From acca7358f14ecfe58e304ca9ed13fb0faecffc1a Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Sat, 25 Nov 2023 22:04:47 +0100
Subject: [PATCH] Start working on immich (still WIP)

---
 bundles.yml | 4 ++
 immich.nomad.hcl | 146 ++++++++++++++++++++++++++++++++++++++
 init/vault-database | 8 +++
 templates/nginx.conf.tpl | 31 ++++++++
 variables.yml | 81 +++++++++++++++++++++
 vault/policies/immich.hcl | 3 +
 6 files changed, 273 insertions(+)
 create mode 100644 bundles.yml
 create mode 100644 immich.nomad.hcl
 create mode 100755 init/vault-database
 create mode 100644 templates/nginx.conf.tpl
 create mode 100644 variables.yml
 create mode 100644 vault/policies/immich.hcl

diff --git a/bundles.yml b/bundles.yml
new file mode 100644
index 0000000..5b9120e
--- /dev/null
+++ b/bundles.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+ - url: ../common.git
diff --git a/immich.nomad.hcl b/immich.nomad.hcl
new file mode 100644
index 0000000..8ccf27a
--- /dev/null
+++ b/immich.nomad.hcl
@@ -0,0 +1,146 @@
+[[ $c := merge .immich . -]]
+
+job [[ .immich.instance | toJSON ]] {
+
+[[ template "common/job_start.tpl" . ]]
+
+[[ $c := merge .immich.server . -]]
+
+ group "immich" {
+
+ network {
+ mode = "bridge"
+ }
+
+ volume "data" {
+ type = [[ .immich.volumes.data.type | toJSON ]]
+ source = [[ .immich.volumes.data.source | toJSON ]]
+[[- if ne .immich.volumes.data.type "host" ]]
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+[[- end ]]
+ }
+
+# volume "ml" {
+# type = [[ .immich.volumes.ml.type | toJSON ]]
+# source = [[ .immich.volumes.ml.source | toJSON ]]
+#[[- if ne .immich.volumes.ml.type "host" ]]
+# access_mode = "single-node-writer"
+# attachment_mode = "file-system"
+#[[- end ]]
+# }
+
+# volume "typesense" {
+# type = [[ .immich.volumes.typesense.type | toJSON ]]
+# source = [[ .immich.volumes.typesense.source | toJSON ]]
+#[[- if ne .immich.volumes.typesense.type "host" ]]
+# access_mode = "single-node-writer"
+# attachment_mode = "file-system"
+#[[- end ]]
+# }
+
+ service {
+ name = "[[ .immich.instance ]][[ .consul.suffix ]]"
+ port = 8080
+
+[[ template "common/connect.tpl" $c ]]
+
+ tags = [
+ "[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]"
+ ]
+ }
+
+[[ $c := merge .immich.server . -]]
+ task "server" {
+ driver = [[ $c.nomad.driver | toJSON ]]
+ leader = true
+
+ config {
+ image = [[ $c.image | toJSON ]]
+ #readonly_rootfs = true
+ command = "start.sh"
+ args = ["immich"]
+ }
+
+ vault {
+ policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
+ env = false
+ disable_file = true
+ }
+
+ env {
+ REDIS_HOSTNAME = "localhost"
+ TYPESENSE_HOST = "localhost"
+ IMMICH_MEDIA_LOCATION = "/data"
+ TYPESENSE_ENABLED = "false"
+ }
+
+[[ template "common/file_env.tpl" $c.env ]]
+
+ volume_mount {
+ volume = "data"
+ destination = "/data"
+ }
+
+[[ template "common/resources.tpl" $c.resources ]]
+
+ }
+
+[[ $c := merge .immich.microservices . ]]
+ task "microservices" {
+ driver = [[ $c.nomad.driver | toJSON ]]
+
+ config {
+ image = [[ $c.image | toJSON ]]
+ #readonly_rootfs = true
+ command = "start.sh"
+ args = ["microservices"]
+ }
+
+ vault {
+ policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
+ env = false
+ disable_file = true
+ }
+
+ env {
+ REDIS_HOSTNAME = "localhost"
+ TYPESENSE_HOST = "localhost"
+ IMMICH_MEDIA_LOCATION = "/data"
+ TYPESENSE_ENABLED = "false"
+ }
+
+[[ template "common/file_env.tpl" $c.env ]]
+
+ volume_mount {
+ volume = "data"
+ destination = "/data"
+ }
+
+[[ template "common/resources.tpl" $c.resources ]]
+ }
+
+#[[ $c := merge .immich.machine_learning . ]]
+# task "machine-learning" {
+# driver = [[ $c.nomad.driver | toJSON ]]
+#
+# config {
+# image = [[ $c.image | toJSON ]]
+# readonly_rootfs = true
+# }
+#
+# env {
+# MACHINE_LEARNING_HOST = "127.0.0.1"
+# }
+#
+#
+# volume_mount {
+# volume = "ml"
+# destination = "/cache"
+# }
+#
+# }
+
+[[ template "common/task.redis.tpl" ]]
+ }
+}
diff --git a/init/vault-database b/init/vault-database
new file mode 100755
index 0000000..b98fd01
--- /dev/null
+++ b/init/vault-database
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -euo pipefail
+
+[[- template "common/vault.mkpgrole.sh.tpl"
+ dict "ctx" .
+ "config" (dict "role" .immich.instance "database" "postgres")
+]]
diff --git a/templates/nginx.conf.tpl b/templates/nginx.conf.tpl
new file mode 100644
index 0000000..83a87e7
--- /dev/null
+++ b/templates/nginx.conf.tpl
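Review bot: `#readonly_rootfs = true` is commented out in both the `server` and `microservices` task `config` blocks with no note of why, while the commented-out machine-learning stub further down keeps it enabled; a reader cannot tell whether the images genuinely need a writable root or whether this was just disabled while debugging. If some paths must be writable, a comment next to the disabled option naming them, e.g. `# readonly_rootfs disabled: image writes to <PATHS — TODO confirm>`, would let the next maintainer re-enable the read-only root and cover only those paths with a mount. Separately, `[[ $c := merge .immich.server . -]]` is assigned twice (once before `group "immich"` and again before `task "server"`), and the opening `[[ $c := merge .immich . -]]` is overwritten before anything reads it; one assignment per scope would make the template easier to follow.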
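Review bot: `set -euo pipefail` under a `#!/bin/sh` shebang is not portable: `pipefail` is not accepted by every `/bin/sh` (dash, for one, rejects `set -o pipefail` as an illegal option in the releases I am aware of), and when `set` fails in a non-interactive POSIX shell the script aborts at that line before the vault.mkpgrole template body ever runs. Either change the shebang to `#!/bin/bash`, or keep `/bin/sh` and use `set -eu`; the visible part of the script is a single template expansion with no pipelines, so dropping `pipefail` costs nothing here. The expanded body comes from `common/vault.mkpgrole.sh.tpl`, which is outside this patch, so whether it relies on `pipefail` would need checking there.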
@@ -0,0 +1,31 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 127.0.0.1:3005;
+ server_name _;
+ server_tokens off;
+ root /usr/share/html;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_socket_keepalive on;
+ client_max_body_size 100m;
+
+ set_real_ip_from 127.0.0.1;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ # Inform endpoint
+ location ~ ^/(inform|dl/firmware-cached).* {
+ if ($request_method !~ ^(GET|HEAD|POST)$ ) {
+ return 405;
+ }
+ proxy_pass http://localhost:8080;
+ }
+}
+
diff --git a/variables.yml b/variables.yml
new file mode 100644
index 0000000..1662f86
--- /dev/null
+++ b/variables.yml
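Review bot: The only `location` block, `location ~ ^/(inform|dl/firmware-cached).* { ... }` together with its `# Inform endpoint` comment, looks carried over from another service's nginx config rather than written for immich; nothing else is routed, so any request not matching that regex is answered from `root /usr/share/html` instead of being proxied to the immich server on 8080. Replace it with the paths this deployment actually has to proxy (or a plain `location /` with the same `proxy_pass`) and drop the leftover comment. Note also that this template is not referenced from `immich.nomad.hcl` anywhere in this patch, so it is inert until a `template` stanza renders it. The `set_real_ip_from 127.0.0.1` / `real_ip_header X-Forwarded-For` / `real_ip_recursive on` trio makes the logged and rate-limited client address only as trustworthy as whatever sits on 127.0.0.1 in front of nginx; a one-line comment naming that hop (presumably the connect sidecar) would make the trust boundary explicit.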
@@ -0,0 +1,81 @@
+---
+
+immich:
+
+ instance: immich
+ version: v1.88.2
+
+ server:
+ image: ghcr.io/immich-app/immich-server:[[ .immich.version ]]
+
+ env:
+ DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .immich.instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .immich.instance ]]{{ end }}'
+
+ resources:
+ cpu: 200
+ memory: 256
+
+ wait_for:
+ - service: master.[[ .consul.suffix ]]
+
+ consul:
+ connect:
+ upstreams:
+ - destination_name: postgres[[ .consul.suffix ]]
+ local_bind_port: 5432
+
+ traefik:
+ enabled: true
+
+ microservices:
+
+ image: ghcr.io/immich-app/immich-server:[[ .immich.version ]]
+
+ env:
+ DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .immich.instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .immich.instance ]]{{ end }}'
+
+ resources:
+ cpu: 300
+ memory: 768
+
+ machine_learning:
+
+ image: ghcr.io/immich-app/immich-machine-learning:[[ .immich.version ]]
+
+ env: {}
+
+ resources:
+ cpu: 100
+ memory: 256
+
+ web:
+
+ image: ghcr.io/immich-app/immich-web:[[ .immich.version ]]
+
+ env: {}
+
+ resources:
+ cpu: 50
+ memory: 128
+
+ typesense:
+ image: typesense/typesense:latest
+
+ env: {}
+
+ resources:
+ cpu: 100
+ memory: 256
+
+ volumes:
+ data:
+ type: csi
+ source: '[[ .immich.instance ]]-data'
+
+ ml:
+ type: csi
+ source: '[[ .immich.instance ]]-ml'
+
+ typesense:
+ type: csi
+ source: '[[ .immich.instance ]]-typesense'
diff --git a/vault/policies/immich.hcl b/vault/policies/immich.hcl
new file mode 100644
index 0000000..b5340b0
--- /dev/null
+++ b/vault/policies/immich.hcl
@@ -0,0 +1,3 @@
+path "[[ .vault.prefix ]]database/creds/[[ .immich.instance ]]" {
+ capabilities = ["read"]
+}
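Review bot: `wait_for: - service: master.[[ .consul.suffix ]]` does not match the upstream declared a few lines below it (`destination_name: postgres[[ .consul.suffix ]]`); `master.` followed by the suffix looks like a leftover from another job's variables, and unless a Consul service by that name really exists the wait would never be satisfied — `- service: postgres[[ .consul.suffix ]]` is presumably what is meant, to be confirmed against the postgres bundle. Separately, `image: typesense/typesense:latest` is the one image in this file not pinned, while every other image is pinned through `[[ .immich.version ]]`; even though typesense is disabled in the job for now, pinning a tag (or a digest) keeps the deployment reproducible and reviewable when it is switched on. The `DB_URL` secret template is duplicated verbatim between `server.env` and `microservices.env`, so a later change to the credentials path or URL format has to be made in two places.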