homelab-infra/apps/immich/docker-compose.yml

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:v2.7.5@sha256:c15bff75068effb03f4355997d03dc7e0fc58720c2b54ad6f7f10d1bc57efaa5
    restart: unless-stopped
    depends_on:
      - redis
      - database
    environment:
      DB_HOSTNAME: database
      DB_USERNAME: immich
      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
      DB_DATABASE_NAME: immich
      REDIS_HOSTNAME: redis
      TZ: Europe/Berlin
    volumes:
      - /mnt/user/photos/immich:/usr/src/app/upload
      - /mnt/user/photos/family_archive:/usr/src/app/external
    networks:
      - immich_default
      - frontend_net
    security_opt:
      - no-new-privileges:true
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=frontend_net"
      - "traefik.http.routers.immich.rule=Host(`immich.kaleschke.info`)"
      - "traefik.http.routers.immich.entrypoints=websecure"
      - "traefik.http.routers.immich.tls=true"
      - "traefik.http.routers.immich.tls.certresolver=le"
      - "traefik.http.services.immich.loadbalancer.server.port=2283"

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:v2.7.5@sha256:a2501141440f10516d329fdfba2c68082e19eb9ba6016c061ac80d23beadf7f3
    restart: unless-stopped
    environment:
      # Workaround fuer gunicorn-25.1.0-Control-Socket-Bug: der Worker haengt
      # nach "Control socket listening at /usr/src/gunicorn.ctl" und erreicht
      # nie "Application startup complete" -> Container bleibt dauerhaft
      # unhealthy, ML (Gesichtserkennung/CLIP/Smart-Search) ist tot.
      # --no-control-socket deaktiviert das fehlerhafte Feature. immich-ml
      # startet gunicorn als Subprozess, der GUNICORN_CMD_ARGS aus der Env
      # liest und anhaengt. Bestaetigte Upstream-Regression seit Immich 2.6
      # (immich#27228, gunicorn#3510). Re-check: bei Immich-Update, das
      # gunicorn auf >25.1.0/<25.1.0 mit Fix bringt, wieder entfernen.
      GUNICORN_CMD_ARGS: "--no-control-socket"
    volumes:
      - model-cache:/cache
    networks:
      - immich_default
    security_opt:
      - no-new-privileges:true

  redis:
    container_name: immich_redis
    image: redis:8.8.0-alpine@sha256:09160599abd229764c0fb44cb6be640294e1d360a54b19985ab4843dcf2d90f1
    restart: unless-stopped
    networks:
      - immich_default
    security_opt:
      - no-new-privileges:true

  database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      POSTGRES_USER: immich
      POSTGRES_DB: immich
    shm_size: 128mb
    volumes:
      - /mnt/user/appdata/immich_postgres_vectorchord:/var/lib/postgresql/data
      - /mnt/user/appdata/secrets/immich_postgres_password.txt:/run/secrets/postgres_password:ro
    networks:
      - immich_default
    security_opt:
      - no-new-privileges:true

volumes:
  model-cache:

networks:
  immich_default:
    name: immich_default
    internal: true
    driver: bridge
  frontend_net:
    external: true