From 6c6607dd493408cb4d94caf545ac6dc5c8269c41 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Tue, 9 Jun 2026 17:09:18 +0000
Subject: [PATCH] chore: upgrade to 1.7.0+v2.7.5
Confirms immich-server at the latest v2.7.5 + holds the DB pin immich v2.7.5 ships (14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357), and adds a working postgres backup/restore for the VectorChord DB (search_path rewrite per immich docs + a local-trust pg_hba lockout, like matrix-synapse, so the app cannot race the reimport).
---
 abra.sh | 1 +
 compose.yml | 17 ++++++++++++++++-
 pg_backup.sh | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 abra.sh
 create mode 100755 pg_backup.sh
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..0975f1e
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export PG_BACKUP_VERSION=v1
diff --git a/compose.yml b/compose.yml
index a308f36..420e723 100644
--- a/compose.yml
+++ b/compose.yml
@@ -30,7 +30,7 @@ services:
 - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- - "coop-cloud.${STACK_NAME}.version=1.6.0+v2.7.5"
+ - "coop-cloud.${STACK_NAME}.version=1.7.0+v2.7.5"
 - "backupbot.backup=${ENABLE_BACKUPS:-true}"
 - "backupbot.volumes.model-cache=false"
 - "backupbot.volumes.uploads=false"
@@ -67,6 +67,21 @@ services:
 - postgres:/var/lib/postgresql/data
 networks:
 - backend
+ deploy:
+ labels:
+ backupbot.backup: "${ENABLE_BACKUPS:-true}"
+ backupbot.backup.pre-hook: "/pg_backup.sh backup"
+ backupbot.backup.volumes.postgres.path: "backup.sql"
+ backupbot.restore.post-hook: "/pg_backup.sh restore"
+ configs:
+ - source: pg_backup
+ target: /pg_backup.sh
+ mode: 0555
+
+configs:
+ pg_backup:
+ name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+ file: pg_backup.sh
 secrets:
 db_password:
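Review bot: The `backupbot.backup.volumes.postgres.path: "backup.sql"` label in the second compose.yml hunk names a plain SQL file, but the pre-hook in pg_backup.sh pipes pg_dump through gzip into that path, so the archived file is gzip data under a `.sql` name. Anyone restoring by hand, outside the post-hook, would likely feed compressed bytes to psql; naming it `backup.sql.gz` here and in `BACKUP_FILE` would make the format visible. No backup post-hook is visible in this hunk, so the dump appears to stay in the postgres volume after each run, which is worth confirming as intended.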
diff --git a/pg_backup.sh b/pg_backup.sh
new file mode 100755
index 0000000..218c7f3
--- /dev/null
+++ b/pg_backup.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Postgres backup/restore hook for the immich `database` service (VectorChord/pgvecto.rs). Restore
+# follows the same pattern as the (green) matrix-synapse recipe — a local-trust `pg_hba` lockout so
+# the app can't reconnect and race the reimport — plus the `search_path` rewrite from immich's docs
+# (https://docs.immich.app/administration/backup-and-restore) so the vector/vchord types resolve.
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+HBA='/var/lib/postgresql/data/pg_hba.conf'
+export PGPASSWORD=$(cat "${POSTGRES_PASSWORD_FILE:-/run/secrets/db_password}")
+DB_USER="${POSTGRES_USER:-postgres}"
+DB_NAME="${POSTGRES_DB:-immich}"
+
+function backup {
+ pg_dump -U "$DB_USER" "$DB_NAME" | gzip > "$BACKUP_FILE"
+}
+
+function restore {
+ restore_hba() {
+ if [ -f "${HBA}.ccci.bak" ]; then
+ cat "${HBA}.ccci.bak" > "$HBA"
+ rm -f "${HBA}.ccci.bak"
+ psql -U "$DB_USER" -d postgres -c "SELECT pg_reload_conf();" >/dev/null 2>&1 || true
+ fi
+ }
+ trap restore_hba EXIT INT TERM
+
+ # Lock the networked app out for the restore: local-trust-only pg_hba + reload rejects all TCP
+ # connections, then terminate the ones it already holds so DROP DATABASE can proceed.
+ cp "$HBA" "${HBA}.ccci.bak"
+ printf 'local all all trust\n' > "$HBA"
+ psql -U "$DB_USER" -d postgres -c "SELECT pg_reload_conf();"
+ psql -U "$DB_USER" -d postgres -c \
+ "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname='${DB_NAME}' AND pid<>pg_backend_pid();"
+
+ psql -U "$DB_USER" -d postgres -c "DROP DATABASE ${DB_NAME} WITH (FORCE);"
+ createdb -U "$DB_USER" "$DB_NAME"
+ gunzip -c "$BACKUP_FILE" \
+ | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" \
+ | psql -U "$DB_USER" -d "$DB_NAME" --single-transaction --set ON_ERROR_STOP=on
+
+ restore_hba
+ trap - EXIT INT TERM
+}
+
+$@
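Review bot: `set -e` without `pipefail` lets `backup` exit 0 when `pg_dump` fails, because the status of `pg_dump ... | gzip > "$BACKUP_FILE"` is gzip's, so an empty or truncated dump would be archived as a good backup; `set -eo pipefail` closes that. The same gap in `restore` means a gunzip error mid-stream only ends psql's input early, and with `--single-transaction` a partial import can still be committed. `restore` also issues `DROP DATABASE` before it has looked at the dump, so a missing or corrupt file leaves no database; a `gunzip -t "$BACKUP_FILE"` ahead of the pg_hba lockout would fail first. Separately, `cp "$HBA" "${HBA}.ccci.bak"` overwrites a `.ccci.bak` left by a restore that was killed without the trap running (SIGKILL, container stop) with the trust-only file, which loses the original pg_hba.conf; `[ -f "${HBA}.ccci.bak" ] || cp "$HBA" "${HBA}.ccci.bak"` keeps it.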