From 0d20dc315364a98168efb5fd615b4d0500362fbf Mon Sep 17 00:00:00 2001
From: Peter Smit <peter.smit@elnino.tech>
Date: Fri, 26 Sep 2025 11:37:14 +0200
Subject: [PATCH] Add shared postgres (wip)

---
 immich/docker-compose.updated.yml             |  48 ++++++++
 nextcloud/docker-compose.updated.yml          |  47 ++++++++
 paperless/docker-compose.updated.yml          |  54 +++++++++
 postgres/.env.example                         |   6 +-
 postgres/docker-compose.yml                   |  35 +++---
 postgres/init-scripts/01-init-databases.sh    |  73 ++++++++++++
 postgres/init-scripts/02-immich-extensions.sh |  35 ++++++
 shlink/docker-compose.updated.yml             |  27 +++++
 spliit/docker-compose.updated.yml             |  24 ++++
 synapse/docker-compose.updated.yml            | 105 ++++++++++++++++++
 10 files changed, 439 insertions(+), 15 deletions(-)
 create mode 100644 immich/docker-compose.updated.yml
 create mode 100644 nextcloud/docker-compose.updated.yml
 create mode 100644 paperless/docker-compose.updated.yml
 create mode 100755 postgres/init-scripts/01-init-databases.sh
 create mode 100755 postgres/init-scripts/02-immich-extensions.sh
 create mode 100644 shlink/docker-compose.updated.yml
 create mode 100644 spliit/docker-compose.updated.yml
 create mode 100644 synapse/docker-compose.updated.yml

diff --git a/immich/docker-compose.updated.yml b/immich/docker-compose.updated.yml
new file mode 100644
index 0000000..f21402d
--- /dev/null
+++ b/immich/docker-compose.updated.yml
@@ -0,0 +1,48 @@
+services:
+  immich-server:
+    container_name: immich_server
+    image: ghcr.io/immich-app/immich-server:v1.143.1
+    volumes:
+      - ${UPLOAD_LOCATION}:/data
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - .env
+    environment:
+      DB_HOSTNAME: shared-postgres
+      DB_PORT: 5432
+      DB_USERNAME: ${IMMICH_DB_USERNAME}
+      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
+      DB_DATABASE_NAME: ${IMMICH_DB_DATABASE_NAME}
+    ports:
+      - '2283:2283'
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+      redis:
+        condition: service_started
+    restart: always
+    networks:
+      - postgres-network
+
+  immich-machine-learning:
+    container_name: immich_machine_learning
+    image: ghcr.io/immich-app/immich-machine-learning:v1.143.1
+    volumes:
+      - model-cache:/cache
+    env_file:
+      - .env
+    restart: always
+
+  redis:
+    container_name: immich_redis
+    image: docker.io/redis:7.4-alpine@sha256:1bf97f21f01b0e7bd4b7b34a26d3b9d8086e41e70c10f262e8a9e0b49b5116a0
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+
+volumes:
+  model-cache:
+
+networks:
+  postgres-network:
+    external: true
diff --git a/nextcloud/docker-compose.updated.yml b/nextcloud/docker-compose.updated.yml
new file mode 100644
index 0000000..6958366
--- /dev/null
+++ b/nextcloud/docker-compose.updated.yml
@@ -0,0 +1,47 @@
+services:
+  nextcloud_db:
+    # Remove this service - using shared-postgres instead
+
+  nextcloud:
+    image: nextcloud:31.0.9
+    restart: always
+    ports:
+      - 8081:80
+    volumes:
+      - ${NEXTCLOUD_DATA_DIR}:/var/www/html
+    environment:
+      - POSTGRES_HOST=shared-postgres
+      - POSTGRES_PORT=5432
+      - POSTGRES_DB=${NEXTCLOUD_POSTGRES_DB}
+      - POSTGRES_USER=${NEXTCLOUD_POSTGRES_USER}
+      - POSTGRES_PASSWORD=${NEXTCLOUD_POSTGRES_PASSWORD}
+      - REDIS_HOST=nextcloud-redis
+      - REDIS_PORT=6379
+      - NEXTCLOUD_TRUSTED_DOMAINS=${NEXTCLOUD_DOMAIN}
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+    networks:
+      - nextcloud
+      - postgres-network
+
+  cron:
+    image: nextcloud:31.0.9
+    container_name: nextcloud-cron
+    volumes:
+      - ${NEXTCLOUD_DATA_DIR}:/var/www/html
+    entrypoint: /cron.sh
+    restart: always
+    networks:
+      - nextcloud
+
+  nextcloud-redis:
+    image: redis:7
+    restart: always
+    networks:
+      - nextcloud
+
+networks:
+  nextcloud:
+  postgres-network:
+    external: true
