first working version

chore: publish 1.2.0+v2.4.1 release
chore: remove unnecessary port mapping of ml container
2026-01-11 21:41:43 +01:00 · 2025-12-23 11:59:44 +01:00 · 2025-12-23 11:55:37 +01:00 · 2025-12-23 10:53:47 +00:00
6 changed files with 60 additions and 12 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -17,6 +17,7 @@ steps:
      DOMAIN: {{ .Name }}.swarm-test.autonomic.zone
      STACK_NAME: {{ .Name }}
      LETS_ENCRYPT_ENV: production
+      SECRET_DB_PASSWORD_VERSION: v1
 trigger:
  branch:
    - main
--- a/.env.sample
+++ b/.env.sample
@ -17,11 +17,23 @@ DB_DATA_LOCATION=./postgres
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 # TZ=Etc/UTC

-# Connection secret for postgres. You should change it to a random password
-# Please use only the characters `A-Za-z0-9`, without special characters or spaces
-DB_PASSWORD=postgres
-
 # The values below this line do not need to be changed
 ###################################################################################
 DB_USERNAME=postgres
 DB_DATABASE_NAME=immich
+
+#### from here on you can edit again
+
+SECRET_DB_PASSWORD_VERSION=v1
+
+
+## Additional Storage:
+
+# COMPOSE_FILE="compose.yml"
+
+# external storage
+# COMPOSE_FILE="$COMPOSE_FILE:compose.storage.yml"
+# STORAGE_DEVICE="//uxxxxx-sub1.your-server.de/uxxxxx-sub1"
+# STORAGE_USERNAME="uuxxxxx-sub1"
+# STORAGE_PASSWORD="<your-password-not-to-be-checked-in-unencrypted-in-a-git-repository-"
+# STORAGE_READONLY=":ro"
--- a/README.md
+++ b/README.md
@ -5,13 +5,13 @@
 <!-- metadata -->

 * **Category**: Apps
-* **Status**: 0
+* **Status**: 1
 * **Image**: [`immich`](https://hub.docker.com/r/immich), 4, upstream
 * **Healthcheck**: No
 * **Backups**: No
-* **Email**: No
+* **Email**: 1
 * **Tests**: No
-* **SSO**: No
+* **SSO**: 1 (Oauth)

 <!-- endmetadata -->

@ -23,6 +23,9 @@

 For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).

+## How do I integrate with Keycloak SSO?
+
+See https://docs.immich.app/administration/oauth/. The `ISSUER_URL` in the Immich settings should be `https://<sso-domain>/realms/<realm_name>/.well-known/openid-configuration`.

 ## Volume

@ -36,3 +39,10 @@ You can manually create a volume that has more storage for the library. For exam
 	--opt o=addr=uxxxxx.your-server.de,username=uxxxxxxx,password=*****,file_mode=0777,dir_mode=0777 \
 	--name immich_example_com_uploads
 ``` 
+
+## External Library
+
+If you want to use the [external library functionality](https://docs.immich.app/guides/external-library/) of immich via a cifs/smb-share-drive you can use the additional `compose.storage.yml` file.
+Just uncomment and edit the respective .env-files.
+
+The external storage will be mounted to `/mnt/external_storage` (this is your import path in immich).
--- a/compose.storage.yml
+++ b/compose.storage.yml
@ -0,0 +1,15 @@
+---
+version: "3.8"
+
+services:
+  app:
+    volumes:
+      - external_storage:/mnt/external_storage${STORAGE_READONLY}
+
+volumes:
+  external_storage:
+    driver: local
+    driver_opts:
+      type: cifs
+      device: ${STORAGE_DEVICE}
+      o: "username=${STORAGE_USERNAME},password=${STORAGE_PASSWORD}"
--- a/compose.yml
+++ b/compose.yml
@ -12,9 +12,11 @@ services:
      - DB_DATA_LOCATION
      - TZ
      - IMMICH_VERSION
-      - DB_PASSWORD
+      - DB_PASSWORD_FILE=/run/secrets/db_password
      - DB_USERNAME
      - DB_DATABASE_NAME
+    secrets:
+      - db_password
    networks:
      - proxy
      - backend
@ -27,37 +29,44 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.1.0+v2.4.1"
+        - "coop-cloud.${STACK_NAME}.version=1.2.0+v2.4.1"


  immich-machine-learning: # TODO: this has to be that name, as the frontend tries to reach it at: http://immich-machine-learning:3003
    image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
-    ports:
-      - 3003:3003
    volumes:
      - model-cache:/cache
    networks:
      - backend
    healthcheck:
      disable: false
+
  redis:
    image: redis:8.4-alpine
    healthcheck:
      test: redis-cli ping || exit 1
    networks:
      - backend
+
  database:
    image: tensorchord/pgvecto-rs:pg14-v0.2.0
    environment:
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
+    secrets:
+      - db_password
    volumes:
      - postgres:/var/lib/postgresql/data
    networks:
      - backend

+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
 networks:
  proxy:
    external: true
--- a/release/1.2.0+v2.4.1
+++ b/release/1.2.0+v2.4.1
@ -0,0 +1 @@
+Adds db_password secret, you'll need to create a new db secret when upgrading (e.g. `echo "secret" | abra app secret insert immich.example.com db_password v1`)
Author	SHA1	Message	Date
contraintuitiv	8c554b29e0	first working version	2026-01-11 21:41:43 +01:00
Philipp Rothmann	811fbf6f68	chore: publish 1.2.0+v2.4.1 release	2025-12-23 11:59:44 +01:00
Philipp Rothmann	4b06b48d02	chore: remove unnecessary port mapping of ml container	2025-12-23 11:55:37 +01:00
Hermann Käser	958294c1f6	use docker secrets for db password	2025-12-23 10:53:47 +00:00
				`@ -0,0 +1 @@`
				Adds db_password secret, you'll need to create a new db secret when upgrading (e.g. `echo "secret" \| abra app secret insert immich.example.com db_password v1`)