base docker config

2026-03-19 00:48:42 +01:00
parent 7ad51dae13
commit a073d75f16
11 changed files with 393 additions and 1 deletions
@@ -0,0 +1,5 @@
+# ignore ALL .log files
+*.log
+
+# ignore all the files in any directoy
+data/
@@ -1,3 +1,39 @@
 # immich-simple-server-config

 This is the simplest way to host immich on a old computer. 
+
+1. Install proxmox on your computer. Make sure it is installed on the proper drive. Usally it is installed on an SSD or NVME drive
+2. After the installation, make sure it is properly connected to your network. Ideally use wired connection. Configure the network accordingly on proxmox (correct host, correct bridge). Your configuration in ```/etc/network/interfaces``` should look like the following, where the brige should match the output of ```ip -a```
+```
+
+Hello
+```
+
+3. Once proxmox is configured it correctly, you should be able to access the web console on the ip defined in the terminal. 
+4. Verify on your node that all the drives that will be used are properly recognized. It is common practice to host the VM on your SSD/NVME drive and the data on a HDD drive.
+5. Download an ISO. I recommend the latest version of Debian. 
+6. Create a VM using the downloaded ISO. I would recommend using 128GB of space if you have that much to start with. The space can always be expanded, but it is harder to reduce. So it is better to start small, and increase it as the needs arise. Only the basic installation is needed. You do not need a DE!
+7. Make sure your user is part of the sudoers. Otherwise install sudo as root and your user to the the list:
+
+```
+su
+apt install sudo
+adduser <username> sudo
+
+```
+7. Install docker and docker compose following the [documentation](https://docs.docker.com/engine/install/debian/)
+8. Clone this repository: ```git clone https://gitea.crescentec.ch/chriswin/immich-simple-server-config.git```  This repository consists of a docker compose stack of the following softwares:
+- Pangolin (reverse proxy, vpn, ...)
+- PostgreSQL (database)
+- Redis (Caching)
+- pgAdmin (database explorer)
+- Databasus (database backup)
+- Immich (image library)
+9. Mount the HDD drive which will contain your data
+10. Configure Postgres...
+- Create a new user for Immich (memorize the password)
+- Create a new table linked to this user (memorize the table name)
+11. Configure Pangolin...
+12. Configure Immich...
+13. Configure Databasus... (optional but highly recommended)
+14. Configure Proxmox backup of VM... (optional but highly recommended)
@@ -0,0 +1,9 @@
+# Timezone
+TZ=Europe/Zurich
+
+# User and group docker will executed
+PUID=1000
+PGID=1000
+
+TEMPLATES_PATH=$[PWD]/docker-compose.templates.yml
+INCLUDE_PATH=${PWD}/docker
@@ -0,0 +1,41 @@
+# To see all available options, please visit the docs:
+# https://docs.pangolin.net/
+
+gerbil:
+    start_port: 51820
+    base_endpoint: "pangolin.example.com" # REPLACE WITH YOUR DOMAIN
+    # Optional network settings (defaults shown):
+    # subnet_group: "100.89.137.0/20"
+    # block_size: 24
+    # site_block_size: 30
+
+app:
+    dashboard_url: "https://pangolin.example.com" # REPLACE WITH YOUR DOMAIN
+    log_level: "info"
+    telemetry:
+        anonymous_usage: true
+
+domains:
+    domain1:
+        base_domain: "example.com" # REPLACE WITH YOUR DOMAIN
+        cert_resolver: "letsencrypt"
+
+server:
+    secret: "your-strong-secret" # REPLACE
+    cors:
+        origins: ["https://pangolin.example.com"] # REPLACE WITH YOUR DOMAIN
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false
+
+# Optional organization network settings (defaults shown):
+# orgs:
+#     block_size: 24
+#     subnet_group: "100.90.128.0/20"
+#     utility_subnet_group: "100.96.128.0/20"
+
+flags:
+    require_email_verification: false
+    disable_signup_without_invite: true
+    disable_user_create_org: false
+    allow_raw_resources: true
@@ -0,0 +1,73 @@
+http:
+  middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+
+  routers:
+    # HTTP to HTTPS redirect router
+    main-app-router-redirect:
+      rule: "Host(`pangolin.example.com`)" # REPLACE WITH YOUR DOMAIN
+      service: next-service
+      entryPoints:
+        - web
+      middlewares:
+        - redirect-to-https
+        - badger
+
+    # Next.js router (handles everything except API and WebSocket paths)
+    next-router:
+      rule: "Host(`pangolin.example.com`) && !PathPrefix(`/api/v1`)" # REPLACE WITH YOUR DOMAIN
+      service: next-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - badger
+      tls:
+        certResolver: letsencrypt
+
+    # API router (handles /api/v1 paths)
+    api-router:
+      rule: "Host(`pangolin.example.com`) && PathPrefix(`/api/v1`)" # REPLACE WITH YOUR DOMAIN
+      service: api-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - badger
+      tls:
+        certResolver: letsencrypt
+
+    # WebSocket router
+    ws-router:
+      rule: "Host(`pangolin.example.com`)" # REPLACE WITH YOUR DOMAIN
+      service: api-service
+      entryPoints:
+        - websecure
+      middlewares:
+        - badger
+      tls:
+        certResolver: letsencrypt
+
+  services:
+    next-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3002"  # Next.js server
+
+    api-service:
+      loadBalancer:
+        servers:
+          - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2
@@ -0,0 +1,54 @@
+api:
+  insecure: true
+  dashboard: true
+
+providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
+  file:
+    filename: "/etc/traefik/dynamic_config.yml"
+
+experimental:
+  plugins:
+    badger:
+      moduleName: "github.com/fosrl/badger"
+      version: "v1.3.1"
+
+log:
+  level: "INFO"
+  format: "common"
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: "admin@example.com" # REPLACE WITH YOUR EMAIL
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    transport:
+      respondingTimeouts:
+        readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
+
+serversTransport:
+  insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"
@@ -0,0 +1,44 @@
+services:
+
+  postgres-with-pg-vector:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: postgres-with-pg-vector
+    image: tensorchord/pgvecto-rs:pg16-v0.3.0
+    ports:
+      - 5433:5432
+    networks:
+      - ip4net
+    environment:
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} 
+      # PGDATA: /var/lib/postgresql/data
+      # see https://www.pgadmin.org/docs/pgadmin4/latest/container_deployment.html
+      PUID: 5050
+      PGID: 5050
+    volumes:
+      - ${INCLUDE_PATH}/data/postgres:/var/lib/postgresql/data
+
+  redis:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: redis
+    image: redis:8.6.1
+    networks:
+      - ip4net
+    volumes:
+      - ${INCLUDE_PATH}/data/redis:/data
+
+  databasus:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: databasus/databasus:v3.22.0
+    container_name: databasus
+    ports:
+      - 8086:4005
+    networks:
+      - ip4net
+    volumes:
+      - ${INCLUDE_PATH}/data/databasus:/databasus-data
@@ -0,0 +1,17 @@
+# While this file is not meant to be deployed directly it is used for "inheritance" of your sevices. 
+# Below you can see a service that I've called "default" which is used as a base definition for other services.
+# It defines only the most common properties that I need. It does not have the 'image' for example as each extending service will have its own 'image'.
+# Of course you can have more templates here or even 'extend' them from each other.
+services:
+  default:
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges=true
+    environment:
+      TZ: ${TZ}
+      PUID: ${PUID}
+      PGID: ${PGID}
+    logging:
+      options:
+        max-size: "5m"
+        max-file: "3"
@@ -0,0 +1,20 @@
+# center docker-compose file
+# see https://github.com/labmonkey/docker-compose-project-example for more info
+
+# Here I will include all "child" docker compose files that I need.
+# The paths can relative to this file or absolue. I've used INCLUDE_PATH variable to make it more cofigurable.
+# Whenever I need to remove some service then I can comment out the lines here.
+include:
+  - path:
+      - ${INCLUDE_PATH}/media.yml
+      - ${INCLUDE_PATH}/infrastructure.yml
+      - ${INCLUDE_PATH}/database.yml
+    env_file: ${INCLUDE_PATH}/.env
+
+networks:
+  ip4net:
+    driver: bridge
+    name: ip4net
+    ipam:
+      config:
+        - subnet: 10.6.0.0/16
@@ -0,0 +1,60 @@
+services:
+
+  pangolin:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: docker.io/fosrl/pangolin:v1.16.2
+    container_name: pangolin
+    volumes:
+      - ./config/pangolin:/app/config
+    network:
+      - ip4net
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
+      interval: "10s"
+      timeout: "10s"
+      retries: 15
+      
+  # gerbil:
+  #   extends:
+  #     file: ${TEMPLATES_PATH}
+  #     service: default
+  #   image: docker.io/fosrl/gerbil:latest # https://github.com/fosrl/gerbil/releases
+  #   container_name: gerbil
+  #   depends_on:
+  #     pangolin:
+  #       condition: service_healthy
+  #   command:
+  #     - --reachableAt=http://gerbil:3004
+  #     - --generateAndSaveKeyTo=/var/config/key
+  #     - --remoteConfig=http://pangolin:3001/api/v1/
+  #   volumes:
+  #     - ./config/pangolin:/var/config
+  #   cap_add:
+  #     - NET_ADMIN
+  #     - SYS_MODULE
+  #   ports:
+  #     - 51820:51820/udp
+  #     - 21820:21820/udp
+  #     - 443:443
+  #     - 80:80
+
+  traefik:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: docker.io/traefik:v3.6
+    container_name: traefik
+    network:
+      - ip4net
+    depends_on:
+      pangolin:
+        condition: service_healthy
+    command:
+      - --configFile=/etc/traefik/traefik_config.yml
+    volumes:
+      - ./config/pangolin/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
+      - ./config/pangolin/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
+      - ./config/pangolin/traefik/logs:/var/log/traefik # Volume to store Traefik logs
+
@@ -0,0 +1,33 @@
+services:
+
+  immich-server:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: immich_server
+    image: ghcr.io/immich-app/immich-server:v2.5.6
+    environment:
+      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
+      DB_HOSTNAME: postgres-with-pg-vector
+      DB_USERNAME: immich
+      DB_DATABASE_NAME: immich
+      REDIS_HOSTNAME: redis
+    volumes:
+      - ${IMMICH_EXTERNAL_PATH}:/usr/src/app/external:ro
+      - ${MEDIA_PATH}/immich/data/library:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 2283:3001
+    networks:
+      - ip4net
+
+  immich-machine-learning:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    container_name: immich_machine_learning
+    image: ghcr.io/immich-app/immich-machine-learning:v2.5.6
+    ports:
+      - 3003:3003
+    volumes:
+      - ${INCLUDE_PATH}/data/immich/model-cache:/cache