use immich recommended containers

.drone.yml

@@ -17,6 +17,7 @@ steps:
       DOMAIN: {{ .Name }}.swarm-test.autonomic.zone
       STACK_NAME: {{ .Name }}
       LETS_ENCRYPT_ENV: production
+      SECRET_DB_PASSWORD_VERSION: v1
 trigger:
   branch:
     - main

.env.sample

@@ -10,18 +10,19 @@ LETS_ENCRYPT_ENV=production
 # You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
 
 # The location where your uploaded files are stored
-UPLOAD_LOCATION=./library
+# UPLOAD_LOCATION=./library
 # The location where your database files are stored
-DB_DATA_LOCATION=./postgres
+# DB_DATA_LOCATION=./postgres
+
+# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
+# DB_STORAGE_TYPE: 'HDD'
 
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 # TZ=Etc/UTC
 
-# Connection secret for postgres. You should change it to a random password
-# Please use only the characters `A-Za-z0-9`, without special characters or spaces
-DB_PASSWORD=postgres
-
 # The values below this line do not need to be changed
 ###################################################################################
 DB_USERNAME=postgres
 DB_DATABASE_NAME=immich
+
+SECRET_DB_PASSWORD_VERSION=v1

README.md

@@ -5,13 +5,13 @@
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**: 0
+* **Status**: 1
 * **Image**: [`immich`](https://hub.docker.com/r/immich), 4, upstream
 * **Healthcheck**: No
 * **Backups**: No
-* **Email**: No
+* **Email**: 1
 * **Tests**: No
-* **SSO**: No
+* **SSO**: 1 (Oauth)
 
 <!-- endmetadata -->
 
@@ -23,6 +23,9 @@
 
 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
 
+## How do I integrate with Keycloak SSO?
+
+See https://docs.immich.app/administration/oauth/. The `ISSUER_URL` in the Immich settings should be `https://<sso-domain>/realms/<realm_name>/.well-known/openid-configuration`.
 
 ## Volume
 

compose.yml

@@ -3,23 +3,26 @@ version: "3.8"
 
 services:
   app:
-    image: ghcr.io/immich-app/immich-server:v1.136.0
+    image: ghcr.io/immich-app/immich-server:v2.4.1
     volumes:
       - uploads:/usr/src/app/upload
       - /etc/localtime:/etc/localtime:ro
     environment:
-      - UPLOAD_LOCATION
-      - DB_DATA_LOCATION
       - TZ
       - IMMICH_VERSION
-      - DB_PASSWORD
+      - DB_PASSWORD_FILE=/run/secrets/db_password
       - DB_USERNAME
       - DB_DATABASE_NAME
+    secrets:
+      - db_password
     networks:
       - proxy
       - backend
     healthcheck:
       disable: false
+    depends_on:
+      - redis
+      - database
     deploy:
       labels:
         - "traefik.enable=true"
@@ -27,37 +30,45 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.2.1+v1.136.0"
+        - "coop-cloud.${STACK_NAME}.version=1.2.0+v2.4.1"
 
 
   immich-machine-learning: # TODO: this has to be that name, as the frontend tries to reach it at: http://immich-machine-learning:3003
-    image: ghcr.io/immich-app/immich-machine-learning:v1.136.0
-    ports:
-      - 3003:3003
+    image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
     volumes:
       - model-cache:/cache
     networks:
       - backend
     healthcheck:
       disable: false
+
   redis:
-    image: redis:8.2-alpine
+    image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
     healthcheck:
       test: redis-cli ping || exit 1
     networks:
       - backend
+
   database:
-    image: tensorchord/pgvecto-rs:pg14-v0.2.0
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
       POSTGRES_USER: ${DB_USERNAME}
       POSTGRES_DB: ${DB_DATABASE_NAME}
       POSTGRES_INITDB_ARGS: '--data-checksums'
+      DB_STORAGE_TYPE: ${DB_STORAGE_TYPE}
+    secrets:
+      - db_password
     volumes:
       - postgres:/var/lib/postgresql/data
     networks:
       - backend
 
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
 networks:
   proxy:
     external: true

release/0.2.1+v1.136.0

@@ -1 +1,14 @@
-when upgrading from below 1.132.0 first need to run 1.132.0-1.136.0 first! see https://immich.app/errors/#typeorm-upgrade
+when upgrading from below 1.132.0 first need to run 1.132.0-1.136.0 first! see https://immich.app/errors/#typeorm-upgrade
+
+### DB migration failing: multiple primary keys for table "geodata_places"
+
+https://github.com/immich-app/immich/issues/20167
+
+I ran into this issue while upgrading and had to remove it manually:
+
+```bash
+abra app run immich.example.com database bash
+psql -U postgres
+\c immich
+ALTER TABLE "geodata_places" DROP CONSTRAINT IF EXISTS "geodata_places_tmp_pkey";
+```

release/1.2.0+v2.4.1

@@ -0,0 +1 @@
+Adds db_password secret, you'll need to create a new db secret when upgrading (e.g. `echo "secret" | abra app secret insert immich.example.com db_password v1`)