[immich] Adds but disabled Immich because it's crashing on start-up

2025-09-25 17:23:01 -07:00 · 2025-09-25 17:23:01 -07:00 · 3b8e38e702
commit 3b8e38e702
parent 05c001081e
5 changed files with 114 additions and 30 deletions
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@ -23,6 +23,8 @@ matrix:
    blazestar-registration-token: ENC[AES256_GCM,data:TB3bR+E4H4c2l9pRcEOAZr35+vBVaJUcuCs9K0Pjd0aW+M35x5LgZ8+F99Y=,iv:e28sie6LSI5UX41BPb+yN+3n+Yw9Ssfsqe4zppwbPkU=,tag:cQPgZcRFbYSiZnmPVtZxHg==,type:str]
 tandoor:
    secret_key: ENC[AES256_GCM,data:nl7S2fS1wENrT5k2iZfLEAGc99lCUktgwR5L5KklF69BNVKQkW1rUgb3aIv50VpXZa+3OxV/vdPmG9NhKMy96I5+Dno=,iv:FFyGQBARz0B5zrONZELzUMsOIn8TWrDNTKGsAHPlS7w=,tag:/c4MnDfLXQpBZDqVxZ0DTg==,type:str]
+immich:
+    database: ENC[AES256_GCM,data:1fjOQsLZcq/T+r+AkzomWwCQWw==,iv:c4pn2rC+3xkxLJ7uAdhnTE6zVTRQkfuKK3tjUyDhfAw=,tag:kvk7DOv6X/+RDxfPxVak7w==,type:str]
 sops:
    age:
        - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@ -43,7 +45,7 @@ sops:
            by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
            vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-07T19:03:58Z"
-    mac: ENC[AES256_GCM,data:Rjb4uTow01fHFOcjKFBCvqpow+yAeSY0RymCoSFUNhavsE4HBqhw2acWsNkXqTQA1FxczJP5mtesYNzg7tQR2fN+a/T5jG7q5sC+RYQkDZPy5ECVxEv3J+BtXmMuKJS3YadiIy0iQTXiiwmYBo8cnKIDxQ75AQLoGCGxSr42NU8=,iv:aSevCC9kbYnTy9KuXcxjaeFmERa+qCn9E3ANCJ2CqoU=,tag:RC0H+lRWfBfOGX2VJoAfyg==,type:str]
+    lastmodified: "2025-09-25T22:21:11Z"
+    mac: ENC[AES256_GCM,data:1Ru10z/hiMNgzgbBpzuo6jNi5eF87nNMfryurO75k9PvYzsOX4iUwDQf/PppP/YP/g73HJdYaGGEzE8YxaSDtOnmf5qbQe1+5rZmHSO/iIZr/rfV3nkGfqxE4TpPlR/NXB5ktToe7GB6BF1AXwbVIbjWe6Ymsi6Dy2e56Ml1x7k=,iv:v3GV7TL2+BHWETD0mtUBpM/B6vIjNgLiNn45boBjNUg=,tag:a4MplFxRfBF10iwxVGVUOA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/system/hosts/mcp/containers/havenisms.com/default.nix
+++ b/system/hosts/mcp/containers/havenisms.com/default.nix
@ -2,6 +2,8 @@
 {
  imports = [
    ./chat.nix
+    # Currently disabled because it doesn't start up properly
+    # ./immich.nix
    ./storyden.nix
    ./tandoor.nix
  ];
--- a/system/hosts/mcp/containers/havenisms.com/immich.nix
+++ b/system/hosts/mcp/containers/havenisms.com/immich.nix
@ -0,0 +1,73 @@
+{ config, ... }:
+let
+  inherit (import ../lib.nix config) havenisms mkPostgresContainer;
+in
+{
+  imports = [
+    (mkPostgresContainer {
+      # Immich wants a custom build of postgres with the vectors extensions.
+      image = "ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:c44be5f2871c59362966d71eab4268170eb6f5653c0e6170184e72b38ffdf107";
+      name = "immich";
+      directory = "/tank/immich/db";
+      uid = config.users.users.immich.uid;
+      gid = config.users.groups.immich.gid;
+      passwordSecret = "immich/database";
+    })
+  ];
+
+  sops.secrets = {
+    "immich/database" = {
+      restartUnits = [
+        "${config.local.container-backend}-immich-db.service"
+      ];
+      mode = "0400";
+      owner = config.users.users.immich.name;
+    };
+  };
+
+  sops.templates."immich.env" = {
+    restartUnits = [ "${config.local.container-backend}-immich.service" ];
+    owner = config.users.users.immich.name;
+    content = ''
+      DB_HOSTNAME=immich-postgres
+      DB_PASSWORD=${config.sops.placeholder."immich/database"}
+      DB_USERNAME=immich
+      DB_DATABASE_NAME=immich
+      REDIS_HOSTNAME=immich-redis
+      IMMICH_LOG_LEVEL=verbose
+    '';
+  };
+
+  virtualisation.web-containers.containers.immich = {
+    image = "ghcr.io/immich-app/immich-server:release";
+    hostname = "immich";
+    domain = havenisms;
+    port = 2283;
+    volumes = [
+      "/tank/photos/immich:/data"
+      "/etc/localtime:/etc/localtime:ro"
+    ];
+    dependsOn = [
+      "immich-redis"
+      "immich-postgres"
+    ];
+    environmentFiles = [
+      "${config.sops.templates."immich.env".path}"
+    ];
+  };
+
+  virtualisation.oci-containers.containers = {
+    "immich-redis" = {
+      image = "docker.io/valkey/valkey";
+    };
+    "immich-machine-learning" = {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      volumes = [
+        "model-cache:/cache"
+      ];
+      environmentFiles = [
+        "${config.sops.templates."immich.env".path}"
+      ];
+    };
+  };
+}
--- a/system/hosts/mcp/containers/lib.nix
+++ b/system/hosts/mcp/containers/lib.nix
@ -70,15 +70,14 @@ in
        extraOptions
        ;
      autoStart = true;
-      labels =
-        {
-          "traefik.enable" = "true";
-          "traefik.http.routers.${hostName}.rule" = "${routerRule}";
-          "traefik.http.services.${hostName}.loadbalancer.server.port" = "${toString port}";
-        }
-        // oauthLabels
-        // homepageLabels
-        // extraLabels;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.${hostName}.rule" = "${routerRule}";
+        "traefik.http.services.${hostName}.loadbalancer.server.port" = "${toString port}";
+      }
+      // oauthLabels
+      // homepageLabels
+      // extraLabels;
    };

