added photo service

.env.cloud.secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:UaWhSRacf7xpa+9EWmQfT5x5cgXl1jolc9JVew9OsQNUVUz9Li/qVgBg80XNV982ul8T5VEPQAgqa32zS9CPTQsS3j94Ook0VL9tnuEjH3xxNQ5pKwgAcwZdY1aKva8=,iv:E0560L717gDaHY8AVDXbZfbXT9R7BLmq/qAKxyr9/nc=,tag:uL9UrZ4Qag5XlBP40QEu7w==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1xwmpq4ydrqmj8c9petpp9q5ujupdkd40puqqgpqvnuw23nckuupshrwcr9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bHYyd3NLNXdWcDMyN3Iw\naThxeWRlSDVsWGNxNjF4V2pWUWtxbFFzc3hBCkYwNTF2V0dQNFNkSlM3QTBpR0tm\nUjdmcEtQWWJGeFpkMnVOeHpwV3p4OWMKLS0tIHIyVUVmRUdJMlZLbnd5VkE5eVVO\nUWdQcm1xc1B3S3grZ253d1NCQXE3aFkKrueEKMImsWQvkMrkqekc6dh3FLmaW2rz\nU/ktcnYhLwAkoJlLKTEQ90+p36ut/sbZVjnyMQUPY32FGTJKJodqwA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-05T12:44:10Z",
+		"mac": "ENC[AES256_GCM,data:hcUVEfoNup/vPJdrBPiSVtAdUjVZFe4gg0k80iobnIuy/FfG5l/gF92+aNoBs9UePqNUpUfJovlhdOpViD1E5+Cpuus/yX8k7dHFRm7AEDFqg1IkZC2hGYhtutsHvy94BVa2QDPxBt0VGf04+ZVErR2A4+xxUbZDToF5JyYTMlY=,iv:gZebbr2rM5NzFUewp8ekOPbMhbHV66lHRXGeZCVSS00=,tag:qUtuevfJ+R/4JjQoMj/Rvg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

.env.database.secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:7Yme1F1IWIVoUA5+10Lwy+eiaZqKK+vjHKzk6LSE5GVhEY7QlXQrL7uE1PJCxDDu2B4=,iv:RDhV9HDE6uigsc2Ghhhm23yQVGm//EAhLJdv2siOxiI=,tag:7cKLVmPE9n4KCiGNCnTDzg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1xwmpq4ydrqmj8c9petpp9q5ujupdkd40puqqgpqvnuw23nckuupshrwcr9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ1hEZVlBR0ZGSHdOTE5j\nOElSdW1xME94WE8yWUlNYTJXZGNaZkFxbEF3Ck1mRzZKaVlXTXZobVNuN202bzAy\nck8vZmIxS2paM0JGOG8wNnp0aVAwQVUKLS0tIFBwOHMwcHVpeERvU1B2OFc0bTFI\nT0Foelg4TUpCWUduVUxleEo4OWpZS1EKpSwos8Fm4RT1/sn2bJPYVSPwpFPJ8FsJ\naXLE9RFLkSdtDNB6ZQJQcEU3y8lLbxvGEwU/mtwDUaNcxAvUigY0qA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-05T12:33:12Z",
+		"mac": "ENC[AES256_GCM,data:Q9P8OimJNBHSf1CbdcIp+K50eu45A3YG5eTWs9uLoBwmh9Skij8n/dvbP8ua8WZWOiLBhG8BWLwDhTYOwZAwpenT+skmFO4Af0M/QAGN50frH1qbsARtIIlgbcQPyEQw6KKLQtGcz4O8BfSlUvTq4U0cu1c8A/xsl01N7I3iD70=,iv:FCGYU6g/4jGewrjxBp1yem0VCGb+4vT6ePF5QqzNBdo=,tag:cdEH5YKMb4tX1D4ULQTmUA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

.env.password-manager.secret

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:FtLEZ26HWzv7nQuk2CK33FqVYaww1TNYx1yTfQleSZ1RWkPdE3Vsr03FSKb5sPa1G7mWmRE2ATAFdA+PYdqIWIXVoyVuwNdV1gThokClmi6Q1PsF9lBJiB9nWSnCMaUNxWms1bd77CK5DeKrfaoXUSRXbyQAS12An4Vt8CrBbsXQXOltpexX7/GfOAKF6SMay+t7,iv:BaeCWAaGkMsgiyZZRJZVDWWKIQ4aOwWZu2unHCq4xq0=,tag:kh4tykxoRNiGxcnMSV3lkg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1xwmpq4ydrqmj8c9petpp9q5ujupdkd40puqqgpqvnuw23nckuupshrwcr9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYaEZuMlk4MXJnaXp6K2Ri\nQUxmRkhsMnBNRjdnZEdDemxza1BQdzlTMVFFCmVUZk1JbitLYjNUUTV0TzRMUGdF\ncnZtR0FDbyszUExDN09wWGFZdTdacGsKLS0tIFdTRVNRWDErbmt1RUJJcGowWFdO\nMitCUS9ha25zS21RSks4UTluY1FCRWsKuOFQSIfUoAB+RVqyh7PfXYLiKk7kDMJR\nQzqZoRdm1Lkwicfuz5WlrbzJ9nMQPt51gVRBTKWxMkZvlbIRd/idaA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-10-05T12:33:31Z",
+		"mac": "ENC[AES256_GCM,data:PQpE8jRlzQUTuVATWC2goxy355hkrCPKe8TrVpqoHgqN4XPTeo0hE0mavX9RK/8bK9iC6dGuxPWdvCF8SU+rUJJd5/fCyagRcbL4JrQwThDFsLYory3venMmT6c/AZ8ejUZUzUm5bBZOmTqpSmAQLOsa3g0Gt0l5+9VKpbX/zzg=,iv:VCFJ+dvuZghwYMxfuwZQ2SRNN5mF1j2jo8toUu8868E=,tag:2ROpYJRMHimH/3g/hc3ncw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

