feat: Initial commit

2025-03-20 13:39:58 +01:00 · 2025-03-20 13:39:58 +01:00 · feb76efafc
commit feb76efafc
15 changed files with 538 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -0,0 +1,210 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: immich-config
  namespace: immich
 data:
  immich.json: |
    {
      "backup": {
        "database": {
          "cronExpression": "0 02 * * *",
          "enabled": true,
          "keepLastAmount": 14
        }
      },
      "ffmpeg": {
        "accel": "disabled",
        "accelDecode": false,
        "acceptedAudioCodecs": [
          "aac",
          "mp3",
          "libopus",
          "pcm_s16le"
        ],
        "acceptedContainers": [
          "mov",
          "ogg",
          "webm"
        ],
        "acceptedVideoCodecs": [
          "h264"
        ],
        "bframes": -1,
        "cqMode": "auto",
        "crf": 23,
        "gopSize": 0,
        "maxBitrate": "0",
        "preferredHwDevice": "auto",
        "preset": "ultrafast",
        "refs": 0,
        "targetAudioCodec": "aac",
        "targetResolution": "720",
        "targetVideoCodec": "h264",
        "temporalAQ": false,
        "threads": 0,
        "tonemap": "hable",
        "transcode": "required",
        "twoPass": false
      },
      "image": {
        "colorspace": "p3",
        "extractEmbedded": false,
        "preview": {
          "format": "jpeg",
          "quality": 80,
          "size": 1440
        },
        "thumbnail": {
          "format": "webp",
          "quality": 80,
          "size": 250
        }
      },
      "job": {
        "backgroundTask": {
          "concurrency": 5
        },
        "faceDetection": {
          "concurrency": 2
        },
        "library": {
          "concurrency": 5
        },
        "metadataExtraction": {
          "concurrency": 5
        },
        "migration": {
          "concurrency": 5
        },
        "notifications": {
          "concurrency": 5
        },
        "search": {
          "concurrency": 5
        },
        "sidecar": {
          "concurrency": 5
        },
        "smartSearch": {
          "concurrency": 2
        },
        "thumbnailGeneration": {
          "concurrency": 3
        },
        "videoConversion": {
          "concurrency": 1
        }
      },
      "library": {
        "scan": {
          "cronExpression": "0 0 * * *",
          "enabled": true
        },
        "watch": {
          "enabled": false
        }
      },
      "logging": {
        "enabled": true,
        "level": "log"
      },
      "machineLearning": {
        "clip": {
          "enabled": true,
          "modelName": "ViT-B-32__openai"
        },
        "duplicateDetection": {
          "enabled": true,
          "maxDistance": 0.01
        },
        "enabled": true,
        "facialRecognition": {
          "enabled": true,
          "maxDistance": 0.5,
          "minFaces": 3,
          "minScore": 0.7,
          "modelName": "buffalo_l"
        },
        "urls": [
          "http://immich-svc.immich.svc.cluster.local:3003"
        ]
      },
      "map": {
        "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json",
        "enabled": true,
        "lightStyle": "https://tiles.immich.cloud/v1/style/light.json"
      },
      "metadata": {
        "faces": {
          "import": false
        }
      },
      "newVersionCheck": {
        "enabled": true
      },
      "notifications": {
        "smtp": {
          "enabled": false,
          "from": "",
          "replyTo": "",
          "transport": {
            "host": "",
            "ignoreCert": false,
            "password": "",
            "port": 587,
            "username": ""
          }
        }
      },
      "oauth": {
        "autoLaunch": false,
        "autoRegister": true,
        "buttonText": "Login with OAuth",
        "clientId": "",
        "clientSecret": "",
        "defaultStorageQuota": 0,
        "enabled": false,
        "issuerUrl": "",
        "mobileOverrideEnabled": false,
        "mobileRedirectUri": "",
        "profileSigningAlgorithm": "none",
        "scope": "openid email profile",
        "signingAlgorithm": "RS256",
        "storageLabelClaim": "preferred_username",