  # Creates a MariaDB container for a specific app. It should be safe to give
@ -127,11 +126,12 @@ in
      containerName ? "${name}-postgres",
      databaseName ? name,
      username ? name,
+      image ? "postgres",
    }:
    { config, ... }:
    {
      virtualisation.oci-containers.containers."${containerName}" = {
-        image = "postgres";
+        inherit image;
        autoStart = true;
        volumes = [
          # Note that data must be mounted at this location to persist.
--- a/system/hosts/mcp/containers/users.nix
+++ b/system/hosts/mcp/containers/users.nix
@ -1,4 +1,5 @@
-{ pkgs, ... }: let
+{ pkgs, ... }:
+let
  systemUsers = {
    gitea = {
      uid = 2001;
@ -19,6 +20,7 @@
      home = "/tank/web";
      packages = [ pkgs.git ];
    };
+    immich = 2009;
  };

  mkUser = name: value: {
@ -27,25 +29,30 @@
    description = "System User for ${name}";
    group = "${name}";
    shell = value.shell or null;
-    extraGroups = value.extraGroups or [];
-    openssh.authorizedKeys.keys = value.authorizedKeys or [];
+    extraGroups = value.extraGroups or [ ];
+    openssh.authorizedKeys.keys = value.authorizedKeys or [ ];
    home = value.home or "/var/empty";
-    packages = value.packages or [];
+    packages = value.packages or [ ];
  };
-  mkGroup = name: value: let
-    # 1. Value if int
-    # 2. "gid" if present
-    # 3. "uid"
-    gid =
-      if builtins.isInt value
-      then value
-      else if builtins.hasAttr "gid" value
-        then value.gid
-        else value.uid;
-  in {
-    inherit gid;
-  };
-in {
+  mkGroup =
+    name: value:
+    let
+      # 1. Value if int
+      # 2. "gid" if present
+      # 3. "uid"
+      gid =
+        if builtins.isInt value then
+          value
+        else if builtins.hasAttr "gid" value then
+          value.gid
+        else
+          value.uid;
+    in
+    {
+      inherit gid;
+    };
+in
+{
  users.users = builtins.mapAttrs mkUser systemUsers;
  users.groups = (builtins.mapAttrs mkGroup systemUsers) // {
    # Legacy groups.