Immich VM: Initial provision and decommission Immich from Cloud VM (#11)

Reviewed-on: #11

infra/cloud/0000_proxmox_playbook.yaml

@@ -93,12 +93,6 @@
         backup: true
         storage: nvme
         size: 2048
-    - name: Create media disk
-      community.general.proxmox_disk:
-        disk: scsi2
-        backup: false
-        storage: zfs
-        size: 4096
     - name: Update VM
       community.general.proxmox_kvm:
         update: true
@@ -107,8 +101,8 @@
           - debian-12
           - managed
         onboot: true
-        cores: 16
-        memory: 32768
+        cores: 8
+        memory: 16384
 
     - name: Retart VM
       community.general.proxmox_kvm:

infra/cloud/0001_initialise_playbook.yaml

@@ -40,25 +40,3 @@
         opts: rw,errors=remount-ro,x-systemd.growfs
         state: mounted
       become: true
-
-    - name: Create media partition
-      community.general.parted:
-        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2
-        label: gpt
-        name: media
-        number: 1
-        state: present
-      become: true
-    - name: Create media filesystem
-      community.general.filesystem:
-        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        fstype: ext4
-      become: true
-    - name: Mount media partition
-      ansible.posix.mount:
-        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
-        path: /mnt/media
-        fstype: ext4
-        opts: rw,errors=remount-ro,x-systemd.growfs
-        state: mounted
-      become: true

infra/cloud/0004_decommission_immich_playbook.yaml

@@ -0,0 +1,71 @@
+- name: Decommission Immich
+  hosts: cloud
+  gather_facts: false
+  vars:
+    app: immich
+    api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}"
+    api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}"
+    api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}"
+    api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
+    vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
+    node: pve
+  module_defaults:
+    community.general.proxmox_kvm:
+      api_user: "{{ api_user }}"
+      api_host: "{{ api_host }}"
+      api_token_id: "{{ api_token_id }}"
+      api_token_secret: "{{ api_token_secret }}"
+      name: "{{ vmname }}"
+      node: "{{ node }}"
+    community.general.proxmox_disk:
+      api_user: "{{ api_user }}"
+      api_host: "{{ api_host }}"
+      api_token_id: "{{ api_token_id }}"
+      api_token_secret: "{{ api_token_secret }}"
+      name: "{{ vmname }}"
+  tasks:
+    - name: Wait for connection
+      ansible.builtin.wait_for_connection:
+        timeout: 300
+    - name: Get user
+      ansible.builtin.user:
+        name: debian
+      register: user
+    - name: Docker compose down
+      ansible.builtin.command: docker compose down
+      args:
+        chdir: "{{ user.home }}/{{ app }}"
+      ignore_errors: true
+    - name: Remove docker volumes
+      ansible.builtin.command: docker compose down --volumes
+      args:
+        chdir: "{{ user.home }}/{{ app }}"
+      ignore_errors: true
+    - name: Remove config directory
+      ansible.builtin.file:
+        path: "{{ user.home }}/{{ app }}"
+        state: absent
+
+    - name: Destroy media disk
+      community.general.proxmox_disk:
+        disk: scsi2
+        state: absent
+      delegate_to: localhost
+    - name: Remove media mount
+      ansible.posix.mount:
+        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
+        path: /mnt/media
+        fstype: ext4
+        opts: rw,errors=remount-ro,x-systemd.growfs
+        state: absent
+      become: true
+    - name: Remove media directory
+      ansible.builtin.file:
+        path: /mnt/media
+        state: absent
+      become: true
+    - name: Restart VM
+      community.general.proxmox_kvm:
+        state: restarted
+        timeout: 60
+      delegate_to: localhost

