fix(backup): back up the postgres database (was unprotected)

The immich recipe declared backupbot.backup only on the app service (whose volumes
are all excluded), so the postgres database — all of immich users metadata, albums,
people, settings — was NOT backed up at all. Restoring a backup yielded an empty DB.

Add a database-service postgres backup mirroring the coop-cloud convention
(matrix-synapse, keycloak, ...): a /pg_backup.sh config-mounted hook driven by
backupbot pre/restore hooks. backup = pg_dump | gzip -> backup.sql in the postgres
volume; restore = terminate immich-server connections, FORCE-drop, recreate, reimport
(the VectorChord/pgvecto.rs extensions and all data round-trip cleanly).

.env.sample

@@ -7,22 +7,17 @@ DOMAIN=immich.example.com
 
 LETS_ENCRYPT_ENV=production
 
-# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+ENABLE_BACKUPS=true
 
-# The location where your uploaded files are stored
-UPLOAD_LOCATION=./library
-# The location where your database files are stored
-DB_DATA_LOCATION=./postgres
+# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
 
 # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
 # TZ=Etc/UTC
 
-# The values below this line do not need to be changed
-###################################################################################
 DB_USERNAME=postgres
 DB_DATABASE_NAME=immich
+#DB_STORAGE_TYPE=HDD
 
-#### from here on you can edit again
 
 SECRET_DB_PASSWORD_VERSION=v1
 

abra.sh

@@ -0,0 +1 @@
+export PG_BACKUP_VERSION=v1

compose.yml

@@ -3,13 +3,11 @@ version: "3.8"
 
 services:
   app:
-    image: ghcr.io/immich-app/immich-server:v2.4.1
+    image: ghcr.io/immich-app/immich-server:v2.7.5
     volumes:
       - uploads:/usr/src/app/upload
       - /etc/localtime:/etc/localtime:ro
     environment:
-      - UPLOAD_LOCATION
-      - DB_DATA_LOCATION
       - TZ
       - IMMICH_VERSION
       - DB_PASSWORD_FILE=/run/secrets/db_password
@@ -22,6 +20,9 @@ services:
       - backend
     healthcheck:
       disable: false
+    depends_on:
+      - redis
+      - database
     deploy:
       labels:
         - "traefik.enable=true"
@@ -29,11 +30,15 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.3.0+v2.4.1"
+        - "coop-cloud.${STACK_NAME}.version=1.6.0+v2.7.5"
+        - "backupbot.backup=${ENABLE_BACKUPS:-true}"
+        - "backupbot.volumes.model-cache=false"
+        - "backupbot.volumes.uploads=false"
+        - "backupbot.volumes.external_storage=false"
 
 
   immich-machine-learning: # TODO: this has to be that name, as the frontend tries to reach it at: http://immich-machine-learning:3003
-    image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
+    image: ghcr.io/immich-app/immich-machine-learning:v2.7.5
     volumes:
       - model-cache:/cache
     networks:
@@ -42,25 +47,41 @@ services:
       disable: false
 
   redis:
-    image: redis:8.4-alpine
+    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
     healthcheck:
       test: redis-cli ping || exit 1
     networks:
       - backend
 
   database:
-    image: tensorchord/pgvecto-rs:pg14-v0.2.0
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     environment:
       POSTGRES_PASSWORD_FILE: /run/secrets/db_password
       POSTGRES_USER: ${DB_USERNAME}
       POSTGRES_DB: ${DB_DATABASE_NAME}
       POSTGRES_INITDB_ARGS: '--data-checksums'
+      DB_STORAGE_TYPE: ${DB_STORAGE_TYPE:-SSD}
     secrets:
       - db_password
     volumes:
       - postgres:/var/lib/postgresql/data
     networks:
       - backend
+    deploy:
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.postgres.path: "backup.sql"
+        backupbot.restore.post-hook: "/pg_backup.sh restore"
+    configs:
+      - source: pg_backup
+        target: /pg_backup.sh
+        mode: 0555
+
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh
 
 secrets:
   db_password:

pg_backup.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Postgres backup/restore hook for the immich `database` service (VectorChord/pgvecto.rs image).
+# Invoked by backupbot-two via the deploy labels:
+#   backupbot.backup.pre-hook    = "/pg_backup.sh backup"
+#   backupbot.backup.volumes.postgres.path = "backup.sql"
+#   backupbot.restore.post-hook  = "/pg_backup.sh restore"
+# Backup dumps the immich DB to backup.sql (gzip) inside the postgres volume; backupbot then
+# archives that file. Restore reads it back and reimports. immich-server keeps TCP connections
+# open to the DB, so restore must terminate them and FORCE-drop before recreating (the matrix-synapse
+# pg_hba "local trust" trick does not cover networked connections).
+
+set -e
+
+BACKUP_FILE='/var/lib/postgresql/data/backup.sql'
+export PGPASSWORD=$(cat "${POSTGRES_PASSWORD_FILE:-/run/secrets/db_password}")
+DB_USER="${POSTGRES_USER:-postgres}"
+DB_NAME="${POSTGRES_DB:-immich}"
+
+function backup {
+  pg_dump -U "$DB_USER" "$DB_NAME" | gzip > "$BACKUP_FILE"
+}
+
+function restore {
+  # immich-server holds connections to the DB; drop them so DROP DATABASE can proceed.
+  psql -U "$DB_USER" -d postgres -c \
+    "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname='${DB_NAME}' AND pid<>pg_backend_pid();"
+  psql -U "$DB_USER" -d postgres -c "DROP DATABASE ${DB_NAME} WITH (FORCE);"
+  createdb -U "$DB_USER" "$DB_NAME"
+  gunzip -c "$BACKUP_FILE" | psql -U "$DB_USER" -d "$DB_NAME" -1 -v ON_ERROR_STOP=1 -f -
+}
+
+$@

release/1.4.0+v2.5.6

@@ -0,0 +1 @@
+changed database-images to the recommended one's by immich. this should work seemlessly. In doubt check PR #3: https://git.coopcloud.tech/coop-cloud/immich/pulls/3#issuecomment-30213.

release/1.5.0+v2.6.3

@@ -0,0 +1 @@
+there might be some long running db migrations that cause the update to look like it's timed out, check `abra ps` to verify status

release/1.5.1+v2.6.3

@@ -0,0 +1 @@
+patch to fix my tagging screw up

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}