SYS-677 immich photo manager

.image-gitlab-ci.yml

@@ -4,7 +4,7 @@ variables:
   IMAGE: {{ IMAGE }}
   PLATFORMS: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7
   REGISTRY: $REGISTRY_URI/$CI_PROJECT_PATH
-  TRIVY_VERSION: 0.68.2
+  TRIVY_VERSION: 0.70.0
 
 stages:
   - Static Code Analysis
@@ -13,7 +13,7 @@ stages:
   - Security Scan
   - Promote Image
 
-image: docker:29.1.5
+image: docker:29.5.2
 
 .registry_template: &registry_login
   before_script:

README.md

@@ -101,6 +101,7 @@ The cluster-deployment tools here include helm charts and ansible playbooks to s
 | Service | Version | Notes |
 | --- | --- | --- |
 | davite | [![](https://img.shields.io/docker/v/instantlinux/davite?sort=date)](https://hub.docker.com/r/instantlinux/davite "Version badge") | party-invites manager like eVite |
+| immich | ** | immich self-hosted photo/video manager |
 | mythtv-backend | [![](https://img.shields.io/docker/v/instantlinux/mythtv-backend?sort=date)](https://hub.docker.com/r/instantlinux/mythtv-backend "Version badge") | MythTV backend |
 | OwnTone | ** | iTunes server (formerly forked-daapd) |
 | weewx | [![](https://img.shields.io/docker/v/instantlinux/weewx?sort=date)](https://hub.docker.com/r/instantlinux/weewx "Version badge") | Weather station software (Davis VantagePro2 etc.) |

ansible/roles/kubernetes/templates/kubeadm-config-cplane.j2

@@ -55,7 +55,7 @@ apiServer:
   - name: oidc-groups-prefix
     value: {{ oidc.group_prefix }}
   - name: oidc-ca-file
-    value: {{ oidc.ca-file }}
+    value: {{ oidc.ca_file }}
   extraVolumes:
   - name: local-config
     hostPath: "/etc/kubernetes/local"

ansible/roles/ntp/defaults/main.yml

@@ -3,6 +3,7 @@
 ntp_defaults:
   driftfile: /var/lib/ntpsec/ntp.drift
   leapfile: /usr/share/zoneinfo/leap-seconds.list
+  log_level: warn
   query_ok:
   - localhost
   - ::1

ansible/roles/ntp/templates/ntp.toml.j2

@@ -1,6 +1,6 @@
 {{ ansible_managed | comment }}
 [observability]
-log-level = "info"
+log-level = "{{ ntp.log_level }}"
 observation-path = "/var/run/ntpd-rs/observe"
 
 {% if 'servers' in ntp %}

ansible/roles/volumes/defaults/main.yml

@@ -5,13 +5,16 @@
 fs_type: ext4
 
 # LUKS-encrypted volumes
-luks_volumes: {}
+luks_volume_defaults: {}
 # example-volume:
 #   inodes: 100
 #   path: {{ local_k8s_root }}/backup
 #   size: 5000
 #   vg: "{{ luks_vg }}"
 
+luks_volume_additions: {}
+luks_volumes: "{{ luks_volume_defaults | combine(luks_volume_additions) }}"
+
 # Unencrypted local volumes
 local_volumes:
   tmpfs:

images/dhcpd-dns-pxe/Dockerfile

@@ -7,8 +7,8 @@ LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \
     org.label-schema.name=dhcpd-dns-pxe \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
-ARG KEA_VERSION=3.0.2-r0
-ARG DNSMASQ_VERSION=2.91-r0
+ARG KEA_VERSION=3.0.3-r0
+ARG DNSMASQ_VERSION=2.91-r1
 
 ENV DB_HOST=db00 \
     DB_NAME=kea \

images/dhcpd-dns-pxe/helm/Chart.yaml

@@ -7,8 +7,8 @@ sources:
 - https://source.isc.org/git/dhcp.git
 - http://thekelleys.org.uk/gitweb/?p=dnsmasq.git
 type: application
-version: 0.2.1
-appVersion: "3.0.2-r0-2.91-r0"
+version: 0.2.2
+appVersion: "3.0.3-r0-2.91-r1"
 dependencies:
 - name: chartlib
   version: 0.1.8

images/haproxy-keepalived/Dockerfile

@@ -1,4 +1,4 @@
-FROM haproxy:3.3.6-alpine
+FROM haproxy:3.3.10-alpine
 ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \

