Cleanup
This commit is contained in:
parent
89463ca1f8
commit
cee72bbbd6
|
|
@ -1,3 +1,3 @@
|
|||
Kind = "service-defaults"
|
||||
Name = "[[ .immich.instance ]]-ml[[ .consul.suffix ]]"
|
||||
Name = "[[ .instance ]]-ml[[ .consul.suffix ]]"
|
||||
Protocol = "http"
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
Kind = "service-defaults"
|
||||
Name = "[[ .immich.instance ]][[ .consul.suffix ]]"
|
||||
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
Protocol = "http"
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
Kind = "service-intentions"
|
||||
Name = "[[ .immich.instance ]]-ml[[ .consul.suffix ]]"
|
||||
Name = "[[ .instance ]]-ml[[ .consul.suffix ]]"
|
||||
Sources = [
|
||||
{
|
||||
Name = "[[ .immich.instance ]]"
|
||||
Name = "[[ .instance ]]"
|
||||
Permissions = [
|
||||
{
|
||||
Action = "allow"
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
Kind = "service-intentions"
|
||||
Name = "[[ .immich.instance ]][[ .consul.suffix ]]"
|
||||
Name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
Sources = [
|
||||
{
|
||||
Name = "[[ .traefik.instance ]]"
|
||||
Name = "[[ (merge .immich .).traefik.instance ]]"
|
||||
Permissions = [
|
||||
{
|
||||
Action = "allow"
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
[[ $c := merge .immich . -]]
|
||||
|
||||
job [[ .immich.instance | toJSON ]] {
|
||||
job [[ .instance | toJSON ]] {
|
||||
|
||||
[[ template "common/job_start" . ]]
|
||||
|
||||
|
|
@ -15,7 +15,7 @@ job [[ .immich.instance | toJSON ]] {
|
|||
[[ template "common/volumes" $c.volumes ]]
|
||||
|
||||
service {
|
||||
name = "[[ .immich.instance ]][[ .consul.suffix ]]"
|
||||
name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
port = 3001
|
||||
|
||||
[[ template "common/connect" $c ]]
|
||||
|
|
@ -36,32 +36,32 @@ job [[ .immich.instance | toJSON ]] {
|
|||
"[[ $c.traefik.instance ]].enable=[[ $c.traefik.enabled ]]",
|
||||
|
||||
# Define a middleware to set custom CSP headers
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.contentsecuritypolicy=[[ range $k, $v := $c.traefik.csp ]][[ $k ]] [[ $v ]];[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-headers[[ .consul.suffix ]].headers.customrequestheaders.X-Forwarded-Proto=https",
|
||||
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
# Immich exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .immich.instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",
|
||||
"[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse .immich.public_url).Path ]]",
|
||||
[[- end ]]
|
||||
|
||||
[[- $s := merge .immich.server.share . ]]
|
||||
# We use a distinct routers for /share so we can apply different middlewares (eg, /share is public while everything else is private)
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/share/`)",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path ]]/share/`)",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ .immich.instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",
|
||||
[[- else ]]
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .immich.instance ]]-share[[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",
|
||||
"[[ $s.traefik.instance ]].http.routers.[[ .instance ]]-share[[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $s.traefik ]]",
|
||||
[[- end ]]
|
||||
|
||||
# Main app router
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
|
||||
[[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ .immich.instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ .instance ]]-prefix[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
||||
[[- else ]]
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .immich.instance ]][[ .consul.suffix ]].middlewares=[[ .immich.instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
||||
"[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-headers[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c.traefik ]]",
|
||||
[[- end ]]
|
||||
]
|
||||
}
|
||||
|
|
@ -86,7 +86,7 @@ job [[ .immich.instance | toJSON ]] {
|
|||
}
|
||||
|
||||
vault {
|
||||
policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
|
||||
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
|
||||
env = false
|
||||
disable_file = true
|
||||
}
|
||||
|
|
@ -129,7 +129,7 @@ job [[ .immich.instance | toJSON ]] {
|
|||
}
|
||||
|
||||
vault {
|
||||
policies = ["[[ .immich.instance ]][[ .consul.suffix ]]"]
|
||||
policies = ["[[ .instance ]][[ .consul.suffix ]]"]
|
||||
env = false
|
||||
disable_file = true
|
||||
}
|
||||
|
|
@ -165,7 +165,7 @@ job [[ .immich.instance | toJSON ]] {
|
|||
[[ template "common/volumes" $c.volumes ]]
|
||||
|
||||
service {
|
||||
name = "[[ .immich.instance ]]-ml[[ .consul.suffix ]]"
|
||||
name = "[[ .instance ]]-ml[[ .consul.suffix ]]"
|
||||
port = 3003
|
||||
[[ template "common/connect" $c ]]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
[[- template "common/vault.mkpgrole.sh.tpl"
|
||||
[[- template "common/vault.mkpgrole.sh"
|
||||
dict "ctx" .
|
||||
"config" (dict "role" .immich.instance "database" "postgres")
|
||||
"config" (dict "role" .instance "database" "postgres")
|
||||
]]
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "immich" .immich.instance) ]]
|
||||
[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "immich" .instance) ]]
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
|
||||
# Name of this instance of immich
|
||||
instance: immich
|
||||
|
||||
immich:
|
||||
|
||||
# Name of this instance of immich
|
||||
instance: immich
|
||||
|
||||
# Immich version
|
||||
version: v1.91.3
|
||||
version: v1.91.4
|
||||
|
||||
# API server settings
|
||||
server:
|
||||
|
|
@ -16,7 +16,7 @@ immich:
|
|||
|
||||
# Additional env to set ni the container
|
||||
env:
|
||||
DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .immich.instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .immich.instance ]]{{ end }}'
|
||||
DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .instance ]]{{ end }}'
|
||||
NODE_OPTIONS: --max-old-space-size={{ env "NOMAD_MEMORY_LIMIT" }}
|
||||
|
||||
# Resource allocation
|
||||
|
|
@ -28,13 +28,13 @@ immich:
|
|||
# Wait for services to be ready before starting
|
||||
wait_for:
|
||||
- service: master.postgres[[ .consul.suffix ]]
|
||||
- service: '[[ .immich.instance ]]-ml[[ .consul.suffix ]]'
|
||||
- service: '[[ .instance ]]-ml[[ .consul.suffix ]]'
|
||||
|
||||
consul:
|
||||
connect:
|
||||
# Connect to some services through the mesh
|
||||
upstreams:
|
||||
- destination_name: '[[ .immich.instance ]]-ml[[ .consul.suffix ]]'
|
||||
- destination_name: '[[ .instance ]]-ml[[ .consul.suffix ]]'
|
||||
local_bind_port: 3003
|
||||
- destination_name: postgres[[ .consul.suffix ]]
|
||||
local_bind_port: 5432
|
||||
|
|
@ -76,7 +76,7 @@ immich:
|
|||
volumes:
|
||||
data:
|
||||
type: csi
|
||||
source: '[[ .immich.instance ]]-data'
|
||||
source: '[[ .instance ]]-data'
|
||||
|
||||
# The microservices do the bulk of media handling (thumbnails etc.)
|
||||
microservices:
|
||||
|
|
@ -86,7 +86,7 @@ immich:
|
|||
|
||||
# Env vars to set in the container
|
||||
env:
|
||||
DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .immich.instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .immich.instance ]]{{ end }}'
|
||||
DB_URL: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}postgres://{{ .Data.username }}:{{ urlquery .Data.password }}@localhost:5432/[[ .instance ]]{{ end }}'
|
||||
NODE_OPTIONS: --max-old-space-size={{ env "NOMAD_MEMORY_LIMIT" }}
|
||||
|
||||
# Resource allocation
|
||||
|
|
@ -116,7 +116,7 @@ immich:
|
|||
# Volume used for models cache
|
||||
ml:
|
||||
type: csi
|
||||
source: '[[ .immich.instance ]]-ml'
|
||||
source: '[[ .instance ]]-ml'
|
||||
|
||||
# Redis task will use a common template
|
||||
# We just set custom resources allocation
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
path "[[ .vault.prefix ]]database/creds/[[ .immich.instance ]]" {
|
||||
path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "[[ .vault.prefix ]]kv/data/service/[[ .immich.instance ]]" {
|
||||
path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue