More fixes for immich

argo/immich/values.yaml

@@ -30,8 +30,10 @@ env:
     value: "immich"
   - name: TYPESENSE_ENABLED
     value: false
-  - name: IMMICH_WEB_URL
+  - name: PUBLIC_IMMICH_SERVER_URL
     value: "https;//photos.minhas.io"
+  - name: IMMICH_MACHINE_LEARNING_URL
+    value: false
   - name: DB_PASSWORD
     valueFrom:
       secretKeyRef:

manifests/photos.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: immich
+  name: immich
+...
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: serviceaccounttoken
+  namespace: immich
+  annotations:
+    kubernetes.io/service-account.name: "immich"
+...
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn-encrypted-retain
+  resources:
+    requests:
+      storage: 50Gi
+...

scripts/immich.sh

@@ -0,0 +1,21 @@
+#!/bin/bash -xe
+VAULT_AUTH_NAMESPACE="k8s-teapot"
+cat << EOH > immich.hcl
+path "kv/data/immich" {
+  capabilities = ["read"]
+}
+EOH
+vault policy write immich immich.hcl
+rm immich.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n immich -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/immich \
+    bound_service_account_names=immich \
+    bound_service_account_namespaces=immich \
+    policies=immich \
+    ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=immich jwt=${TOKEN} iss=https://${HOST_IP}:6443
+