images/haproxy-keepalived/helm/Chart.yaml

@@ -7,8 +7,8 @@ sources:
 - https://github.com/haproxy/haproxy
 - https://github.com/acassen/keepalived
 type: application
-version: 0.1.21
-appVersion: "3.3.6-alpine-2.3.4-r3"
+version: 0.1.22
+appVersion: "3.3.10-alpine-2.3.4-r3"
 dependencies:
 - name: chartlib
   version: 0.1.8

images/mysqldump/Dockerfile

@@ -18,7 +18,7 @@ ENV HOUR=3 MINUTE=30 \
     TZ=UTC
 ARG UID=210
 ARG BACKUP_GID=34
-ARG CLIENT_VERSION=11.4.10-r0
+ARG CLIENT_VERSION=11.4.11-r0
 
 RUN RMGROUP=$(grep :$BACKUP_GID: /etc/group | cut -d: -f 1) && \
     [ -z "$RMGROUP" ] || delgroup $RMGROUP && \

images/mysqldump/helm/Chart.yaml

@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/mariadb/server/tree/10.5/client
 type: application
-version: 0.1.16
-appVersion: "11.4.10-r0"
+version: 0.1.17
+appVersion: "11.4.11-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

images/nut-upsd/Dockerfile

@@ -38,8 +38,8 @@ RUN echo '@edge http://dl-cdn.alpinelinux.org/alpine/edge/main' \
       >>/etc/apk/repositories && \
     apk add --no-cache dash && \
     apk add --update --no-cache nut=$NUT_VERSION \
-      busybox curl linux-pam \
-      libcrypto3 libssl3 \
+      busybox curl@edge linux-pam \
+      libcrypto3 libexpat@edge libssl3 \
       libusb musl@edge net-snmp-libs util-linux \
       musl-utils@edge nghttp2-libs@edge
 

images/openldap/Dockerfile

@@ -8,7 +8,7 @@ LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG OPENLDAP_VERSION=2.6.10-r0
+ARG OPENLDAP_VERSION=2.6.13-r0
 ENV SLAPD_DN_ATTR=uid \
     SLAPD_FQDN=example.com \
     SLAPD_LOG_LEVEL=Config,Stats \

images/openldap/helm/Chart.yaml

@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://git.openldap.org/openldap/openldap
 type: application
-version: 0.1.8
-appVersion: "2.6.10-r0"
+version: 0.1.9
+appVersion: "2.6.13-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

images/proftpd/Dockerfile

@@ -8,7 +8,7 @@ LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG PROFTPD_VERSION=1.3.9-r1
+ARG PROFTPD_VERSION=1.3.9a-r1
 
 ENV ALLOW_OVERWRITE=on \
     ANONYMOUS_DISABLE=off \

images/proftpd/helm/Chart.yaml

@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/proftpd/proftpd
 type: application
-version: 0.1.12
-appVersion: "1.3.9-r1"
+version: 0.1.13
+appVersion: "1.3.9a-r1"
 dependencies:
 - name: chartlib
   version: 0.1.8

images/samba-dc/Dockerfile

@@ -24,7 +24,7 @@ ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
     WINBIND_USE_DEFAULT_DOMAIN=yes \
     WORKGROUP=AD
 
-ARG SAMBA_VERSION=4.22.8-r0
+ARG SAMBA_VERSION=4.22.10-r0
 
 COPY *.conf.j2 /root/
 COPY entrypoint.sh /usr/local/bin/

images/samba-dc/helm/Chart.yaml

@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - ttps://gitlab.com/samba-team/samba
 type: application
-version: 0.1.17
-appVersion: "4.22.8-r0"
+version: 0.1.18
+appVersion: "4.22.10-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

images/samba/Dockerfile

@@ -8,7 +8,7 @@ LABEL org.opencontainers.image.authors="Rich Braun docker@instantlinux.net" \
     org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
 
-ARG SAMBA_VERSION=4.22.8-r0
+ARG SAMBA_VERSION=4.22.10-r0
 ENV LOGON_DRIVE=H \
     NETBIOS_NAME=samba \
     SERVER_STRING="Samba Server" \

images/samba/helm/Chart.yaml

@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://gitlab.com/samba-team/samba
 type: application
-version: 0.1.17
-appVersion: "4.22.8-r0"
+version: 0.1.18
+appVersion: "4.22.10-r0"
 dependencies:
 - name: chartlib
   version: 0.1.8

k8s/Makefile.vars

@@ -46,5 +46,5 @@ export PORT_DOVECOT_IMAPD    ?= 843
 export PORT_DOVECOT_IMAPS    ?= 993
 export PORT_DOVECOT_SMTP     ?= 825
 export PORT_GIT_SSH          ?= 8999
-export PORT_POSTFIX_INTERNAL ?= 3425
+# export PORT_POSTFIX_INTERNAL ?= 3425
 export PORT_POSTFIX_EXTERNAL ?= 3525

k8s/README.md

@@ -37,7 +37,7 @@ kubeadm suite:
 * Local-volume sync
 * Automatic certificate issuing/renewal with Letsencrypt
 
