eddie/homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2
homelab/compose/media/frontend/immich/compose.yaml
Claude ffc30ff582
refactor: Move all environment variables to .env files with example secrets 
This commit improves configuration management by:

## Changes

### Environment Variable Management
- Moved ALL environment blocks from compose.yaml files to .env files
- Added comprehensive .env files for all 20 services
- Included example secret formats with generation commands
- Added detailed comments explaining what each secret should look like

### Example Secret Formats
All .env files now include examples for:
- **JWT Secrets**: 64-character hex strings
  - Example format: `a1b2c3d4e5f67890abcdef1234567890...`
  - Generate with: `openssl rand -hex 32`

- **Passwords**: Strong alphanumeric passwords
  - Example format: `MyS3cur3P@ssw0rd!2024#HomeL@b`
  - Generate with: `openssl rand -base64 32 | tr -d /=+ | cut -c1-32`

- **Session Secrets**: Random hex strings
  - Example format: `b2c3d4e5f67890abcdef1234567890a1b2...`
  - Generate with: `openssl rand -hex 32`

- **API Keys**: Service-specific formats
  - Meili: 32-character hex (`openssl rand -hex 16`)
  - NextAuth: 64-character hex (`openssl rand -hex 32`)

### GPU Support Documentation
- Added NVIDIA GPU (GTX 1070) configuration for Jellyfin
- Added NVIDIA GPU configuration for Immich (ML inference & transcoding)
- Included setup instructions for NVIDIA Container Toolkit
- Documented how to enable GPU acceleration in each service

### Services Updated

**Core Infrastructure:**
- lldap: Added JWT secret and password examples
- tinyauth: Added session secret examples
- traefik: No environment variables needed

**Media Services:**
- jellyfin: Added .env with GPU configuration docs
- jellyseer: Created .env with logging and timezone settings
- immich: Added database password examples and GPU docs
- sonarr: Created .env for PUID/PGID/TZ
- radarr: Created .env for PUID/PGID/TZ
- sabnzbd: Created .env for PUID/PGID/TZ
- qbittorrent: Created .env for PUID/PGID/TZ/WEBUI_PORT

**Utility Services:**
- homarr: Created .env for port and timezone
- backrest: Added environment variables to .env
- linkwarden: Rewrote .env with NextAuth, Postgres, Meili examples
- vikunja: Created .env with JWT secret and database password
- FreshRSS: Created .env for PUID/PGID/TZ
- booklore: Created .env for PUID/PGID/TZ
- calibre-web: Created .env for PUID/PGID/TZ
- filebrowser: Created .env for PUID/PGID/TZ
- lubelogger: Created .env with locale settings
- rsshub: Created .env with cache and logging config
- microbin: Updated existing .env, removed environment block

### Benefits

1. **Security**:
   - Clear examples show what strong secrets look like
   - Generation commands prevent weak passwords
   - All secrets in one place per service

2. **Consistency**:
   - All services follow the same pattern (env_file: .env)
   - No more environment blocks in compose files
   - Easier to template new services

3. **Usability**:
   - Users know exactly what to change (look for `changeme_*`)
   - Example formats prevent configuration errors
   - Commands provided to generate secure values

4. **Maintainability**:
   - Compose files are cleaner and more readable
   - Environment changes don't require compose file edits
   - Version control friendly (.env files can be .gitignored)

### Files Changed
- Modified: 24 compose.yaml files
- Created: 14 new .env files
- Updated: 6 existing .env files
- Total .env files: 20 across all services

All compose.yaml files now use `env_file: .env` exclusively.
No environment blocks remain in any compose files.
2025-11-06 19:18:07 +00:00

98 lines
3.4 KiB
YAML
Raw Blame History

#
# Immich - Self-hosted photo and video management
# WARNING: To install Immich, follow our guide: https://docs.immich.app/install/docker-compose
#
# Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
# https://docs.immich.app/install/docker-compose/
#
# The compose file on main may not be compatible with the latest release.
name: immich
services:
immich-server:
container_name: immich_server
image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
# Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
- ${UPLOAD_LOCATION}:/data
- /etc/localtime:/etc/localtime:ro
# External photo library (optional - can be imported into Immich)
- /media/photos:/media/photos:ro
env_file:
- .env
ports:
- '2283:2283'
depends_on:
- redis
- database
restart: always
networks:
- homelab
- immich_internal
healthcheck:
disable: false
labels:
traefik.enable: true
traefik.docker.network: homelab
traefik.http.routers.immich.rule: Host(`photos.fig.systems`) || Host(`photos.edfig.dev`)
traefik.http.routers.immich.entrypoints: websecure
traefik.http.routers.immich.tls.certresolver: letsencrypt
traefik.http.services.immich.loadbalancer.server.port: 2283
# Optional: Enable SSO (note: Immich has its own user management)
# traefik.http.routers.immich.middlewares: tinyauth
immich-machine-learning:
container_name: immich_machine_learning
# For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
# Example tag: ${IMMICH_VERSION:-release}-cuda
image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
# extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- model-cache:/cache
env_file:
- .env
restart: always
networks:
- immich_internal
healthcheck:
disable: false
redis:
container_name: immich_redis
image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
healthcheck:
test: redis-cli ping || exit 1
restart: always
networks:
- immich_internal
database:
container_name: immich_postgres
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
env_file:
- .env
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
shm_size: 128mb
restart: always
networks:
- immich_internal
networks:
homelab:
external: true
immich_internal:
name: immich_internal
driver: bridge
volumes:
model-cache:
Reference in a new issue View git blame Copy permalink