feat: Initial commit

2025-03-20 13:39:58 +01:00 · 2025-03-20 13:39:58 +01:00 · feb76efafc
commit feb76efafc
15 changed files with 538 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -0,0 +1,210 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: immich-config
+  namespace: immich
+data:
+  immich.json: |
+    {
+      "backup": {
+        "database": {
+          "cronExpression": "0 02 * * *",
+          "enabled": true,
+          "keepLastAmount": 14
+        }
+      },
+      "ffmpeg": {
+        "accel": "disabled",
+        "accelDecode": false,
+        "acceptedAudioCodecs": [
+          "aac",
+          "mp3",
+          "libopus",
+          "pcm_s16le"
+        ],
+        "acceptedContainers": [
+          "mov",
+          "ogg",
+          "webm"
+        ],
+        "acceptedVideoCodecs": [
+          "h264"
+        ],
+        "bframes": -1,
+        "cqMode": "auto",
+        "crf": 23,
+        "gopSize": 0,
+        "maxBitrate": "0",
+        "preferredHwDevice": "auto",
+        "preset": "ultrafast",
+        "refs": 0,
+        "targetAudioCodec": "aac",
+        "targetResolution": "720",
+        "targetVideoCodec": "h264",
+        "temporalAQ": false,
+        "threads": 0,
+        "tonemap": "hable",
+        "transcode": "required",
+        "twoPass": false
+      },
+      "image": {
+        "colorspace": "p3",
+        "extractEmbedded": false,
+        "preview": {
+          "format": "jpeg",
+          "quality": 80,
+          "size": 1440
+        },
+        "thumbnail": {
+          "format": "webp",
+          "quality": 80,
+          "size": 250
+        }
+      },
+      "job": {
+        "backgroundTask": {
+          "concurrency": 5
+        },
+        "faceDetection": {
+          "concurrency": 2
+        },
+        "library": {
+          "concurrency": 5
+        },
+        "metadataExtraction": {
+          "concurrency": 5
+        },
+        "migration": {
+          "concurrency": 5
+        },
+        "notifications": {
+          "concurrency": 5
+        },
+        "search": {
+          "concurrency": 5
+        },
+        "sidecar": {
+          "concurrency": 5
+        },
+        "smartSearch": {
+          "concurrency": 2
+        },
+        "thumbnailGeneration": {
+          "concurrency": 3
+        },
+        "videoConversion": {
+          "concurrency": 1
+        }
+      },
+      "library": {
+        "scan": {
+          "cronExpression": "0 0 * * *",
+          "enabled": true
+        },
+        "watch": {
+          "enabled": false
+        }
+      },
+      "logging": {
+        "enabled": true,
+        "level": "log"
+      },
+      "machineLearning": {
+        "clip": {
+          "enabled": true,
+          "modelName": "ViT-B-32__openai"
+        },
+        "duplicateDetection": {
+          "enabled": true,
+          "maxDistance": 0.01
+        },
+        "enabled": true,
+        "facialRecognition": {
+          "enabled": true,
+          "maxDistance": 0.5,
+          "minFaces": 3,
+          "minScore": 0.7,
+          "modelName": "buffalo_l"
+        },
+        "urls": [
+          "http://immich-svc.immich.svc.cluster.local:3003"
+        ]
+      },
+      "map": {
+        "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json",
+        "enabled": true,
+        "lightStyle": "https://tiles.immich.cloud/v1/style/light.json"
+      },
+      "metadata": {
+        "faces": {
+          "import": false
+        }
+      },
+      "newVersionCheck": {
+        "enabled": true
+      },
+      "notifications": {
+        "smtp": {
+          "enabled": false,
+          "from": "",
+          "replyTo": "",
+          "transport": {
+            "host": "",
+            "ignoreCert": false,
+            "password": "",
+            "port": 587,
+            "username": ""
+          }
+        }
+      },
+      "oauth": {
+        "autoLaunch": false,
+        "autoRegister": true,
+        "buttonText": "Login with OAuth",
+        "clientId": "",
+        "clientSecret": "",
+        "defaultStorageQuota": 0,
+        "enabled": false,
+        "issuerUrl": "",
+        "mobileOverrideEnabled": false,
+        "mobileRedirectUri": "",
+        "profileSigningAlgorithm": "none",
+        "scope": "openid email profile",
+        "signingAlgorithm": "RS256",