-Helm has become the standard mechanism for deploying kubernetes resources. This repo provides a library, chartlib, which handles almost all of the logic and tedium of golang templating. Look in the values.yaml file of each of the helm charts published here for parameters that you can override by supplying a helm overrides yaml file.
+Helm has become the standard mechanism for deploying kubernetes resources. This repo provides a time-tested library, [chartlib](https://github.com/instantlinux/docker-tools/tree/main/k8s/helm/chartlib), which provides a simple abstraction for almost all of the logic and tedium of golang templating. Look in the values.yaml file of each of the helm charts published here for parameters that you can override by supplying a helm overrides yaml file. Most chart libraries you find online are over-complicated and constantly changing; this library has survived years of changes in Kubernetes releases without needing modification.
 
 ### Requirements and cost
 

k8s/helm/gitea/Chart.yaml

@@ -6,8 +6,8 @@ sources:
 - https://github.com/instantlinux/docker-tools
 - https://github.com/go-gitea/gitea
 type: application
-version: 0.1.8
-appVersion: 1.25.3-rootless
+version: 0.1.9
+appVersion: 1.26.2-rootless
 dependencies:
 - name: chartlib
   version: 0.1.8

k8s/helm/immich/.helmignore

@@ -0,0 +1,2 @@
+*~
+.git

k8s/helm/immich/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: immich
+description: Immich media server
+home: https://github.com/instantlinux/docker-tools
+sources:
+- https://github.com/immich-app/immich
+- https://github.com/instantlinux/docker-tools
+type: application
+version: 0.1.0
+# Reminder, update tag for ml instance in values.yaml
+appVersion: v2.7.5
+dependencies:
+- name: chartlib
+  version: 0.1.8
+  repository: https://instantlinux.github.io/docker-tools
+- name: ml
+  version: 0.1.0
+  repository: file://subcharts/ml
+- name: postgres
+  version: 0.1.0
+  repository: file://subcharts/postgres
+- name: valkey
+  version: 0.1.0
+  repository: file://subcharts/valkey

k8s/helm/immich/subcharts/ml/.helmignore

@@ -0,0 +1,2 @@
+*~
+.git

k8s/helm/immich/subcharts/ml/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: ml
+description: Immich machine-learning
+home: https://github.com/instantlinux/docker-tools
+sources:
+- https://github.com/instantlinux/docker-tools
+- ghcr.io/immich-app/immich-machine-learning
+type: application
+version: 0.1.0
+# specify version tag from hub.docker.com in top-level values.yaml
+appVersion: "0.0.1"
+dependencies:
+- name: chartlib
+  version: 0.1.8
+  repository: https://instantlinux.github.io/docker-tools

k8s/helm/immich/subcharts/ml/templates/NOTES.txt

@@ -0,0 +1,28 @@
+{{- if hasKey .Values "service" }}
+{{- if or .Values.service.enabled (not (hasKey .Values.service "enabled")) }}
+1. Get the application URL by running these commands:
+{{- if hasKey .Values "ingress" }}
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "local.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "local.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "local.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "local.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

k8s/helm/immich/subcharts/ml/templates/app.yaml

@@ -0,0 +1,15 @@
+{{- include "chartlib.configmap" . }}
+---
+{{- include "chartlib.deployment" . }}
+---
+{{- include "chartlib.hpa" . }}
+---
+{{- include "chartlib.ingress" . }}
+---
+{{- include "chartlib.ingresstotp" . }}
+---
+{{- include "chartlib.service" . }}
+---
+{{- include "chartlib.serviceaccount" . }}
+---
+{{- include "chartlib.statefulset" . }}

k8s/helm/immich/subcharts/ml/templates/tests/test-connection.yaml

@@ -0,0 +1,17 @@
+{{- if hasKey .Values "service" }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "local.fullname" . }}-test-connection"
+  labels:
+    {{- include "local.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "local.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
+{{- end }}