Cleanup
This commit is contained in:
parent
c76e76970d
commit
4cbaee8c84
@ -75,17 +75,18 @@ job "immich" {
tags = [
tags = [
"traefik.enable=true",
"traefik.enable=true",
"traefik.http.routers.immich.rule=Host(`immich.example.org`)",
"traefik.http.routers.immich.entrypoints=https",
"traefik.http.routers.immich.entrypoints=https",
"traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.immich.rule=Host(`immich.example.org`)",
"traefik.http.routers.immich.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
"traefik.http.middlewares.csp-immich.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.immich.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-immich",
"traefik.http.routers.immich-share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
"traefik.http.routers.share.rule=Host(`immich.example.org`) && PathRegexp(`^/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/.*)`)",
"traefik.enable=true",
"traefik.enable=true",
"traefik.http.routers.immich-share.entrypoints=https",
"traefik.http.routers.immich-share.entrypoints=https",
"traefik.http.middlewares.immich-csp.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.middlewares.csp-immich-share.headers.contentsecuritypolicy=connect-src 'self' https://maputnik.github.io https://*.cofractal.com https://fonts.openmaptiles.org;default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
"traefik.http.routers.immich-share.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,immich-csp",
"traefik.http.routers.immich-share.middlewares=security-headers@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-immich-share",
]
]
}
}
@ -165,7 +166,7 @@ _EOT
template {
template {
data = <<_EOT
data = <<_EOT
DB_URL=postgres://{{ with secret "database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
DB_URL=postgres://{{ with secret "/database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
_EOT
_EOT
destination = "secrets/.db.env"
destination = "secrets/.db.env"
perms = 400
perms = 400
@ -231,7 +232,7 @@ _EOT
template {
template {
data = <<_EOT
data = <<_EOT
DB_URL=postgres://{{ with secret "database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
DB_URL=postgres://{{ with secret "/database/creds/immich" }}{{ .Data.username }}{{ end }}:{{ with secret "/database/creds/immich" }}{{ .Data.password }}{{ end }}@127.0.0.1:5432/immich
_EOT
_EOT
destination = "secrets/.db.env"
destination = "secrets/.db.env"
perms = 400
perms = 400
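Review bot: After the rename, the share service's tags define the rule on router `share` (`traefik.http.routers.share.rule=…`) while the unchanged entrypoints and middlewares lines still target router `immich-share`, so Traefik ends up with one router that has a rule but no entrypoints and another with entrypoints and middlewares but no rule; the three lines need to agree on one router name, e.g. `traefik.http.routers.share.entrypoints=https` and `traefik.http.routers.share.middlewares=…`, or the rule should keep `immich-share`. The two CSP middlewares `csp-immich` and `csp-immich-share` carry byte-identical values, so a single definition attached to both routers would keep them from drifting apart; both also keep `'unsafe-inline' 'unsafe-eval'` in `script-src`, which largely neutralises the script restriction and deserves a comment stating why the front-end needs it. The `secret "/database/creds/immich"` paths in the two template hunks now carry a leading slash, as does the policy file in this commit; confirm the template renderer maps that to the same mount as a slash-less path, since a mismatch only shows up as a failed render at deploy time.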
@ -2,7 +2,7 @@
set -euo pipefail
set -euo pipefail
vault write database/roles/immich \
vault write /database/roles/immich \
db_name="postgres" \
db_name="postgres" \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT \"immich\" TO \"{{name}}\"; \
GRANT \"immich\" TO \"{{name}}\"; \
@ -1,19 +0,0 @@
#!/bin/sh
set -eu
if [ "immich" != "immich" ]; then
for DIR in vault consul nomad; do
if [ -d output/${DIR} ]; then
for FILE in $(find output/${DIR} -name "*immich*.hcl" -type f); do
NEW_FILE=$(echo "${FILE}" | sed -E "s/immich/immich/g")
mv "${FILE}" "${NEW_FILE}"
done
fi
done
fi
@ -1,7 +1,7 @@
path "database/creds/immich" {
path "/database/creds/immich" {
capabilities = ["read"]
capabilities = ["read"]
}
}
path "kv/data/service/immich" {
path "/kv/data/service/immich" {
capabilities = ["read"]
capabilities = ["read"]
}
}
@ -35,8 +35,9 @@ job "[[ .instance ]]" {
tags = [
tags = [
[[ template "common/traefik_tags" $c ]]
[[ template "common/traefik_tags" $c ]]
[[- $s := merge $c.share $c ]]
[[- $s := merge $c.share $c ]]
"[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=Host(`[[ (urlParse $s.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $s.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/)",
[[ template "common/traefik_tags" merge $s ]]
"[[ $s.traefik.instance ]].http.routers.[[ $s.traefik.router ]].rule=Host(`[[ (urlParse $s.public_url).Hostname ]]`) && PathRegexp(`^[[ (urlParse $s.public_url).Path ]]/(share/|_app/immutable/|custom\\.css|api/(asset|server-info)/.*)`)",
[[ template "common/traefik_tags" $s ]]
]
]
}
}
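Review bot: The share router's rule on the new line is emitted under `[[ $s.traefik.router ]]`, but the rendered example in this commit shows that router's entrypoints and middlewares under `immich-share` while its rule lands under `share`; if `common/traefik_tags` derives the router name differently from `$s.traefik.router` (not visible in this hunk), the rule line should use the same derivation so the router is defined in one piece. This router deliberately matches `api/(asset|server-info)/` in front of the main router; a short comment on that line stating that these paths are ones Immich gates by share key would tell the next reader why the prefix is exposed on the share router. The trailing `.*` inside the group is redundant, since PathRegexp is only anchored at the start; `api/(asset|server-info)/)` matches the same requests.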
@ -2,7 +2,4 @@
set -euo pipefail
set -euo pipefail
[[- template "common/vault.mkpgrole.sh"
[[ template "common/vault.mkpgrole.sh" merge .immich . ]]
dict "ctx" .
"config" (dict "role" .instance "database" "postgres")
]]
@ -1 +0,0 @@
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "immich" .instance) ]]
@ -10,8 +10,8 @@ immich:
postgres:
postgres:
database: '[[ .instance ]]'
database: '[[ .instance ]]'
user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
# API server settings
# API server settings
server:
server:
@ -64,7 +64,7 @@ immich:
share:
share:
traefik:
traefik:
auto_rule: false
auto_rule: false
router: '[[ .instance ]]-share[[ .consul.suffix ]]'
router: share
# Volumes used for data storage
# Volumes used for data storage
volumes:
volumes:
@ -81,7 +81,6 @@ immich:
# Env vars to set in the container
# Env vars to set in the container
env:
env:
#DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .instance ]]{{ end }}'
NODE_OPTIONS: --max-old-space-size={{ env "NOMAD_MEMORY_LIMIT" }}
NODE_OPTIONS: --max-old-space-size={{ env "NOMAD_MEMORY_LIMIT" }}
vault:
vault:
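Review bot: `router: share` in the `share.traefik` block replaces an instance-scoped name (`[[ .instance ]]-share[[ .consul.suffix ]]`) with a fixed one; Traefik router names taken from service tags are global for the provider, so any other service that also registers a router called `share`, or a second instance of this job, would collide with it and one of them would lose its rule. Unless `common/traefik_tags` re-qualifies the name (not visible here), keeping the instance in it, e.g. `router: '[[ .instance ]]-share'`, avoids the clash while still dropping the suffix. The rendered job in this same commit already shows the split the generic name produces, with the rule on `share` and the entrypoints on `immich-share`.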
@ -1,7 +1,7 @@
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
capabilities = ["read"]
capabilities = ["read"]
}
}
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"]
capabilities = ["read"]
}
}