2026-06-21 05:53:58 -04:00
|
|
|
app:
|
|
|
|
|
id: immich-postgres
|
|
|
|
|
name: Immich Postgres
|
|
|
|
|
version: "14-vectorchord0.4.3-pgvectors0.2.0"
|
|
|
|
|
description: Postgres (pgvecto.rs / vectorchord) backend for Immich.
|
|
|
|
|
|
2026-06-21 09:20:38 -04:00
|
|
|
# Container named immich_postgres (underscore) to match the runtime's existing
|
|
|
|
|
# per-app references (lifecycle/health/crash-recovery/config) and serve as the
|
|
|
|
|
# server's DB_HOSTNAME alias. Top-level key → serde(flatten) → extensions →
|
|
|
|
|
# compute_container_name.
|
|
|
|
|
container_name: immich_postgres
|
2026-06-21 05:53:58 -04:00
|
|
|
|
|
|
|
|
container:
|
|
|
|
|
image: 146.59.87.168:3000/lfg2025/immich-postgres:14-vectorchord0.4.3-pgvectors0.2.0
|
|
|
|
|
pull_policy: if-not-present
|
|
|
|
|
network: archy-net
|
feat(immich): manifest-driven stack via orchestrator — live-migrated on .228
Completes the immich migration off the legacy hardcoded install_immich_stack
(podman run + sudo chown) to the registry-manifest + orchestrator path. Validated
live on .228 (clean single set, healthy v2.7.4, data dir ownership correct).
- install_immich_stack now tries install_stack_via_orchestrator(immich_stack_app_ids)
first; legacy remains only as the no-manifests fallback.
- immich-{postgres,redis,server} manifests corrected from live findings:
* named by app_id (dropped container_name override) — using container_name
spawned DUPLICATE containers (app_id-named install vs name-override reconcile)
on the same PGDATA, which corrupted a postgres cluster. Server reaches its
siblings via app_id aliases (DB_HOSTNAME=immich-postgres, REDIS=immich-redis).
* immich-postgres data_uid 100998:100998 (postgres drops to container 999 →
host 100998 under rootless; verified the fresh dir is chowned correctly).
* immich-server version "release"→"2.7.4" (manifest validation requires a digit;
the bad version made the manifest silently skip → partial orchestrator install
→ legacy fallback → the duplicate corruption above).
- HARDEN install_stack_via_orchestrator: only fall back to the legacy installer
when NOTHING was installed yet. An "unknown app_id" AFTER a member is up now
errors instead of double-creating containers on shared data (the corruption
root cause).
- Strict the all-manifests round-trip test: fail (not skip) on any invalid shipped
manifest — this gap let the bad immich-server version through.
Known follow-up (pre-existing, platform-wide): orchestrator-installed backends
(immich, btcpay-db) run as podman --restart, not Quadlet, and podman-restart.service
is disabled on .228 → reboot-survival gap independent of this migration.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 07:08:45 -04:00
|
|
|
# postgres drops to its own uid (container 999 → host 100998 under rootless),
|
|
|
|
|
# so the data dir must be owned by that mapped uid — mirrors archy-btcpay-db.
|
|
|
|
|
# Verified on .228: the live immich-db is owned 100998. Without this a FRESH
|
|
|
|
|
# install's dir would be service-user-owned and postgres would EACCES.
|
|
|
|
|
data_uid: "100998:100998"
|
2026-06-21 05:53:58 -04:00
|
|
|
generated_secrets:
|
|
|
|
|
- name: immich-db-password
|
|
|
|
|
kind: hex32
|
|
|
|
|
secret_env:
|
|
|
|
|
- key: POSTGRES_PASSWORD
|
|
|
|
|
secret_file: immich-db-password
|
|
|
|
|
|
|
|
|
|
dependencies:
|
|
|
|
|
- storage: 40Gi
|
|
|
|
|
|
|
|
|
|
resources:
|
|
|
|
|
memory_limit: 2Gi
|
|
|
|
|
disk_limit: 40Gi
|
|
|
|
|
|
|
|
|
|
security:
|
|
|
|
|
capabilities: [CHOWN, DAC_OVERRIDE, FOWNER, SETGID, SETUID]
|
|
|
|
|
readonly_root: false
|
|
|
|
|
network_policy: isolated
|
|
|
|
|
|
|
|
|
|
ports: []
|
|
|
|
|
|
|
|
|
|
volumes:
|
|
|
|
|
- type: bind
|
|
|
|
|
source: /var/lib/archipelago/immich-db
|
|
|
|
|
target: /var/lib/postgresql/data
|
|
|
|
|
options: [rw]
|
|
|
|
|
|
|
|
|
|
environment:
|
|
|
|
|
- POSTGRES_USER=postgres
|
|
|
|
|
- POSTGRES_DB=immich
|
|
|
|
|
|
|
|
|
|
health_check:
|
|
|
|
|
type: tcp
|
|
|
|
|
endpoint: localhost:5432
|
|
|
|
|
interval: 30s
|
|
|
|
|
timeout: 5s
|
|
|
|
|
retries: 3
|