feat(immich): scaffold registry manifests for postgres/redis/server (not yet live)

immich becomes a manifest-driven stack (the legacy install_immich_stack — hardcoded
podman run + sudo chown — is the anti-pattern being retired). Three image-only
manifests modelled on the btcpay stack + the live .228 container config:

- immich-postgres / immich-redis / immich-server on archy-net; container_name set
  to the underscore form (immich_postgres/_redis/_server) so the server's
  DB_HOSTNAME/REDIS_HOSTNAME aliases resolve.
- generated_secrets: [immich-db-password] (idempotent — reuses the live secret on
  existing nodes; postgres is already initialised with it).
- server depends on postgres+redis (install ordering); upload bind preserved.

Inert for now: not added to the UI catalog and install_immich_stack still the
default, so nothing installs these until the orchestrator wiring + on-node
ownership (data_uid) validation lands. Schema validated by the all-manifests
round-trip test. See docs/PRODUCTION-MASTER-PLAN.md §6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
archipelago 2026-06-21 05:53:58 -04:00
parent 7bfbe8fe40
commit 011081d180
3 changed files with 158 additions and 0 deletions

View File

@ -0,0 +1,52 @@
app:
id: immich-postgres
name: Immich Postgres
version: "14-vectorchord0.4.3-pgvectors0.2.0"
description: Postgres (pgvecto.rs / vectorchord) backend for Immich.
# The Immich server connects via DB_HOSTNAME=immich_postgres, so the container
# name (and thus its archy-net alias) must be the underscore form.
extensions:
container_name: immich_postgres
container:
image: 146.59.87.168:3000/lfg2025/immich-postgres:14-vectorchord0.4.3-pgvectors0.2.0
pull_policy: if-not-present
network: archy-net
generated_secrets:
- name: immich-db-password
kind: hex32
secret_env:
- key: POSTGRES_PASSWORD
secret_file: immich-db-password
dependencies:
- storage: 40Gi
resources:
memory_limit: 2Gi
disk_limit: 40Gi
security:
capabilities: [CHOWN, DAC_OVERRIDE, FOWNER, SETGID, SETUID]
readonly_root: false
network_policy: isolated
ports: []
volumes:
- type: bind
source: /var/lib/archipelago/immich-db
target: /var/lib/postgresql/data
options: [rw]
environment:
- POSTGRES_USER=postgres
- POSTGRES_DB=immich
health_check:
type: tcp
endpoint: localhost:5432
interval: 30s
timeout: 5s
retries: 3

View File

@ -0,0 +1,37 @@
app:
id: immich-redis
name: Immich Redis
version: "7-alpine"
description: Valkey (Redis-compatible) cache for Immich.
# Immich server connects via REDIS_HOSTNAME=immich_redis — alias must match.
extensions:
container_name: immich_redis
container:
image: 146.59.87.168:3000/lfg2025/valkey:7-alpine
pull_policy: if-not-present
network: archy-net
dependencies: []
resources:
memory_limit: 128Mi
security:
capabilities: [SETGID, SETUID]
readonly_root: false
network_policy: isolated
ports: []
volumes: []
environment: []
health_check:
type: tcp
endpoint: localhost:6379
interval: 30s
timeout: 5s
retries: 3

View File

@ -0,0 +1,69 @@
app:
id: immich-server
name: Immich
version: "release"
description: Self-hosted photo and video backup with mobile apps and search.
extensions:
container_name: immich_server
container:
image: 146.59.87.168:3000/lfg2025/immich-server:release
pull_policy: if-not-present
network: archy-net
secret_env:
- key: DB_PASSWORD
secret_file: immich-db-password
dependencies:
- app_id: immich-postgres
- app_id: immich-redis
- storage: 200Gi
resources:
memory_limit: 2Gi
disk_limit: 200Gi
security:
capabilities: []
readonly_root: false
network_policy: isolated
ports:
- host: 2283
container: 2283
protocol: tcp
volumes:
- type: bind
source: /var/lib/archipelago/immich
target: /usr/src/app/upload
options: [rw]
environment:
- DB_HOSTNAME=immich_postgres
- DB_USERNAME=postgres
- DB_DATABASE_NAME=immich
- REDIS_HOSTNAME=immich_redis
- UPLOAD_LOCATION=/usr/src/app/upload
health_check:
type: http
endpoint: http://localhost:2283
path: /api/server/ping
interval: 30s
timeout: 5s
retries: 20
interfaces:
main:
name: Web UI
description: Immich photo library
type: ui
port: 2283
protocol: http
path: /
metadata:
launch:
open_in_new_tab: true