+        "storageLabelClaim": "preferred_username",
+        "storageQuotaClaim": "immich_quota"
+      },
+      "passwordLogin": {
+        "enabled": true
+      },
+      "reverseGeocoding": {
+        "enabled": true
+      },
+      "server": {
+        "externalDomain": "",
+        "loginPageMessage": "",
+        "publicUsers": true
+      },
+      "storageTemplate": {
+        "enabled": true,
+        "hashVerificationEnabled": true,
+        "template": "{{y}}/{{dd}}-{{MM}}/{{filename}}"
+      },
+      "templates": {
+        "email": {
+          "albumInviteTemplate": "",
+          "albumUpdateTemplate": "",
+          "welcomeTemplate": ""
+        }
+      },
+      "theme": {
+        "customCss": ""
+      },
+      "trash": {
+        "days": 30,
+        "enabled": true
+      },
+      "user": {
+        "deleteDelay": 7
+      }
+    }
--- a/manifests/database-backup.yaml
+++ b/manifests/database-backup.yaml
@ -0,0 +1,10 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: postiz-db-backup
+  namespace: postiz
+spec:
+  schedule: "0 0 0 * * *"
+  backupOwnerReference: self
+  cluster:
+    name: postiz-db
--- a/manifests/database-ondemand-backup.yaml
+++ b/manifests/database-ondemand-backup.yaml
@ -0,0 +1,8 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Backup
+metadata:
+  name: immich-db-ondemand-backup-280225
+  namespace: immich
+spec:
+  cluster:
+    name: immich-db
--- a/manifests/database-recovery.yaml
+++ b/manifests/database-recovery.yaml
@ -0,0 +1,55 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-db
+  namespace: immich
+
+spec:
+  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.5-v0.3.0
+  instances: 1
+
+  storage:
+    size: 1Gi
+    storageClass: local-path
+
+  bootstrap:
+    recovery:
+      source: immich-db
+
+  postgresql:
+    pg_hba:
+      - host all all all md5
+    shared_preload_libraries:
+      - "vectors.so"
+    parameters:
+      max_wal_size: "2GB"
+      shared_buffers: "512MB"
+      wal_compression: "on"
+
+  externalClusters:
+    - name: immich-db
+      barmanObjectStore:
+        serverName: immich-db
+        destinationPath: "s3://halis/cloudnativepg"
+        endpointURL: https://s3.halia.dev
+        s3Credentials:
+          accessKeyId:
+            name: s3-secret
+            key: AWS_ACCESS_KEY_ID
+          secretAccessKey:
+            name: s3-secret
+            key: AWS_SECRET_ACCESS_KEY
+          region:
+            name: s3-secret
+            key: AWS_REGION
+        wal:
+          compression: gzip
+          maxParallel: 8
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
--- a/manifests/database.yaml
+++ b/manifests/database.yaml
@ -0,0 +1,52 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postiz-db
+  namespace: postiz
+
+spec:
+  instances: 3
+
+  storage:
+    size: 1Gi
+    storageClass: local-path
+
+  bootstrap:
+    initdb:
+      database: postiz
+      owner: postiz
+      secret:
+        name: postiz-db
+
+  postgresql:
+    pg_hba:
+      - host all all all md5
+
+  backup:
+    barmanObjectStore:
+      destinationPath: "s3://halis/cloudnativepg"
+      endpointURL: https://s3.halia.dev
+      s3Credentials:
+        accessKeyId:
+          name: s3-secret
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: s3-secret
+          key: AWS_SECRET_ACCESS_KEY
+        region:
+          name: s3-secret
+          key: AWS_REGION
+      wal:
+        compression: gzip
+        maxParallel: 8
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 1Gi
+
+  monitoring:
+    enablePodMonitor: true
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+    name: postiz
+    namespace: postiz
+spec:
+    replicas: 1
+    selector:
+        matchLabels:
+            app: postiz
+    template:
+        metadata:
+            labels:
+                app: postiz
+        spec:
+            containers:
+              - name: postiz-web
+                image: ghcr.io/gitroomhq/postiz-app:v1.36.1-arm64
+                ports:
+                  - containerPort: 5000
+                envFrom:
+                  - secretRef:
+                      name: postiz-providers
+                env:
+                  - name: MAIN_URL
+                    value: "https://postiz.halis.io"
+                  - name: FRONTEND_URL
+                    value: "https://postiz.halis.io"
+                  - name: NEXT_PUBLIC_BACKEND_URL
