variable "tls_secret_name" {} variable "postgresql_password" {} variable "homepage_token" {} module "tls_secret" { source = "../setup_tls_secret" namespace = "immich" tls_secret_name = var.tls_secret_name } resource "kubernetes_namespace" "immich" { metadata { name = "immich" # Container comms are broken - seems due to tls # labels = { # "istio-injection" : "enabled" # } } } resource "kubernetes_persistent_volume" "immich-postgresql" { metadata { name = "immich-postgresql" } spec { capacity = { "storage" = "10Gi" } access_modes = ["ReadWriteOnce"] persistent_volume_source { nfs { path = "/mnt/main/immich/data-immich-postgresql" server = "10.0.10.15" } } } } resource "kubernetes_persistent_volume" "immich" { metadata { name = "immich" } spec { capacity = { "storage" = "100Gi" } access_modes = ["ReadWriteOnce"] persistent_volume_source { nfs { path = "/mnt/main/immich/immich" server = "10.0.10.15" } } } } resource "kubernetes_persistent_volume" "immich-typesense-tsdata" { metadata { name = "immich-typesense-tsdata" } spec { capacity = { "storage" = "5Gi" } access_modes = ["ReadWriteOnce"] persistent_volume_source { nfs { path = "/mnt/main/immich/typesense-tsdata" server = "10.0.10.15" } } } } resource "kubernetes_persistent_volume_claim" "immich" { metadata { name = "immich" namespace = "immich" } spec { access_modes = ["ReadWriteOnce"] resources { requests = { "storage" = "20Gi" } } volume_name = "immich" } } # If you're having issuewith typesens container exiting prematurely, increase liveliness check resource "helm_release" "immich" { namespace = "immich" name = "immich" repository = "https://immich-app.github.io/immich-charts" chart = "immich" atomic = true version = "0.8.4" # version = "0.7.2" timeout = 6000 values = [templatefile("${path.module}/chart_values.tpl", { postgresql_password = var.postgresql_password })] } resource "kubernetes_ingress_v1" "immich" { metadata { name = "immich" namespace = "immich" annotations = { "kubernetes.io/ingress.class" = "nginx" # "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth" # "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" # WARNING: When changing any of the below settings, ensure that large file uploads continue working "nginx.ingress.kubernetes.io/proxy-read-timeout" : "6000", "nginx.ingress.kubernetes.io/proxy-send-timeout" : "6000", "nginx.ingress.kubernetes.io/proxy-connect-timeout" : "6000" "nginx.ingress.kubernetes.io/client-max-body-size" : "0" # "nginx.ingress.kubernetes.io/proxy-body-size" : "5G", "nginx.ingress.kubernetes.io/proxy-body-size" : "0", # "nginx.ingress.kubernetes.io/proxy-buffering" : "on" # "nginx.ingress.kubernetes.io/proxy-max-temp-file-size" : "4096m" # "nginx.ingress.kubernetes.io/proxy-request-buffering" : "off" # "nginx.ingress.kubernetes.io/client-body-buffer-size" : "5G" # "nginx.ingress.kubernetes.io/proxy-buffer-size" : "16k" # "nginx.ingress.kubernetes.io/proxy-buffers-number" : "8" # "nginx.ingress.kubernetes.io/client-body-buffer-size" : "5000m" # "nginx.ingress.kubernetes.io/proxy-buffers-number" : "8" # "nginx.ingress.kubernetes.io/proxy-buffer-size" : "16k" # "nginx.ingress.kubernetes.io/proxy-body-size" : "0", # "nginx.ingress.kubernetes.io/affinity" : "cookie" # "nginx.ingress.kubernetes.io/affinity-mode" : "persistent" # "nginx.ingress.kubernetes.io/session-cookie-change-on-failure" : true # "nginx.ingress.kubernetes.io/session-cookie-expires" : 172800 # "nginx.ingress.kubernetes.io/session-cookie-max-age" : 172800 # "nginx.ingress.kubernetes.io/session-cookie-name" : "STICKY_SESSION" # "nginx.ingress.kubernetes.io/use-regex" : false "nginx.org/websocket-services" : "immich-server" "gethomepage.dev/enabled" = "true" "gethomepage.dev/description" = "Photos library" "gethomepage.dev/icon" = "immich.png" "gethomepage.dev/name" = "Immich" "gethomepage.dev/widget.type" = "immich" "gethomepage.dev/widget.url" = "https://immich.viktorbarzin.me" "gethomepage.dev/pod-selector" = "" "gethomepage.dev/widget.key" = var.homepage_token # location ~* \.