From 2cd5e208a25fd81499089a11a52ab024c5ce0dfc Mon Sep 17 00:00:00 2001
From: Amarpreet Minhas
Date: Wed, 19 Jul 2023 20:44:37 +0000
Subject: [PATCH] More fixes for immich
---
 argo/immich/values.yaml | 4 +++-
 manifests/photos.yaml | 31 +++++++++++++++++++++++++++++++
 scripts/immich.sh | 21 +++++++++++++++++++++
 3 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 manifests/photos.yaml
 create mode 100755 scripts/immich.sh
diff --git a/argo/immich/values.yaml b/argo/immich/values.yaml
index 2a9cc20..148eeeb 100644
--- a/argo/immich/values.yaml
+++ b/argo/immich/values.yaml
@@ -30,8 +30,10 @@ env:
 value: "immich"
 - name: TYPESENSE_ENABLED
 value: false
- - name: IMMICH_WEB_URL
+ - name: PUBLIC_IMMICH_SERVER_URL
 value: "https;//photos.minhas.io"
+ - name: IMMICH_MACHINE_LEARNING_URL
+ value: false
 - name: DB_PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/manifests/photos.yaml b/manifests/photos.yaml
new file mode 100644
index 0000000..508b2f4
--- /dev/null
+++ b/manifests/photos.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: immich
+ name: immich
+...
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: serviceaccounttoken
+ namespace: immich
+ annotations:
+ kubernetes.io/service-account.name: "immich"
+...
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: immich
+ namespace: immich
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn-encrypted-retain
+ resources:
+ requests:
+ storage: 50Gi
+...
diff --git a/scripts/immich.sh b/scripts/immich.sh
new file mode 100755
index 0000000..fda4b87
--- /dev/null
+++ b/scripts/immich.sh
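Review bot: The value now published under `PUBLIC_IMMICH_SERVER_URL` is still `"https;//photos.minhas.io"`, with a semicolon where the scheme separator belongs, so the renamed variable carries a malformed URL; it should read `value: "https://photos.minhas.io"`. The added `IMMICH_MACHINE_LEARNING_URL` entry uses a bare `value: false`, which YAML parses as a boolean rather than the string the container environment expects. Unless the chart stringifies env values (the template is not visible here), write `value: "false"`; the existing `TYPESENSE_ENABLED` entry has the same shape. The `env:` list begins and ends outside this hunk.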
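Review bot: The `serviceaccounttoken` Secret of type `kubernetes.io/service-account-token` makes Kubernetes mint a non-expiring token for the `immich` service account, and that token stays valid until the Secret is deleted. From what is visible in this commit its only consumer is the Vault login check in `scripts/immich.sh`, where a short-lived token from `kubectl create token immich -n immich` would serve the same purpose without leaving a standing credential in the namespace. If the long-lived token is really needed, add a comment above the Secret such as `# Long-lived SA token used by scripts/immich.sh for Vault login; rotate by deleting this Secret` and make sure RBAC on Secrets in `immich` is restricted accordingly.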
@@ -0,0 +1,21 @@
+#!/bin/bash -xe
+VAULT_AUTH_NAMESPACE="k8s-teapot"
+cat << EOH > immich.hcl
+path "kv/data/immich" {
+ capabilities = ["read"]
+}
+EOH
+vault policy write immich immich.hcl
+rm immich.hcl
+
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n immich -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/immich \
+ bound_service_account_names=immich \
+ bound_service_account_namespaces=immich \
+ policies=immich \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=immich jwt=${TOKEN} iss=https://${HOST_IP}:6443
+
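Review bot: The shebang `#!/bin/bash -xe` enables xtrace for the whole script, so the decoded service-account JWT is echoed to stderr at the final `vault write ... jwt=${TOKEN}` line, and it also sits in that command's argument list while it runs. Drop `-x` (or bracket the token handling with `set +x` / `set -x`) and pass the JWT on stdin instead, e.g. `printf '%s' "$TOKEN" | vault write "auth/${VAULT_AUTH_NAMESPACE}/login" role=immich jwt=-`. The login response itself prints a Vault client token, so this script's output should not be kept in shared or CI logs. `iss=` does not look like a parameter of the login endpoint; if the intent was to set the issuer, it probably belongs on the auth method's config, which is worth confirming since `HOST_IP` is computed only for it.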