infra/photos/0000_proxmox_playbook.yaml

@@ -0,0 +1,116 @@
+- name: Provision photos Proxmox VM
+  hosts: photos
+  connection: ansible.builtin.local
+  gather_facts: false
+  vars:
+    api_user: "{{ lookup('ansible.builtin.env', 'PROXMOX_USER') }}"
+    api_host: "{{ lookup('ansible.builtin.env', 'PROXMOX_HOST' ) }}"
+    api_token_id: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_ID') }}"
+    api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
+    ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
+    vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
+    node: pve
+  module_defaults:
+    community.general.proxmox_kvm:
+      api_user: "{{ api_user }}"
+      api_host: "{{ api_host }}"
+      api_token_id: "{{ api_token_id }}"
+      api_token_secret: "{{ api_token_secret }}"
+      name: "{{ vmname }}"
+      node: "{{ node }}"
+    community.general.proxmox_nic:
+      api_user: "{{ api_user }}"
+      api_host: "{{ api_host }}"
+      api_token_id: "{{ api_token_id }}"
+      api_token_secret: "{{ api_token_secret }}"
+      name: "{{ vmname }}"
+    community.general.proxmox_disk:
+      api_user: "{{ api_user }}"
+      api_host: "{{ api_host }}"
+      api_token_id: "{{ api_token_id }}"
+      api_token_secret: "{{ api_token_secret }}"
+      name: "{{ vmname }}"
+  tasks:
+    # Initial setup
+    - name: Create VM
+      community.general.proxmox_kvm:
+        clone: "{{ node }}-debian-12"
+        storage: nvme
+      register: create
+    - name: Wait for status
+      community.general.proxmox_kvm:
+        state: current
+      register: vm
+      retries: 30
+      delay: 10
+      until: vm.status is defined
+
+    # Networking and initial config
+    - name: Add PUB NIC
+      community.general.proxmox_nic:
+        interface: net0
+        firewall: false
+        bridge: PUB
+    - name: Add SRV NIC
+      community.general.proxmox_nic:
+        interface: net1
+        firewall: false
+        bridge: SRV
+    - name: Configure cloud-init
+      community.general.proxmox_kvm:
+        update: true
+        ciuser: debian
+        sshkeys: "{{ ssh_public }}"
+        ipconfig:
+          ipconfig0: ip=dhcp,ip6=auto
+          ipconfig1: ip=dhcp
+
+    # Initial boot
+    # For some reason debian cloud images don't use
+    # cloud-init for networking on first boot (cloud-init files
+    # are regenerated AFTER networking starts). But we need the
+    # hostname to be registered with DHCP later on so ¯\_(ツ)_/¯
+    - name: Initial boot
+      when: create.changed is true
+      block:
+        - name: Start
+          community.general.proxmox_kvm:
+            state: started
+          register: start
+        - name: Wait 1.5 min # Initial apt update, apt upgrade, cloud-init
+          ansible.builtin.wait_for:
+            timeout: 90
+
+    # VM Configuration
+    - name: Resize root disk
+      community.general.proxmox_disk:
+        disk: scsi0
+        size: 16G
+        state: resized
+    - name: Create data disk
+      community.general.proxmox_disk:
+        disk: scsi1
+        backup: true
+        storage: nvme
+        size: 64
+    - name: Create media disk
+      community.general.proxmox_disk:
+        disk: scsi2
+        backup: true
+        storage: nvme
+        size: 2048
+    - name: Update VM
+      community.general.proxmox_kvm:
+        update: true
+        agent: enabled=1
+        tags:
+          - debian-12
+          - managed
+        onboot: true
+        cores: 8
+        memory: 16384
+
+    - name: Retart VM
+      community.general.proxmox_kvm:
+        state: restarted
+        timeout: 60

