From ab495df6066a1de1f0866cdbda02734c672172a8 Mon Sep 17 00:00:00 2001
From: "v.karaychentsev" <105486287+vk-aterise@users.noreply.github.com>
Date: Tue, 10 Feb 2026 18:35:30 +0300
Subject: [PATCH] add immich docker compose info and move db password to sops secrets file
---
 hosts/home-morefine/docker/immich/.env | 21 +++++++++++++
 .../docker}/immich/docker-compose.yml | 30 ++++++++++++-------
 .../docker/immich/secrets.sops.yaml | 17 +++++++++++
 3 files changed, 57 insertions(+), 11 deletions(-)
 create mode 100644 hosts/home-morefine/docker/immich/.env
 rename {lab-home => hosts/home-morefine/docker}/immich/docker-compose.yml (83%)
 create mode 100644 hosts/home-morefine/docker/immich/secrets.sops.yaml
diff --git a/hosts/home-morefine/docker/immich/.env b/hosts/home-morefine/docker/immich/.env
new file mode 100644
index 0000000..f54a803
--- /dev/null
+++ b/hosts/home-morefine/docker/immich/.env
@@ -0,0 +1,21 @@
+# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+
+# The location where your uploaded files are stored
+UPLOAD_LOCATION=/srv/photo/immich
+# The location where your database files are stored
+DB_DATA_LOCATION=/srv/rundata/immich/postgres
+MACHINE_LEARNING_CACHE=/srv/rundata/immich/ml-cache
+
+# TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=Europe/Minsk
+
+# The Immich version to use. You can pin this to a specific version like "v1.71.0"
+IMMICH_VERSION=v2
+# IMMICH_VERSION=release
+
+#DB_PASSWORD=secrets.sops.yaml
+
+# The values below this line do not need to be changed
+###################################################################################
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich
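Review bot: With `#DB_PASSWORD=secrets.sops.yaml` commented out, nothing in this hunk provides a database password for the immich-server side of the stack, while the docker-compose.yml hunk below switches only the `database` service to `POSTGRES_PASSWORD_FILE`; if the server still takes `DB_PASSWORD` from this `.env` (its service definition is outside the hunks shown), it will start without the value the database now uses. Immich's environment-variable documentation describes a `_FILE` suffix for the `DB_*` settings, so the same Docker secret could be mounted on the server service and referenced as `DB_PASSWORD_FILE=/run/secrets/DB_PASSWORD` — confirm this against the server service before relying on it. The commented line also reads as if a filename were the expected value; a clearer note is `# DB_PASSWORD is intentionally not set here: the database reads it from the Docker secret declared in docker-compose.yml (decrypted from secrets.sops.yaml)`.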
diff --git a/lab-home/immich/docker-compose.yml b/hosts/home-morefine/docker/immich/docker-compose.yml
similarity index 83%
rename from lab-home/immich/docker-compose.yml
rename to hosts/home-morefine/docker/immich/docker-compose.yml
index c6a361e..e3e323b 100644
--- a/lab-home/immich/docker-compose.yml
+++ b/hosts/home-morefine/docker/immich/docker-compose.yml
@@ -11,7 +11,7 @@ services:
 - caddy_internal
 - immich_internal
 dns:
- - 172.24.0.6 # pi-hole
+ - 192.168.1.131 # pi-hole
 image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
 # extends:
 # file: hwaccel.transcoding.yml
@@ -60,25 +60,33 @@ services:
 restart: always
 database:
- networks:
- - immich_internal
 container_name: immich_postgres
- image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
 environment:
- POSTGRES_PASSWORD: ${DB_PASSWORD}
+ POSTGRES_PASSWORD_FILE: /run/secrets/DB_PASSWORD
 POSTGRES_USER: ${DB_USERNAME}
 POSTGRES_DB: ${DB_DATABASE_NAME}
 POSTGRES_INITDB_ARGS: '--data-checksums'
- volumes:
- # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
+ healthcheck:
+ test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+ networks:
+ - immich_internal
 restart: always
-
-# volumes:
-# model-cache:
+ secrets:
+ - DB_PASSWORD
+ volumes:
+ # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+ - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
 networks:
 immich_internal:
 name: immich_internal
 caddy_internal:
 external: true
+
+secrets:
+ DB_PASSWORD:
+ file: /run/secrets/immich/DB_PASSWORD
\ No newline at end of file
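Review bot: The new healthcheck `pg_isready -U postgres` hardcodes the role while the service itself takes `POSTGRES_USER` from `${DB_USERNAME}` a few lines above, so the two can drift apart when the .env value changes; `test: ["CMD-SHELL", "pg_isready --dbname=$${POSTGRES_DB} --username=$${POSTGRES_USER} || exit 1"]` keeps the check tied to the configured values (the `$$` stops Compose from interpolating at parse time and leaves expansion to the container shell). The top-level `secrets:` entry points at `/run/secrets/immich/DB_PASSWORD` on the host, but nothing in this commit shows how that file is produced from secrets.sops.yaml, so a comment naming the decryption step that writes it would save the next reader a search. The file also ends without a trailing newline (`\ No newline at end of file`).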
diff --git a/hosts/home-morefine/docker/immich/secrets.sops.yaml b/hosts/home-morefine/docker/immich/secrets.sops.yaml
new file mode 100644
index 0000000..54d1b21
--- /dev/null
+++ b/hosts/home-morefine/docker/immich/secrets.sops.yaml
@@ -0,0 +1,17 @@
+# Please use only the characters `A-Za-z0-9`, without special characters or spaces
+DB_PASSWORD: ENC[AES256_GCM,data:v7dxQRI94avPEMRG5Q==,iv:82ryEihn3Y0wyCwVHZcjQsG3W8ULgP7KPQe3EFulTn0=,tag:NX4L5cOyt6IO9vpyJyE5Ag==,type:str]
+sops:
+ age:
+ - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcHR4eTZPKzJjSGo4QUFl
+ SjU0QlBYRWljc3hwUlVtTEE0U0tnMjk0am5FCmdaR0Qrd3ZXRlFUUlJwczRVc0Ns
+ UzZuNTBpNTRwb1QvMmxpZkNIN240QTAKLS0tIEtqU2V2anQreUN1d2NCajFBdUhr
+ NCtUYkI2ZnAxeFhEVWUzZHdrZEhOTjAKrh5PJRhltrzHeRXszUkNQCYL6B+1H/IO
+ Dyejx0yRMH+6cwEBJN3GntSQb/bIpti+GmuygVz4EAUQDB8tbMfwnA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-09T19:01:00Z"
+ mac: ENC[AES256_GCM,data:FGsmuyElgkdrvKCxjk2NqwC1DodHoBWNTsOtXTRN5EO1L6ADydhfTcRs/Smpy2gnvvT67Xav2N21+fCXdJArdYtRevsKuPTsX2FxxdfeiBIJxDq3ernb33iXxZd0Fs9H7Usfm7GdQJZtWUVwwLg5/JJ0I9tMzisj2xbC5Z0g4Wo=,iv:75+ytm9Qeo8KIw+ilRL73mWQuH42mAICOmcUQoB9+20=,tag:5SfMWP5tK5KjbMOY9nl12w==,type:str]
+ encrypted_regex: ^(DB_PASSWORD|API_KEY)$
+ version: 3.11.0
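Review bot: `encrypted_regex: ^(DB_PASSWORD|API_KEY)$` means only those two keys are encrypted; any other key added to this file later is committed to the repository in cleartext, and the header comment says nothing about that. Extend the comment at the top of the file, e.g. `# Only keys matching sops.encrypted_regex (DB_PASSWORD, API_KEY) are encrypted; add a new key to that regex before adding it here`. It would also help to state here which host path the decrypted DB_PASSWORD is written to, since docker-compose.yml expects it at /run/secrets/immich/DB_PASSWORD and the step producing that file is not part of this commit.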