diff --git a/paperless/docker-compose.updated.yml b/paperless/docker-compose.updated.yml
new file mode 100644
index 0000000..43f7c98
--- /dev/null
+++ b/paperless/docker-compose.updated.yml
@@ -0,0 +1,54 @@
+services:
+  broker:
+    image: docker.io/library/redis:7
+    restart: always
+    volumes:
+      - ${PAPERLESS_REDIS_DATA_DIR}:/data
+
+  paperless:
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.18.4
+    restart: always
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+      broker:
+        condition: service_started
+      gotenberg:
+        condition: service_started
+      tika:
+        condition: service_started
+    ports:
+      - "8070:8000"
+    volumes:
+      - ${PAPERLESS_DATA_DIR}:/usr/src/paperless/data
+      - ${PAPERLESS_MEDIA_DIR}:/usr/src/paperless/media
+      - ${PAPERLESS_EXPORT_DIR}/export:/usr/src/paperless/export
+      - ${PAPERLESS_CONSUME_DIR}:/usr/src/paperless/consume
+    env_file: .env
+    environment:
+      PAPERLESS_REDIS: redis://broker:6379
+      PAPERLESS_DBHOST: shared-postgres
+      PAPERLESS_DBPORT: 5432
+      PAPERLESS_DBNAME: ${PAPERLESS_POSTGRES_DB}
+      PAPERLESS_DBUSER: ${PAPERLESS_POSTGRES_USER}
+      PAPERLESS_DBPASS: ${PAPERLESS_POSTGRES_PASSWORD}
+      PAPERLESS_TIKA_ENABLED: 1
+      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
+      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
+      PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
+      USE_X_FORWARD_HOST: true
+      USE_X_FORWARDED_PORT: true
+      PAPERLESS_DISABLE_REGULAR_LOGIN: true
+      PAPERLESS_REDIRECT_LOGIN_TO_SSO: true
+    networks:
+      - postgres-network
+
+  gotenberg:
+    # ... existing gotenberg configuration ...
+
+  tika:
+    # ... existing tika configuration ...
+
+networks:
+  postgres-network:
+    external: true
diff --git a/postgres/.env.example b/postgres/.env.example
index 95ccfc5..e65da04 100644
--- a/postgres/.env.example
+++ b/postgres/.env.example
@@ -1,2 +1,4 @@
-POSTGRES_USER=
-POSTGRES_PASSWORD=
\ No newline at end of file
+SHARED_DB_USER=
+SHARED_DB_PASSWORD=
+SHARED_DB_DB=
+SHARED_DB_DATA_DIR=
\ No newline at end of file
diff --git a/postgres/docker-compose.yml b/postgres/docker-compose.yml
index 8eb3222..3da0236 100644
--- a/postgres/docker-compose.yml
+++ b/postgres/docker-compose.yml
@@ -1,18 +1,27 @@
 services:
-  postgres:
-    image: ghcr.io/immich-app/postgres:17-vectorchord0.4.3-pgvectors0.3.0
-    container_name: database
-    environment:
-      POSTGRES_USER: ${POSTGRES_USER}
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-      POSTGRES_INITDB_ARGS: '--data-checksums --encoding=UTF-8  --locale=C'
-      DB_STORAGE_TYPE: 'HDD'
+  shared-postgres:
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+    container_name: shared-postgres
     restart: always
-    env_file:
-      - .env
+    environment:
+      POSTGRES_USER: ${SHARED_DB_USER}
+      POSTGRES_PASSWORD: ${SHARED_DB_PASSWORD}
+      POSTGRES_DB: ${SHARED_DB_DB}  # Default database
+      POSTGRES_INITDB_ARGS: '--encoding=UTF-8 --locale=C --data-checksums'
+    volumes:
+      - ${SHARED_DB_DATA_DIR}:/var/lib/postgresql/data
+      - ./init-scripts:/docker-entrypoint-initdb.d:ro
     ports:
-      - 5432:5432
+      - "5431:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${SHARED_DB_USER}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
     networks:
-      - postgres
+      - postgres-network
+
 networks:
-  postgres:
\ No newline at end of file
+  postgres-network:
+    name: postgres-network
+    driver: bridge
diff --git a/postgres/init-scripts/01-init-databases.sh b/postgres/init-scripts/01-init-databases.sh
new file mode 100755
index 0000000..45cf233
--- /dev/null
+++ b/postgres/init-scripts/01-init-databases.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+set -e
+
+# This script initializes all databases and users for the homelab services
+# It runs automatically when the PostgreSQL container starts for the first time
+
+echo "Creating databases and users for homelab services..."