.gitignore

@@ -1 +1 @@
-.env.*
+dist/

.sops.yaml

@@ -0,0 +1,17 @@
+keys:
+    - &primary age1xwmpq4ydrqmj8c9petpp9q5ujupdkd40puqqgpqvnuw23nckuupshrwcr9
+creation_rules:
+    - path_regex: .env.cloud$
+      key_groups:
+          - age:
+                - *primary
+
+    - path_regex: .env.database$
+      key_groups:
+          - age:
+                - *primary
+
+    - path_regex: .env.password-manager$
+      key_groups:
+          - age:
+                - *primary

compose.yml

@@ -4,6 +4,9 @@
 
 name: implohq
 
+include:
+  - ./services/photos/compose.yaml
+
 services:
   proxy:
     image: traefik:v2.10
@@ -36,8 +39,8 @@ services:
       # - "--certificatesresolvers.webresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
       - "--certificatesresolvers.webresolver.acme.email=quirin.ecker@bajupa.com"
       - "--certificatesresolvers.webresolver.acme.storage=/letsencrypt/acme.json"
-      # - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
-      # - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
 
   smarthome:
     container_name: implohq-smarthome

dynamic/tsl.yaml

@@ -0,0 +1,6 @@
+tls:
+    certificates:
+        - certFile: /certs/passwords.crt
+          keyFile: /certs/passwords.key
+        - certFile: /certs/photos.implohq.de.crt
+          keyFile: /certs/photos.implohq.de.key

implohq.nu

@@ -0,0 +1,19 @@
+def main [] {
+	nu ./implohq.nu --help
+}
+
+def "main deploy" [] {
+	let env_files = ["cloud", "database", "password-manager"]
+
+	mkdir dist
+
+	$env_files | each { |env_file|
+		sops decrypt $".env.($env_file).secret" | save -f $"./dist/.env.($env_file)"
+	}
+
+	cp -rf compose.yml dist
+	cp -rf dynamic dist/
+	cp -rf services dist/
+
+	scp -r dist/* implohq:.services/homelab/
+}

services/photos/.env

@@ -0,0 +1,24 @@
+# You can find documentation for all the supported env variables at https://docs.immich.app/install/environment-variables
+
+# The location where your uploaded files are stored
+UPLOAD_LOCATION=../../storage/immich/library
+
+# The location where your database files are stored. Network shares are not supported for the database
+DB_DATA_LOCATION=../../storage/immich/postgres
+
+# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+# TZ=Etc/UTC
+
+# The Immich version to use. You can pin this to a specific version like "v1.71.0"
+IMMICH_VERSION=release
+
+# Connection secret for postgres. You should change it to a random password
+# Please use only the characters `A-Za-z0-9`, without special characters or spaces
+DB_PASSWORD=postgres
+
+# The values below this line do not need to be changed
+###################################################################################
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich
+DB_HOSTNAME=photos-database
+REDIS_HOSTNAME=photos-redis

services/photos/compose.yaml

@@ -0,0 +1,89 @@
+#
+# WARNING: To install Immich, follow our guide: https://docs.immich.app/install/docker-compose
+#
+# Make sure to use the docker-compose.yml of the current release:
+#
+# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+#
+# The compose file on main may not be compatible with the latest release.
+
+services:
+  photos-server:
+    container_name: implohq-photos-server
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+    networks:
+      - immich
+      - proxy
+    # extends:
+    #   file: hwaccel.transcoding.yml
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+    volumes:
+      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+      - ${UPLOAD_LOCATION}:/data
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - .env
+    ports:
+      - "2283:2283"
+    depends_on:
+      - photos-redis
+      - photos-database
+    restart: always
+    healthcheck:
+      disable: false
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.immich.rule=Host(`photos.implohq.de`)"
+      - "traefik.http.routers.immich.entrypoints=websecure"
+      - "traefik.http.routers.immich.tls=true"
+      - "traefik.http.routers.immich.tls.domains[0].main=photos.implohq.de"
+
+  photos-machine-learning:
+    networks:
+      - immich
+    container_name: implohq-photos-machine-learning
+    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
+    # Example tag: ${IMMICH_VERSION:-release}-cuda
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
+    #   file: hwaccel.ml.yml
+    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    volumes:
+      - model-cache:/cache
+    env_file:
+      - .env
+    restart: always
+    healthcheck:
+      disable: false
+
+  photos-redis:
+    networks:
+      - immich
+    container_name: implohq-photos-redis
+    image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+
+  photos-database:
+    networks:
+      - immich
+    container_name: implohq-photos-postgres
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_DB: ${DB_DATABASE_NAME}
+      POSTGRES_INITDB_ARGS: "--data-checksums"
+      # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
+      # DB_STORAGE_TYPE: 'HDD'
+    volumes:
+      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
+    shm_size: 128mb
+    restart: always
+
+volumes:
+  model-cache:
+networks:
+  immich: