add immich docker compose info and move db password to sops secrets file

2026-02-10 18:35:30 +03:00
parent d457efd566
commit ab495df606
3 changed files with 57 additions and 11 deletions
--- a/hosts/home-morefine/docker/immich/.env
+++ b/hosts/home-morefine/docker/immich/.env
@@ -0,0 +1,21 @@
+# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+
+# The location where your uploaded files are stored
+UPLOAD_LOCATION=/srv/photo/immich
+# The location where your database files are stored
+DB_DATA_LOCATION=/srv/rundata/immich/postgres
+MACHINE_LEARNING_CACHE=/srv/rundata/immich/ml-cache
+
+# TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=Europe/Minsk
+
+# The Immich version to use. You can pin this to a specific version like "v1.71.0"
+IMMICH_VERSION=v2
+# IMMICH_VERSION=release
+
+#DB_PASSWORD=secrets.sops.yaml
+
+# The values below this line do not need to be changed
+###################################################################################
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich
--- a/hosts/home-morefine/docker/immich/docker-compose.yml
+++ b/hosts/home-morefine/docker/immich/docker-compose.yml
@@ -0,0 +1,92 @@
+#
+# Immich install guide: https://immich.app/docs/install/docker-compose
+#
+
+name: immich
+
+services:
+  immich-server:
+    container_name: immich_server
+    networks:
+      - caddy_internal
+      - immich_internal
+    dns:
+      - 192.168.1.131 # pi-hole
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+    # extends:
+    #   file: hwaccel.transcoding.yml
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+    volumes:
+      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+      - ${UPLOAD_LOCATION}:/usr/src/app/upload
+      - /home/photo:/mnt/media/photo
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - .env
+    ports:
+      - '10.8.0.3:2283:2283'
+    depends_on:
+      - redis
+      - database
+    restart: always
+    healthcheck:
+      disable: false
+
+  immich-machine-learning:
+    networks:
+      - immich_internal
+    container_name: immich_machine_learning
+    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
+    # Example tag: ${IMMICH_VERSION:-release}-cuda
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
+    #   file: hwaccel.ml.yml
+    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    volumes:
+      - ./model-cache:/cache
+    env_file:
+      - .env
+    restart: always
+    healthcheck:
+      disable: false
+
+  redis:
+    networks:
+      - immich_internal
+    container_name: immich_redis
+    image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+
+  database:
+    container_name: immich_postgres
+    environment:
+      POSTGRES_PASSWORD_FILE: /run/secrets/DB_PASSWORD
+      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_DB: ${DB_DATABASE_NAME}
+      POSTGRES_INITDB_ARGS: '--data-checksums'
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+    networks:
+      - immich_internal
+    restart: always
+    secrets:
+      - DB_PASSWORD
+    volumes:
+      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
+
+networks:
+  immich_internal:
+    name: immich_internal
+  caddy_internal:
+    external: true
+
+secrets:
+  DB_PASSWORD:
+    file: /run/secrets/immich/DB_PASSWORD
--- a/hosts/home-morefine/docker/immich/secrets.sops.yaml
+++ b/hosts/home-morefine/docker/immich/secrets.sops.yaml
@@ -0,0 +1,17 @@
+# Please use only the characters `A-Za-z0-9`, without special characters or spaces
+DB_PASSWORD: ENC[AES256_GCM,data:v7dxQRI94avPEMRG5Q==,iv:82ryEihn3Y0wyCwVHZcjQsG3W8ULgP7KPQe3EFulTn0=,tag:NX4L5cOyt6IO9vpyJyE5Ag==,type:str]
+sops:
+    age:
+        - recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcHR4eTZPKzJjSGo4QUFl
+            SjU0QlBYRWljc3hwUlVtTEE0U0tnMjk0am5FCmdaR0Qrd3ZXRlFUUlJwczRVc0Ns
+            UzZuNTBpNTRwb1QvMmxpZkNIN240QTAKLS0tIEtqU2V2anQreUN1d2NCajFBdUhr
+            NCtUYkI2ZnAxeFhEVWUzZHdrZEhOTjAKrh5PJRhltrzHeRXszUkNQCYL6B+1H/IO
+            Dyejx0yRMH+6cwEBJN3GntSQb/bIpti+GmuygVz4EAUQDB8tbMfwnA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-09T19:01:00Z"
+    mac: ENC[AES256_GCM,data:FGsmuyElgkdrvKCxjk2NqwC1DodHoBWNTsOtXTRN5EO1L6ADydhfTcRs/Smpy2gnvvT67Xav2N21+fCXdJArdYtRevsKuPTsX2FxxdfeiBIJxDq3ernb33iXxZd0Fs9H7Usfm7GdQJZtWUVwwLg5/JJ0I9tMzisj2xbC5Z0g4Wo=,iv:75+ytm9Qeo8KIw+ilRL73mWQuH42mAICOmcUQoB9+20=,tag:5SfMWP5tK5KjbMOY9nl12w==,type:str]
+    encrypted_regex: ^(DB_PASSWORD|API_KEY)$
+    version: 3.11.0