From 83cacc506cc48d0ca59cb923fb9f83cda7a03bbb Mon Sep 17 00:00:00 2001 
From: Alexander Dorn Date: Thu, 7 May 2026 08:44:34 +0200 Subject: [PATCH] fix(examples/03-immich): wire db password secret into immich-server MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `examples/03-immich/services/immich-server/quadlet/immich-server.container` declared `DB_USERNAME=immich` and `DB_HOSTNAME=immich-database` but did not mount the `immich-db-password` Podman secret nor point the server at the password file. The server fell back to whatever default Immich's image assumes, which does not match the random password the sibling `immich-database.container` initialises Postgres with via: Secret=immich-db-password,target=/run/secrets/immich-db-password Environment=POSTGRES_PASSWORD_FILE=/run/secrets/immich-db-password End-to-end on a clean host this manifested as: PostgresError: password authentication failed for user "immich" code: '28P01' file: 'auth.c' routine: 'auth_failed' with `immich-server.service` cycling on `Restart=always` indefinitely even after `core-ops apply` reported `Outcome: converged`. The canonical Immich walkthrough (FR-005 of spec/018) thus presented an all-green plan/apply/re-plan triple while the application was fundamentally non-functional — directly undercutting spec/018's "increase adoption likelihood" goal. Add to `immich-server.container`: Environment=DB_PASSWORD_FILE=/run/secrets/immich-db-password Secret=immich-db-password,target=/run/secrets/immich-db-password Immich supports the `_FILE` env-var convention for secrets natively (per Immich documentation), matching the same Podman secret as the database, so a single operator-provided secret feeds both ends. Discovered while exercising the canonical walkthrough for spec/018 session 3; the canonical example never ran end-to-end on a clean host since spec/017 shipped it. Same shape as PR #34 (postgres image-tag pin). Patch bump (`unclassified_path_releasable_default` fires for `examples/`); provenance-state fixture pinned in lock-step. 
Verification on `core-ops-uat` (Fedora CoreOS guest): $ podman secret create immich-db-password <(openssl rand -hex 16) $ sudo core-ops apply --source-repo examples/03-immich --host example Outcome: converged $ systemctl is-active immich-server active $ systemctl show immich-server -p NRestarts NRestarts=1 $ journalctl -u immich-server | grep "Microservices is running" Immich Microservices is running [v2.7.5] [production] $ core-ops plan --source-repo examples/03-immich --host example Summary: 10 unchanged $ cargo test 472 passed $ cargo clippy --all-targets -- -D warnings clean $ cargo run --bin core-ops-release -- validate --base-ref master passed (patch) Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 3 +++ Cargo.lock | 2 +- Cargo.toml | 2 +- changes/fix-immich-server-db-password.md | 7 +++++++ .../services/immich-server/quadlet/immich-server.container | 2 ++ tests/fixtures/provenance_state/valid-success.json | 2 +- 6 files changed, 15 insertions(+), 3 deletions(-) create mode 100644 changes/fix-immich-server-db-password.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 15e0e28..e610dea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,9 @@ versioning for public release policy decisions. ## [Unreleased] +### Changed + +- Wire `immich-db-password` Podman secret + `DB_PASSWORD_FILE` env var into `examples/03-immich/services/immich-server/quadlet/immich-server.container`; without these, `immich-server` could never authenticate to the Postgres database started by `immich-database.container` and entered a restart loop with `password authentication failed for user "immich"`. ## [2.2.1] - 2026-05-07 diff --git a/Cargo.lock b/Cargo.lock index 32a352c..3404b3f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -157,7 +157,7 @@ checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570" [[package]] name = "core-ops" -version = "2.2.1" +version = "2.2.2" dependencies = [ "clap", "libc", 
diff --git a/Cargo.toml b/Cargo.toml
index 4342c47..1886bcb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "core-ops"
-version = "2.2.1"
+version = "2.2.2"
 edition = "2021"
 license = "AGPL-3.0-or-later"
 
diff --git a/changes/fix-immich-server-db-password.md b/changes/fix-immich-server-db-password.md
new file mode 100644
index 0000000..1988e84
--- /dev/null
+++ b/changes/fix-immich-server-db-password.md
@@ -0,0 +1,7 @@
+---
+change_id: fix-immich-server-db-password
+release_intent: patch
+summary: Wire `immich-db-password` Podman secret + `DB_PASSWORD_FILE` env var into `examples/03-immich/services/immich-server/quadlet/immich-server.container`; without these, `immich-server` could never authenticate to the Postgres database started by `immich-database.container` and entered a restart loop with `password authentication failed for user "immich"`.
+scope: examples
+release_preparation: false
+---
diff --git a/examples/03-immich/services/immich-server/quadlet/immich-server.container b/examples/03-immich/services/immich-server/quadlet/immich-server.container
index 7dc128b..c9b08d3 100644
--- a/examples/03-immich/services/immich-server/quadlet/immich-server.container
+++ b/examples/03-immich/services/immich-server/quadlet/immich-server.container
@@ -14,8 +14,10 @@ Environment=DB_HOSTNAME=immich-database
 Environment=DB_PORT=5432
 Environment=DB_USERNAME=immich
 Environment=DB_DATABASE_NAME=immich
+Environment=DB_PASSWORD_FILE=/run/secrets/immich-db-password
 Environment=REDIS_HOSTNAME=immich-redis
 Environment=IMMICH_MACHINE_LEARNING_URL=http://immich-ml:3003
+Secret=immich-db-password,target=/run/secrets/immich-db-password
 
 [Service]
 Restart=always
diff --git a/tests/fixtures/provenance_state/valid-success.json b/tests/fixtures/provenance_state/valid-success.json
index e28c547..260358b 100644
--- a/tests/fixtures/provenance_state/valid-success.json
+++ b/tests/fixtures/provenance_state/valid-success.json
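Review bot: The new `Secret=` line mounts the password with Podman's documented default secret file mode (0444, uid/gid 0 inside the container), so every process in the container can read the database password regardless of which user Immich runs as; if the server process runs as a fixed non-root uid, tighten it to `Secret=immich-db-password,type=mount,target=/run/secrets/immich-db-password,mode=0400,uid=<that uid>`, and otherwise add a comment above the line recording that the world-readable default is intentional. The unit now also hard-depends on an operator-created secret — with `immich-db-password` absent Podman refuses to start the container rather than falling through to a wrong password, which is the right failure mode, but the diffstat touches no README, so unless the walkthrough already states the prerequisite add a comment such as `# Requires: podman secret create immich-db-password <password-file> (shared with immich-database.container)` above the `Secret=` line. The verification in the commit message creates the secret unprivileged but runs `core-ops apply` under `sudo`; Podman secret stores are per user, so presumably the UAT host ran both as root, and the walkthrough should say which store (rootful vs rootless) the generated units read from. The `[Container]` section this hunk edits begins outside the hunk.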
@@ -1,7 +1,7 @@
 {
 "schema_version": 1,
 "controller": {
- "version": "2.2.1",
+ "version": "2.2.2",
 "revision": "8f3c2ab",
 "build_time": "2026-03-23T10:00:00Z",
 "tree_state": "clean"