+                    value: "https://postiz.halis.io/api"
+                  - name: JWT_SECRET
+                    valueFrom:
+                      secretKeyRef:
+                        name: postiz-secrets
+                        key: JWT_SECRET
+                  - name: DB_USER
+                    valueFrom:
+                      secretKeyRef:
+                        name: postiz-db
+                        key: username
+                  - name: DB_PASS
+                    valueFrom:
+                      secretKeyRef:
+                        name: postiz-db
+                        key: password
+                  - name: DATABASE_URL
+                    value: "postgresql://$(DB_USER):$(DB_PASS)@postiz-db-rw.postiz.svc.cluster.local:5432/postiz"
+                  - name: REDIS_URL
+                    value: "redis://redis-svc.postiz.svc.cluster.local:6379"
+                  - name: BACKEND_INTERNAL_URL
+                    value: "http://localhost:3000"
+                  - name: IS_GENERAL
+                    value: "true"
+                  - name: STORAGE_PROVIDER
+                    value: "local"
+                  - name: UPLOAD_DIRECTORY
+                    value: "/uploads"
+                  - name: NEXT_PUBLIC_UPLOAD_DIRECTORY
+                    value: "/uploads"
+                volumeMounts:
+                  - mountPath: "/uploads"
+                    name: postiz-data
+              - name: redis
+                image: redis:7.4.2
+                ports:
+                  - containerPort: 6379
+            volumes:
+              - name: postiz-data
+                persistentVolumeClaim:
+                  claimName: postiz-pvc
--- a/manifests/ingress.yaml
+++ b/manifests/ingress.yaml
@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: postiz-ingress
+  namespace: postiz
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    kubernetes.io/ingress.class: nginx-external
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+spec:
+  tls:
+  - hosts:
+    - postiz.halis.io
+    secretName: postiz-halis-io-tls
+  ingressClassName: nginx-external
+  rules:
+  - host: postiz.halis.io
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: postiz-svc
+              port:
+                number: 80
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - secrets.yaml
+  - database.yaml
+  - deployment.yaml
+  - database-backup.yaml
+  - service.yaml
+  - redis-service.yaml
+  - ingress.yaml
+  - pvc.yaml
--- a/manifests/namespace.yaml
+++ b/manifests/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postiz
--- a/manifests/pvc.yaml
+++ b/manifests/pvc.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postiz-pvc
+  namespace: postiz
+  labels:
+    recurring-job.longhorn.io/source: enabled
+    recurring-job-group.longhorn.io/standard-pvc: enabled
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+  storageClassName: redundant-storage-class
--- a/manifests/redis-service.yaml
+++ b/manifests/redis-service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+    name: redis-svc
+    namespace: postiz
+    labels:
+      app.kubernetes.io/name: postiz
+spec:
+    ports:
+        - name: http
+          port: 6379
+          protocol: TCP
+          targetPort: 6379
+    selector:
+        app: postiz
--- a/manifests/secrets.yaml
+++ b/manifests/secrets.yaml
@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postiz-secrets
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.halis.io/athens-school/k3s-secrets
+    targetRevision: prod-migration
+    path: postiz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: postiz
--- a/manifests/service.yaml
+++ b/manifests/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+    name: postiz-svc
+    namespace: postiz
+    labels:
+      app.kubernetes.io/name: postiz
+spec:
+    ports:
+        - name: http
+          port: 80
+          protocol: TCP
+          targetPort: 5000
+    selector:
+        app: postiz
--- a/manifests/servicemonitor.yaml
+++ b/manifests/servicemonitor.yaml
@ -0,0 +1,18 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: postiz
+  namespace: postiz
+  labels:
+    team: core
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postiz
+  endpoints:
+    - port: streaming
+      path: /metrics
+    - port: web-metrics
+      path: /metrics
+    - port: sidekiq-metrics
+      path: /metrics