From 92bacccadb2fc535084263e9b5cd0a6735120606 Mon Sep 17 00:00:00 2001
From: Daniel Cosme
Date: Thu, 30 Apr 2026 18:18:09 -0400
Subject: [PATCH] Add Immich Cluster Role and Secret
---
 apps/hydra/linkding/kuztomization.yaml | 2 +-
 apps/hydra/secrets/immich-db.yaml | 23 +++++++++++++++++++
 apps/hydra/secrets/kuztomization.yaml | 1 +
 apps/hydra/secrets/linkding.yaml | 18 +++++++--------
 apps/hydra/secrets/truenas-csi.yaml | 16 ++++++-------
 .../hydra/cloud-native-pg/pg-cluster.yaml | 6 ++++-
 .../hydra/truenas-csi/kuztomization.yaml | 12 +++++-----
 pkg/cnpg/cluster.go | 10 +++++++-
 8 files changed, 62 insertions(+), 26 deletions(-)
 create mode 100644 apps/hydra/secrets/immich-db.yaml
diff --git a/apps/hydra/linkding/kuztomization.yaml b/apps/hydra/linkding/kuztomization.yaml
index 61fcd21..50feba8 100644
--- a/apps/hydra/linkding/kuztomization.yaml
+++ b/apps/hydra/linkding/kuztomization.yaml
@@ -4,7 +4,7 @@ metadata:
 name: linkding
 namespace: linkding
 resources:
-- namespace.yaml
 - srv.yaml
 - pvc.yaml
 - deployment.yaml
+- namespace.yaml
diff --git a/apps/hydra/secrets/immich-db.yaml b/apps/hydra/secrets/immich-db.yaml
new file mode 100644
index 0000000..10630bd
--- /dev/null
+++ b/apps/hydra/secrets/immich-db.yaml
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: immich + namespace: cnpg-system +stringData: + db_password: ENC[AES256_GCM,data:UUHuRIePSoOOxnla+A99xknb+jO3pDsWGh6ayhRXdq5j48TbzTXaCQ==,iv:I0mKgTs8TDZX9Xfzk7LMBocCbdPv+KJkVpHu2NjNP0I=,tag:97scyt6REfIKcVStRoMdeg==,type:str] + db_username: ENC[AES256_GCM,data:KqRpNF49,iv:7MCP/Z2NYIzfAAHSEaEzlXbmgbonP6qucHicR/9/yD8=,tag:ySljEz/xBwM1L8WFpr7sqA==,type:str] +sops: + age: + - recipient: age1lelpkv7u2xh5wezuwp09fmf9gsa8gp4rzy92jz0t203au82a7u5sutsjwa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUHhXb05PVjlvTXVzbWlJ + ZGFvSjh3ZjM1WXpuY3hYNjF4YUl1UmwyT1ZvCnFkeENINWl3Z1dSUDY4VW84WXlD + L3d0Qk0yL0pnTDBKOENKeldzZkpncDgKLS0tIGUvaTZlcHFVU0RETU5waWsyanFp + Ti9iSkNMdWRjWXljU3pxcHduUnhsQTgKe+0pzlKJ3mITrBMmcW1wASVpd99z4rvb + 94iv/WgCJtD4T2qTaAcxbJY+hz58dA7Qnwm27d64wccZOMVgNR1WcA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-04-30T22:17:42Z" + mac: ENC[AES256_GCM,data:0AGAGfq4nC/Sxu9Jx6YZtsdM1CaMiZdbJcv/wyA+FzsCR962fpN1fCLQBFqQa39AKwL1OQGxWzq3QHnu7/4xCpiTP3fiU8n01rD0itdXF/POz9XIhixfsk1abCO1jikEcklj9f3sRLsa5+oKELKAtVomoOYKzQDK2GQbTNX0a3k=,iv:TuZKioijtYAzkWky6taii20j7JGbq7EeSvHqZaNVPew=,tag:MZOOYF3ha7/2xKsYPWtI3g==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/apps/hydra/secrets/kuztomization.yaml b/apps/hydra/secrets/kuztomization.yaml index 653bee8..184c88b 100644 --- a/apps/hydra/secrets/kuztomization.yaml +++ b/apps/hydra/secrets/kuztomization.yaml @@ -5,3 +5,4 @@ metadata: resources: - linkding.yaml - truenas-csi.yaml +- immich-db.yaml diff --git a/apps/hydra/secrets/linkding.yaml b/apps/hydra/secrets/linkding.yaml index 7565846..27b1ad9 100644 --- a/apps/hydra/secrets/linkding.yaml +++ b/apps/hydra/secrets/linkding.yaml 
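Review bot: The new Secret in `apps/hydra/secrets/immich-db.yaml` has no `type:` and stores the credentials under `db_username` / `db_password`, which is probably not what the managed role's `passwordSecret` reference will read. As far as I know CloudNativePG expects a `kubernetes.io/basic-auth` Secret with `username` and `password` keys, where `username` equals the role name (`immich` here); with the current keys the operator would likely fail to reconcile the role or leave it without the intended password. I would add `type: kubernetes.io/basic-auth` and rename the two keys to `username` and `password` before encrypting. The reference is a local one, so the Secret must also sit in the Cluster's own namespace; the hunk places it in `cnpg-system`, and the Cluster's namespace is not visible in this patch.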
@@ -4,20 +4,20 @@ metadata: name: linkding namespace: linkding stringData: - supe_user_name: ENC[AES256_GCM,data:XvTjgXWqxeY7kTdEu4ez3/w=,iv:7v9BWmQpqnNYYdWPyD07xIcHoJAwkrGq11d2wP49j14=,tag:GyZtZme1DheHjNFuBp7nbA==,type:str] - supe_user_password: ENC[AES256_GCM,data:ATUaLra8h2OFUP8DkRG5kvPqR+OZKzbGZRQ60ECrCTkh+//M81o0GBrX0Nc=,iv:UzKVJRYWjKhEs50GNkijG0XiPAkiGKXWtqHZSEFYEpY=,tag:ROali/QL3ihSyWgSXh091w==,type:str] + supe_user_name: ENC[AES256_GCM,data:kDeIwS4IcrXPPO6ZxkhPXf4=,iv:7IEB0WjRpNmQz7Vfwa6qZNWomACoXQwH3Y6SfIPdgd8=,tag:JGFwt7nfhR8HqpUlUb+Tqw==,type:str] + supe_user_password: ENC[AES256_GCM,data:+2N0zdCiCSiYguhAmggMHkPWjBDLZ1+oxh/F4W4sBfTk54K9z3CNBU9nUvw=,iv:JYUzvHpNM0ECKf9JDQfwcH0DnZDBo7YNgaPHJzslftk=,tag:r3PSQofyxNoLweZcz8OokA==,type:str] sops: age: - recipient: age1lelpkv7u2xh5wezuwp09fmf9gsa8gp4rzy92jz0t203au82a7u5sutsjwa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocEdFTVhWT0dZUGZlTHhK - MjcxbFpFd3lydnJPMTV5T2pqblRVdnBZZ1FRCnFlV09oaFptY2JvTGVmZ3poQ2Nz - cm1IME13djMwbHJraVhPOEpBN1FqOEkKLS0tIEV5SkN1OXkxZDkrNFRhSEhoRDZC - RzlpNytqZGJOYW1BU0hOdFEyV3RjeEkKIWRRXhJTevlTCnlhoV3xoP6Kwtqt+aaE - wZECZ5N9Gk8JehsLkv5ShYxqcuenC8Rg/0Lc9Pmp6xhgJgWwJJzl+w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWWpDa1RCM20zblFiZEZG + MkcxVGlrN0thNURDaHIySU9xbG1CQ1FPNHowClBsUmpuVHVqaGNFWWd0VEVjYXFs + Yk5ZZ1BJVUQzMkFCbmRraUlSYkZ5SlEKLS0tIFBDZXlERFp2alJJelhrOER0S3pF + Vms3MW1sQm8yMk14OTk2THp0ZHpkc2MKiXJn3ZOUfh2W7UoYB2NHZ0Es9l7WJhaJ + 9cbedKWQt53ySKYfWKSC742wJ+mQZTIyD4zxh4RmT7GL166N6yJSoQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-27T20:50:36Z" - mac: ENC[AES256_GCM,data:lh8FgtmZI59b/lHNAW6ScWG4yE/63hBkAbwhoaPwQNRSOAgTGG0xy147zqO7R/dryQmgjNBiZU8tD9KOmqoKRYvi10BxHbnT83gR3IpKSx2dTZldw2Odp1y7MJxsiG646N/CqsEKP4+K7oP4GZT/ERrq03dDDhN3ZFdsxg4Xuu0=,iv:TIswHRnyihQrrBPozXUiZv8XjXiZGqptlf7ckxLWTJo=,tag:x6z5SE94x9Ewej3XjHcUyA==,type:str] + lastmodified: "2026-04-30T22:17:42Z" + mac: 
ENC[AES256_GCM,data:38wsQscf4Ngz5RtBHvWK+aq6Qq2oKK5Y338akWTQW9CbObh+ltikJkx9xKYSwmSrLf9D9Cal5NCejqHCU2S32QbPR+Jf7E1V9KYScTuiHxLLiepYUYhyD+K8S8B9M0mupGuEsnfmW1gOV6VQepqhDmyw2D6UhoTz8MFSrrTnA4I=,iv:45wGTvc9Vx48xhl+bkpvBhlGNPSUJh9ZPaHH2Sov0NI=,tag:afIY1nQl2YS2J/kx/ZRWQw==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.12.2 diff --git a/apps/hydra/secrets/truenas-csi.yaml b/apps/hydra/secrets/truenas-csi.yaml index 5d19b54..d00a0e5 100644 --- a/apps/hydra/secrets/truenas-csi.yaml +++ b/apps/hydra/secrets/truenas-csi.yaml 
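Review bot: Every encrypted field in `apps/hydra/secrets/linkding.yaml` is rewritten in this hunk (new `data`, `iv`, `tag`, age `enc` block, `mac` and `lastmodified`) although the commit is about Immich, and the `truenas-csi.yaml` hunk that follows does the same with an identical `lastmodified`. From ciphertext alone a reviewer cannot tell whether the linkding superuser credentials and the TrueNAS API key were rotated or merely re-encrypted, so an unintended credential change would pass review unnoticed. If the values did not change, leave these two files out of the commit or have the tooling skip secrets whose plaintext is unchanged; if they did change, say so in the commit message.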
@@ -4,19 +4,19 @@ metadata: name: truenas-csi-api-credentials namespace: truenas-csi stringData: - api-key: ENC[AES256_GCM,data:rLckxqJRQRrRf5t9r/9tkGau0Jmq0GWvIS6CuIb8DSa0p3PnmWZ8XxptPf0zYylcwVmcHTypU/rQXL1cVjovj61U,iv:nD50QitcpDVJ7Xrduqg4N75qa8m6Kei7LtDc5ZO0+fI=,tag:RFKG8rZ0HLQ+skJIzAV5NA==,type:str] + api-key: ENC[AES256_GCM,data:IH63ctc6uglYSpV5uQHQgd0uFrO7Y9yplN28xMIn1LD8eYO0zq/2BVVSaQ8i3+PWtV48nioJOBTVEzSVXQ7YlKMm,iv:bSapMu05DNksTHNwVH9QJ/rbsipJBRkb9GlpSbQbXiw=,tag:xyTAI7OOfQsa2f8ro4XmKg==,type:str] sops: age: - recipient: age1lelpkv7u2xh5wezuwp09fmf9gsa8gp4rzy92jz0t203au82a7u5sutsjwa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWldlbGNyK2lHUTFQUGI2 - aWxVZERyYXRDYVEwVTRyVkorSG1sMkxnWkRZCk1NM0hPNEc1YjY2Y2lFL3lMUkFk - RmZYamhJSGFUc2hXQm9IMnJFdUZoRGMKLS0tIFZWM1FTSkZnU0NEd1YycnpnYVFQ - M2NsdTdjMlZvSUluU1d5TG1CMXdpcnMKQWmdbo9Clk7SGmD6AwXfcZnbbXKrMgti - q2Cn+ZRDvZEYwQtMp/ob8iwbrl9KrUURNq/1GkmCjy73fy+MzTCnCQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZFMxTUpLMGJmejNYYkN1 + TjBRQnE5V2pZSTY3QWp1cDJpRGh6S3BmbnpvCnVXZ1kreGlIZ2VOUU0vMDJnQTBs + Kzh5WEdEZzZpanBQbGllT0VaSmZvbjgKLS0tIDBQc2RENHZyWVZTS2ZCQ0hiQnRu + c2c1enpDM0tCU0lkZFdpbjIvREh0QWMKc8W2CXxdvFSNuel7Wls3dS/+fayXE1cu + ghx+vlWQK+3CjDla+dTSd8UJwcA1YNkW6kRepuMP+4+P5jCR/3uyNg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-27T20:50:36Z" - mac: ENC[AES256_GCM,data:Rc3fcgj1BZR+jK4pHmukqPfdsZuxv/31RFLQJ8oV8XvU3eN1eedaS9DPUPss3VyLSnc0hjwlcCkd/QwNxeAUg3rHgWt5tc5m2nxIcjuHyuTMpoXvQ3xzOzTfC/DsewpKHuGR6lfF74x4SFZrwoocZztMh6i930lzfBk4FV4q0/Q=,iv:gA+XJvUYYDpPmNRmoeJvcu/J0rFvWGU+umUnem5tcfI=,tag:92ArjqfdFjV3qtJn2bK+Jw==,type:str] + lastmodified: "2026-04-30T22:17:42Z" + mac: ENC[AES256_GCM,data:QOSR+wLE3l/wBIR2ztIYt7BYWpXB5b8Sm8LBeZNU1xNJOigaAVyXYRnEW5Cy38fUVH+RWx/5JALEanF1yLRok98IvAAe6FSdOO5h+SniKDO61s/o7SWEQdpEzXVU7iVhYgjWNeyNNFbqzLwkJ8/weli9AobN36H+zUOTR/EI9ek=,iv:HfchJ4eyKncJLX1EONXmJF14lZW43EE4FuP/xoeScL0=,tag:rNf0UN6KWBMH5umKheZC1Q==,type:str] encrypted_regex: 
^(data|stringData)$ version: 3.12.2 diff --git a/infrastructure/hydra/cloud-native-pg/pg-cluster.yaml b/infrastructure/hydra/cloud-native-pg/pg-cluster.yaml index 66fbd9b..13231ae 100644 --- a/infrastructure/hydra/cloud-native-pg/pg-cluster.yaml +++ b/infrastructure/hydra/cloud-native-pg/pg-cluster.yaml @@ -6,7 +6,11 @@ metadata: spec: affinity: {} instances: 3 - managed: {} + managed: + roles: + - name: immich + passwordSecret: + name: immich postgresql: syncReplicaElectionConstraint: enabled: false diff --git a/infrastructure/hydra/truenas-csi/kuztomization.yaml b/infrastructure/hydra/truenas-csi/kuztomization.yaml index 413913b..8d2513b 100644 --- a/infrastructure/hydra/truenas-csi/kuztomization.yaml +++ b/infrastructure/hydra/truenas-csi/kuztomization.yaml @@ -4,16 +4,16 @@ metadata: name: truenas-csi namespace: truenas-csi resources: +- controller-deployment.yaml +- node-deamonset.yaml +- CSIDriver.yaml +- nfs-storage-class.yaml +- iscsi-storage-class.yaml - namespace.yaml - controller-service-account.yaml - controller-cluster-role.yaml - controller-binding.yaml - node-service-account.yaml -- node-deamonset.yaml -- CSIDriver.yaml -- config.yaml -- controller-deployment.yaml - node-cluster-role.yaml - node-binding.yaml -- nfs-storage-class.yaml -- iscsi-storage-class.yaml +- config.yaml diff --git a/pkg/cnpg/cluster.go b/pkg/cnpg/cluster.go index 6032acd..0689cbd 100644 --- a/pkg/cnpg/cluster.go +++ b/pkg/cnpg/cluster.go @@ -2,6 +2,7 @@ package cnpg import ( "danicos.dev/daniel/go-kube/pkg/kube" + "danicos.dev/daniel/homelab/pkg/immich" "danicos.dev/daniel/homelab/pkg/root" kube_cnpg "danicos.dev/daniel/go-kube/pkg/cnpg" @@ -22,7 +23,14 @@ func Cluster() pg.Cluster { }, }, Managed: &pg.ManagedConfiguration{ - Roles: []pg.RoleConfiguration{}, + Roles: []pg.RoleConfiguration{ + { + Name: root.Immich.Name, + PasswordSecret: &pg.LocalObjectReference{ + Name: immich.Secret.Name, + }, + }, + }, }, } return kube_cnpg.NewCluster(meta, spec)
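Review bot: The new `pg.RoleConfiguration` entry in `Cluster()` sets only `Name` and `PasswordSecret`, so every other role attribute is left at the operator default, and to my knowledge CloudNativePG creates managed roles with login disabled unless told otherwise. If Immich is meant to authenticate as this role, add `Login: true,` to the literal and keep the privileged attributes (superuser, createdb, createrole) unset so the role stays least-privilege. The role name comes from `root.Immich.Name` while the secret name comes from `immich.Secret.Name`; a short comment such as `// Secret must be basic-auth, in the cluster namespace, with username == role name` would record that coupling. The rendered `pg-cluster.yaml` hunk earlier on this line carries the same role, and `Cluster()` begins and ends outside this hunk.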