infra/photos/0001_initialise_playbook.yaml

@@ -0,0 +1,64 @@
+- name: Initialise VM
+  hosts: photos
+  gather_facts: false
+  tasks:
+    - name: Wait for connection
+      ansible.builtin.wait_for_connection:
+        timeout: 300
+    - name: Install system packages
+      ansible.builtin.apt:
+        update_cache: true
+        pkg:
+          - qemu-guest-agent
+          - parted
+      become: true
+    - name: Enable qemu-guest-agent
+      ansible.builtin.systemd:
+        name: qemu-guest-agent
+        state: started
+        enabled: true
+      become: true
+
+    - name: Create data partition
+      community.general.parted:
+        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1
+        label: gpt
+        name: data
+        number: 1
+        state: present
+      become: true
+    - name: Create data filesystem
+      community.general.filesystem:
+        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
+        fstype: ext4
+      become: true
+    - name: Mount data partition
+      ansible.posix.mount:
+        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:1-part1
+        path: /var/lib/docker
+        fstype: ext4
+        opts: rw,errors=remount-ro,x-systemd.growfs
+        state: mounted
+      become: true
+
+    - name: Create media partition
+      community.general.parted:
+        device: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2
+        label: gpt
+        name: media
+        number: 1
+        state: present
+      become: true
+    - name: Create media filesystem
+      community.general.filesystem:
+        dev: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
+        fstype: ext4
+      become: true
+    - name: Mount media partition
+      ansible.posix.mount:
+        src: /dev/disk/by-path/pci-0000:00:05.0-scsi-0:0:0:2-part1
+        path: /mnt/media
+        fstype: ext4
+        opts: rw,errors=remount-ro,x-systemd.growfs
+        state: mounted
+      become: true

infra/photos/0002_docker_playbook.yaml

@@ -0,0 +1,47 @@
+- name: Install software
+  hosts: photos
+  gather_facts: false
+  tasks:
+    - name: Wait for connection
+      ansible.builtin.wait_for_connection:
+        timeout: 300
+    - name: Install dependencies
+      ansible.builtin.apt:
+        update_cache: true
+        pkg:
+          - curl
+          - python3-apt
+          - gpg
+      become: true
+    - name: Add docker key
+      ansible.builtin.apt_key:
+        url: https://download.docker.com/linux/debian/gpg
+        keyring: /etc/apt/keyrings/docker.gpg
+      become: true
+    - name: Add docker repo
+      ansible.builtin.apt_repository:
+        repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable
+      become: true
+    - name: Install docker
+      ansible.builtin.apt:
+        update_cache: true
+        pkg:
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-buildx-plugin
+          - docker-compose-plugin
+      become: true
+    - name: Add user to docker group
+      ansible.builtin.user:
+        user: debian
+        groups:
+          - docker
+        append: true
+      become: true
+    - name: Enable docker
+      ansible.builtin.systemd:
+        name: docker
+        state: started
+        enabled: true
+      become: true

infra/photos/0003_immich_playbook.yaml

@@ -1,5 +1,5 @@
 - name: Deploy app
-  hosts: cloud
+  hosts: photos 
   gather_facts: false
   vars:
     app: immich
@@ -21,6 +21,16 @@
         src: "./{{ app }}"
         dest: "{{ user.home }}"
         mode: "0744"
+    - name: Replace Typesense secret
+      ansible.builtin.replace:
+        path: "{{ user.home }}/{{ app }}/.env"
+        regexp: "TYPESENSE_API_KEY_VALUE"
+        replace: "{{ lookup('ansible.builtin.password', user.home + '/typesense_secret', length=64, chars=['ascii_letters', 'digits']) }}"
+    - name: Replace DB secret
+      ansible.builtin.replace:
+        path: "{{ user.home }}/{{ app }}/.env"
+        regexp: "DB_PASSWORD_VALUE"
+        replace: "{{ lookup('ansible.builtin.password', user.home + '/db_secret', length=64, chars=['ascii_letters', 'digits']) }}"
     - name: Docker compose up -d
       ansible.builtin.command: docker compose up -d
       args:

infra/photos/immich/.env

@@ -7,13 +7,16 @@ UPLOAD_LOCATION=/mnt/media/immich
 IMMICH_VERSION=release
 
 # Connection secrets for postgres and typesense. You should change these to random passwords
-TYPESENSE_API_KEY=some-random-text
-DB_PASSWORD=postgres
+TYPESENSE_API_KEY=TYPESENSE_API_KEY_VALUE
+DB_PASSWORD=DB_PASSWORD_VALUE
+
+# Other
+PUBLIC_LOGIN_PAGE_MESSAGE="KovalHome Photos & Videos"
 
 # The values below this line do not need to be changed
 ###################################################################################
 DB_HOSTNAME=immich_postgres
-DB_USERNAME=immich
+DB_USERNAME=postgres
 DB_DATABASE_NAME=immich
 
 REDIS_HOSTNAME=immich_redis