        "storageQuotaClaim": "immich_quota"
      },
      "passwordLogin": {
        "enabled": true
      },
      "reverseGeocoding": {
        "enabled": true
      },
      "server": {
        "externalDomain": "",
        "loginPageMessage": "",
        "publicUsers": true
      },
      "storageTemplate": {
        "enabled": true,
        "hashVerificationEnabled": true,
        "template": "{{y}}/{{dd}}-{{MM}}/{{filename}}"
      },
      "templates": {
        "email": {
          "albumInviteTemplate": "",
          "albumUpdateTemplate": "",
          "welcomeTemplate": ""
        }
      },
      "theme": {
        "customCss": ""
      },
      "trash": {
        "days": 30,
        "enabled": true
      },
      "user": {
        "deleteDelay": 7
      }
    }
--- a/manifests/database-backup.yaml
+++ b/manifests/database-backup.yaml
@ -0,0 +1,10 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
  name: postiz-db-backup
  namespace: postiz
 spec:
  schedule: "0 0 0 * * *"
  backupOwnerReference: self
  cluster:
    name: postiz-db
--- a/manifests/database-ondemand-backup.yaml
+++ b/manifests/database-ondemand-backup.yaml
@ -0,0 +1,8 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Backup
 metadata:
  name: immich-db-ondemand-backup-280225
  namespace: immich
 spec:
  cluster:
    name: immich-db
--- a/manifests/database-recovery.yaml
+++ b/manifests/database-recovery.yaml
@ -0,0 +1,55 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-db
  namespace: immich
 spec:
  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.5-v0.3.0
  instances: 1
  storage:
    size: 1Gi
    storageClass: local-path
  bootstrap:
    recovery:
      source: immich-db
  postgresql:
    pg_hba:
      - host all all all md5
    shared_preload_libraries:
      - "vectors.so"
    parameters:
      max_wal_size: "2GB"
      shared_buffers: "512MB"
      wal_compression: "on"
  externalClusters:
    - name: immich-db
      barmanObjectStore:
        serverName: immich-db
        destinationPath: "s3://halis/cloudnativepg"
        endpointURL: https://s3.halia.dev
        s3Credentials:
          accessKeyId:
            name: s3-secret
            key: AWS_ACCESS_KEY_ID
          secretAccessKey:
            name: s3-secret
            key: AWS_SECRET_ACCESS_KEY
          region:
            name: s3-secret
            key: AWS_REGION
        wal:
          compression: gzip
          maxParallel: 8
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi
--- a/manifests/database.yaml
+++ b/manifests/database.yaml
@ -0,0 +1,52 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: postiz-db
  namespace: postiz
 spec:
  instances: 3
  storage:
    size: 1Gi
    storageClass: local-path
  bootstrap:
    initdb:
      database: postiz
      owner: postiz
      secret:
        name: postiz-db
  postgresql:
    pg_hba:
      - host all all all md5
  backup:
    barmanObjectStore:
      destinationPath: "s3://halis/cloudnativepg"
      endpointURL: https://s3.halia.dev
      s3Credentials:
        accessKeyId:
          name: s3-secret
          key: AWS_ACCESS_KEY_ID
        secretAccessKey:
          name: s3-secret
          key: AWS_SECRET_ACCESS_KEY
        region:
          name: s3-secret
          key: AWS_REGION
      wal:
        compression: gzip
        maxParallel: 8
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi
  monitoring:
    enablePodMonitor: true
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@ -0,0 +1,70 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
    name: postiz
    namespace: postiz
 spec:
    replicas: 1
    selector:
        matchLabels:
            app: postiz
    template:
        metadata:
            labels:
                app: postiz
        spec:
            containers:
              - name: postiz-web
                image: ghcr.io/gitroomhq/postiz-app:v1.36.1-arm64
                ports:
                  - containerPort: 5000
                envFrom:
                  - secretRef:
                      name: postiz-providers
                env:
                  - name: MAIN_URL
                    value: "https://postiz.halis.io"
                  - name: FRONTEND_URL
                    value: "https://postiz.halis.io"
                  - name: NEXT_PUBLIC_BACKEND_URL
                    value: "https://postiz.halis.io/api"
                  - name: JWT_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: postiz-secrets
                        key: JWT_SECRET
                  - name: DB_USER
                    valueFrom:
                      secretKeyRef:
                        name: postiz-db
                        key: username
                  - name: DB_PASS
                    valueFrom:
                      secretKeyRef:
                        name: postiz-db
                        key: password
                  - name: DATABASE_URL
                    value: "postgresql://$(DB_USER):$(DB_PASS)@postiz-db-rw.postiz.svc.cluster.local:5432/postiz"
                  - name: REDIS_URL
                    value: "redis://redis-svc.postiz.svc.cluster.local:6379"
                  - name: BACKEND_INTERNAL_URL
                    value: "http://localhost:3000"
                  - name: IS_GENERAL
                    value: "true"
                  - name: STORAGE_PROVIDER
                    value: "local"
                  - name: UPLOAD_DIRECTORY
                    value: "/uploads"
                  - name: NEXT_PUBLIC_UPLOAD_DIRECTORY
                    value: "/uploads"
                volumeMounts:
                  - mountPath: "/uploads"
                    name: postiz-data
              - name: redis
                image: redis:7.4.2
                ports:
                  - containerPort: 6379
            volumes:
              - name: postiz-data
                persistentVolumeClaim:
                  claimName: postiz-pvc
--- a/manifests/ingress.yaml
+++ b/manifests/ingress.yaml
@ -0,0 +1,29 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: postiz-ingress
  namespace: postiz
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx-external
    acme.cert-manager.io/http01-edit-in-place: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
 spec:
  tls:
  - hosts:
    - postiz.halis.io
    secretName: postiz-halis-io-tls
  ingressClassName: nginx-external
  rules:
  - host: postiz.halis.io
    http:
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: postiz-svc
              port:
                number: 80
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - secrets.yaml
  - database.yaml
  - deployment.yaml
  - database-backup.yaml
  - service.yaml
  - redis-service.yaml
  - ingress.yaml
  - pvc.yaml
--- a/manifests/namespace.yaml
+++ b/manifests/namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: postiz
--- a/manifests/pvc.yaml
+++ b/manifests/pvc.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: postiz-pvc
  namespace: postiz
  labels:
    recurring-job.longhorn.io/source: enabled
    recurring-job-group.longhorn.io/standard-pvc: enabled
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: redundant-storage-class
--- a/manifests/redis-service.yaml
+++ b/manifests/redis-service.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
    name: redis-svc
    namespace: postiz
    labels:
      app.kubernetes.io/name: postiz
 spec:
    ports:
        - name: http
          port: 6379
          protocol: TCP
          targetPort: 6379
    selector:
        app: postiz
--- a/manifests/secrets.yaml
+++ b/manifests/secrets.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: postiz-secrets
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/k3s-secrets
    targetRevision: prod-migration
    path: postiz
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: postiz
--- a/manifests/service.yaml
+++ b/manifests/service.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
    name: postiz-svc
    namespace: postiz
    labels:
      app.kubernetes.io/name: postiz
 spec:
    ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: 5000
    selector:
        app: postiz
--- a/manifests/servicemonitor.yaml
+++ b/manifests/servicemonitor.yaml
@ -0,0 +1,18 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: postiz
  namespace: postiz
  labels:
    team: core
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: postiz
  endpoints:
    - port: streaming
      path: /metrics
    - port: web-metrics
      path: /metrics
    - port: sidekiq-metrics
      path: /metrics