true`
			`pids_limit = 200`
			`}`

			`env {`
			`TMPDIR = "/local"`
			`MPLCONFIGDIR = "/local"`
			`MACHINE_LEARNING_HOST = "127.0.0.1"`
Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/proxy_env" $c ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`}`

			`volume_mount {`
			`volume = "ml"`
			`destination = "/cache"`
			`}`

Update to 1.91.0 And remove typesense 2023-12-15 22:00:56 +01:00			`[[ template "common/resources" $c.resources ]]`
Immich working now 2023-11-27 23:07:31 +01:00			`}`
			`}`
			`[[- end ]]`
Start working on immich (still WIP) 2023-11-25 22:04:47 +01:00			`}`