fixed geoip tag
This commit is contained in:
+78
-78
@@ -217,11 +217,11 @@ spec:
|
||||
app.kubernetes.io/instance: immich
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
labels:
|
||||
app.kubernetes.io/controller: main
|
||||
app.kubernetes.io/instance: immich
|
||||
app.kubernetes.io/name: machine-learning
|
||||
spec:
|
||||
spec:
|
||||
enableServiceLinks: false
|
||||
serviceAccountName: default
|
||||
automountServiceAccountToken: true
|
||||
@@ -229,18 +229,18 @@ spec:
|
||||
hostNetwork: false
|
||||
hostPID: false
|
||||
dnsPolicy: ClusterFirst
|
||||
containers:
|
||||
containers:
|
||||
- env:
|
||||
- name: HF_XET_CACHE
|
||||
value: /cache/huggingface-xet
|
||||
- name: IMMICH_MACHINE_LEARNING_URL
|
||||
value: http://immich-machine-learning:3003
|
||||
- name: MPLCONFIGDIR
|
||||
value: /cache/matplotlib-config
|
||||
- name: REDIS_HOSTNAME
|
||||
value: immich-valkey
|
||||
- name: TRANSFORMERS_CACHE
|
||||
value: /cache
|
||||
- name: HF_XET_CACHE
|
||||
value: /cache/huggingface-xet
|
||||
- name: IMMICH_MACHINE_LEARNING_URL
|
||||
value: http://immich-machine-learning:3003
|
||||
- name: MPLCONFIGDIR
|
||||
value: /cache/matplotlib-config
|
||||
- name: REDIS_HOSTNAME
|
||||
value: immich-valkey
|
||||
- name: TRANSFORMERS_CACHE
|
||||
value: /cache
|
||||
image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
@@ -253,9 +253,9 @@ spec:
|
||||
timeoutSeconds: 1
|
||||
name: main
|
||||
ports:
|
||||
- containerPort: 3003
|
||||
name: http
|
||||
protocol: TCP
|
||||
- containerPort: 3003
|
||||
name: http
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
@@ -273,9 +273,9 @@ spec:
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
volumeMounts:
|
||||
- mountPath: /cache
|
||||
name: cache
|
||||
volumes:
|
||||
- mountPath: /cache
|
||||
name: cache
|
||||
volumes:
|
||||
- name: cache
|
||||
persistentVolumeClaim:
|
||||
claimName: immich-machine-learning
|
||||
@@ -302,11 +302,11 @@ spec:
|
||||
app.kubernetes.io/instance: immich
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
labels:
|
||||
app.kubernetes.io/controller: main
|
||||
app.kubernetes.io/instance: immich
|
||||
app.kubernetes.io/name: server
|
||||
spec:
|
||||
spec:
|
||||
enableServiceLinks: false
|
||||
serviceAccountName: default
|
||||
automountServiceAccountToken: true
|
||||
@@ -314,28 +314,28 @@ spec:
|
||||
hostNetwork: false
|
||||
hostPID: false
|
||||
dnsPolicy: ClusterFirst
|
||||
containers:
|
||||
containers:
|
||||
- env:
|
||||
- name: DB_HOSTNAME
|
||||
value: immich-postgres
|
||||
- name: DB_PORT
|
||||
value: "5432"
|
||||
- name: DB_DATABASE_NAME
|
||||
value: immich
|
||||
- name: DB_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-db
|
||||
key: username
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-db
|
||||
key: password
|
||||
- name: IMMICH_MACHINE_LEARNING_URL
|
||||
value: http://immich-machine-learning:3003
|
||||
- name: REDIS_HOSTNAME
|
||||
value: immich-valkey
|
||||
- name: DB_HOSTNAME
|
||||
value: immich-postgres
|
||||
- name: DB_PORT
|
||||
value: "5432"
|
||||
- name: DB_DATABASE_NAME
|
||||
value: immich
|
||||
- name: DB_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-db
|
||||
key: username
|
||||
- name: DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: immich-db
|
||||
key: password
|
||||
- name: IMMICH_MACHINE_LEARNING_URL
|
||||
value: http://immich-machine-learning:3003
|
||||
- name: REDIS_HOSTNAME
|
||||
value: immich-valkey
|
||||
image: ghcr.io/immich-app/immich-server:v2.4.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
@@ -348,9 +348,9 @@ spec:
|
||||
timeoutSeconds: 1
|
||||
name: main
|
||||
ports:
|
||||
- containerPort: 2283
|
||||
name: http
|
||||
protocol: TCP
|
||||
- containerPort: 2283
|
||||
name: http
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
@@ -368,9 +368,9 @@ spec:
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
volumes:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
volumes:
|
||||
- name: data
|
||||
hostPath:
|
||||
path: /mnt/4_hdd/data/immich
|
||||
@@ -398,11 +398,11 @@ spec:
|
||||
app.kubernetes.io/instance: immich
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
labels:
|
||||
app.kubernetes.io/controller: main
|
||||
app.kubernetes.io/instance: immich
|
||||
app.kubernetes.io/name: valkey
|
||||
spec:
|
||||
spec:
|
||||
enableServiceLinks: false
|
||||
serviceAccountName: default
|
||||
automountServiceAccountToken: true
|
||||
@@ -410,35 +410,35 @@ spec:
|
||||
hostNetwork: false
|
||||
hostPID: false
|
||||
dnsPolicy: ClusterFirst
|
||||
containers:
|
||||
containers:
|
||||
- env:
|
||||
- name: IMMICH_MACHINE_LEARNING_URL
|
||||
value: http://immich-machine-learning:3003
|
||||
- name: REDIS_HOSTNAME
|
||||
value: immich-valkey
|
||||
- name: IMMICH_MACHINE_LEARNING_URL
|
||||
value: http://immich-machine-learning:3003
|
||||
- name: REDIS_HOSTNAME
|
||||
value: immich-valkey
|
||||
image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- valkey-cli ping | grep PONG
|
||||
- sh
|
||||
- -c
|
||||
- valkey-cli ping | grep PONG
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
name: main
|
||||
ports:
|
||||
- containerPort: 6379
|
||||
name: redis
|
||||
protocol: TCP
|
||||
- containerPort: 6379
|
||||
name: redis
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- valkey-cli ping | grep PONG
|
||||
- sh
|
||||
- -c
|
||||
- valkey-cli ping | grep PONG
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
@@ -446,17 +446,17 @@ spec:
|
||||
startupProbe:
|
||||
exec:
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- valkey-cli ping | grep PONG
|
||||
- sh
|
||||
- -c
|
||||
- valkey-cli ping | grep PONG
|
||||
failureThreshold: 30
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
volumes:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: immich-valkey
|
||||
@@ -478,24 +478,24 @@ metadata:
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||
# GeoIP-based access control for Immich
|
||||
# Allows Hungarian traffic everywhere, worldwide only for /share/* paths
|
||||
|
||||
|
||||
set $geo_allowed 0;
|
||||
|
||||
|
||||
# Allow all Hungarian traffic
|
||||
if ($geoip2_city_country_code = "HU") {
|
||||
if ($geoip2_country_code = "HU") {
|
||||
set $geo_allowed 1;
|
||||
}
|
||||
|
||||
|
||||
# Allow public share paths from anywhere
|
||||
if ($request_uri ~* "^/share/") {
|
||||
set $geo_allowed 1;
|
||||
}
|
||||
|
||||
|
||||
# API endpoints needed for shared content
|
||||
if ($request_uri ~* "^/api/shared-links") {
|
||||
set $geo_allowed 1;
|
||||
}
|
||||
|
||||
|
||||
# Assets for shared albums (thumbnails and originals)
|
||||
if ($request_uri ~* "^/api/assets/.*/thumbnail") {
|
||||
set $geo_allowed 1;
|
||||
@@ -503,7 +503,7 @@ metadata:
|
||||
if ($request_uri ~* "^/api/assets/.*/original") {
|
||||
set $geo_allowed 1;
|
||||
}
|
||||
|
||||
|
||||
# Static assets needed for share page rendering
|
||||
if ($request_uri ~* "^/_app/") {
|
||||
set $geo_allowed 1;
|
||||
@@ -514,7 +514,7 @@ metadata:
|
||||
if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {
|
||||
set $geo_allowed 1;
|
||||
}
|
||||
|
||||
|
||||
# Block non-allowed requests
|
||||
if ($geo_allowed = 0) {
|
||||
return 403 "Access restricted to Hungary";
|
||||
|
||||
Reference in New Issue
Block a user