(png|jpg|jpeg|gif|webp|svg)$ { # expires 1M; # add_header Cache-Control "public, max-age=31536000, immutable"; # } "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF proxy_cache static-cache; proxy_cache_valid 404 1m; proxy_cache_use_stale error timeout updating http_404 http_500 http_502 http_503 http_504; proxy_cache_bypass $http_x_purge; add_header X-Cache-Status $upstream_cache_status; EOF } } spec { tls { hosts = ["immich.viktorbarzin.me"] secret_name = var.tls_secret_name } rule { host = "immich.viktorbarzin.me" http { path { path = "/" backend { service { # name = "immich-proxy" name = "immich-server" # after v1.88 port { # number = 8080 # number = 3001 number = 2283 } } } } } } } } resource "kubernetes_ingress_v1" "photos" { metadata { name = "photos" namespace = "immich" annotations = { "kubernetes.io/ingress.class" = "nginx" "nginx.ingress.kubernetes.io/proxy-body-size" : "5000m" } } spec { tls { hosts = ["photos.viktorbarzin.me"] secret_name = var.tls_secret_name } rule { host = "photos.viktorbarzin.me" http { path { path = "/" backend { service { # name = "immich-proxy" name = "immich-server" # after v1.88 port { # number = 8080 number = 3001 } } } } } } } } resource "kubernetes_cron_job_v1" "postgresql-backup" { metadata { name = "postgresql-backup" namespace = "immich" } spec { concurrency_policy = "Replace" failed_jobs_history_limit = 5 schedule = "0 */6 * * *" # schedule = "* * * * *" starting_deadline_seconds = 10 successful_jobs_history_limit = 10 job_template { metadata {} spec { backoff_limit = 3 ttl_seconds_after_finished = 10 template { metadata {} spec { container { name = "postgresql-backup" image = "postgres:16.4-bullseye" command = ["/bin/sh", "-c", <<-EOT export now=$(date +"%Y_%m_%d_%H_%M") PGPASSWORD=${var.postgresql_password} pg_dumpall -h immich-postgresql -U immich > /backup/dump_$now.sql # Rotate - delete last log file cd /backup find . -name "dump_*.sql" -type f -mtime +14 -delete # 14 day retention of backups EOT ] volume_mount { name = "postgresql-backup" mount_path = "/backup" } } volume { name = "postgresql-backup" nfs { path = "/mnt/main/immich/data-immich-postgresql" server = "10.0.10.15" } } } } } } } } # POWER TOOLS resource "kubernetes_deployment" "powertools" { metadata { name = "powertools" namespace = "immich" labels = { app = "powertools" } annotations = { "reloader.stakater.com/search" = "true" } } spec { replicas = 1 strategy { type = "Recreate" } selector { match_labels = { app = "powertools" } } template { metadata { labels = { app = "powertools" } annotations = { "diun.enable" = "true" "diun.include_tags" = "latest" } } spec { container { image = "ghcr.io/varun-raj/immich-power-tools:latest" name = "owntracks" port { name = "http" container_port = 3000 } env { name = "IMMICH_API_KEY" value = "bLz8OIoRrtUFumDaBrXjkgwXkU5YoJBXcwRr8F90KQ" } env { name = "IMMICH_URL" # value = "http://immich-server.immich.svc.cluster.local" value = "http://10.109.73.214" } env { name = "EXTERNAL_IMMICH_URL" value = "https://immich.viktorbarzin.me" } env { name = "DB_USERNAME" value = "immich" } env { name = "DB_PASSWORD" value = var.postgresql_password } env { name = "DB_HOST" # value = "immich-postgresql.immich.svc.cluster.local" value = "10.102.122.16" } # env { # name = "DB_PORT" # value = "5432" # } env { name = "DB_DATABASE_NAME" value = "immich" } env { name = "NODE_ENV" value = "development" } } } } } } resource "kubernetes_service" "powertools" { metadata { name = "powertools" namespace = "immich" labels = { "app" = "powertools" } } spec { selector = { app = "powertools" } port { name = "http" port = 80 target_port = 3000 protocol = "TCP" } } } resource "kubernetes_ingress_v1" "powertools" { metadata { name = "powertools" namespace = "immich" annotations = { "kubernetes.io/ingress.class" = "nginx" "nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" "nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" "nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid" "nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;" } } spec { tls { hosts = ["immich-powertools.viktorbarzin.me"] secret_name = var.tls_secret_name } rule { host = "immich-powertools.viktorbarzin.me" http { path { path = "/" backend { service { name = "powertools" port { number = 80 } } } } } } } }