+
+# Function to create database and user with restricted permissions
+create_db_and_user() {
+    local db_name=$1
+    local db_user=$2
+    local db_password=$3
+
+    echo "Creating database: $db_name with user: $db_user"
+
+    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+        -- Create database
+        CREATE DATABASE $db_name;
+
+        -- Create user with password
+        CREATE USER $db_user WITH ENCRYPTED PASSWORD '$db_password';
+
+        -- Grant connection to the specific database only
+        GRANT CONNECT ON DATABASE $db_name TO $db_user;
+
+        -- Make user owner of the database
+        ALTER DATABASE $db_name OWNER TO $db_user;
+
+        -- Connect to the specific database to set schema permissions
+        \c $db_name
+
+        -- Grant schema permissions
+        GRANT ALL ON SCHEMA public TO $db_user;
+        GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO $db_user;
+        GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO $db_user;
+        GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO $db_user;
+
+        -- Set default privileges for future objects
+        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $db_user;
+        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO $db_user;
+        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO $db_user;
+
+        -- Switch back to postgres database
+        \c postgres
+EOSQL
+}
+
+# Create databases for each service
+# Using environment variables that will be set in your .env file
+
+# Spliit
+create_db_and_user "${SPLIIT_POSTGRES_DB}" "${SPLIIT_POSTGRES_USER}" "${SPLIIT_POSTGRES_PASSWORD}"
+
+# Shlink
+create_db_and_user "${SHLINK_POSTGRES_DB}" "${SHLINK_POSTGRES_USER}" "${SHLINK_POSTGRES_PASSWORD}"
+
+# Immich
+create_db_and_user "${IMMICH_DB_DATABASE_NAME}" "${IMMICH_DB_USERNAME}" "${IMMICH_DB_PASSWORD}"
+
+# Nextcloud
+create_db_and_user "${NEXTCLOUD_POSTGRES_DB}" "${NEXTCLOUD_POSTGRES_USER}" "${NEXTCLOUD_POSTGRES_PASSWORD}"
+
+# Paperless
+create_db_and_user "${PAPERLESS_POSTGRES_DB}" "${PAPERLESS_POSTGRES_USER}" "${PAPERLESS_POSTGRES_PASSWORD}"
+
+# Matrix and co
+create_db_and_user "${SYNAPSE_POSTGRES_DB}" "${SYNAPSE_POSTGRES_USER}" "${SYNAPSE_POSTGRES_PASSWORD}"
+create_db_and_user "${MAS_POSTGRES_DB}" "${MAS_POSTGRES_USER}" "${MAS_POSTGRES_PASSWORD}"
+create_db_and_user "${MAUTRIX_SIGNAL_POSTGRES_DB}" "${MAUTRIX_SIGNAL_POSTGRES_USER}" "${MAUTRIX_SIGNAL_POSTGRES_PASSWORD}"
+create_db_and_user "${MAUTRIX_WHATSAPP_POSTGRES_DB}" "${MAUTRIX_WHATSAPP_POSTGRES_USER}" "${MAUTRIX_WHATSAPP_POSTGRES_PASSWORD}"
+
+echo "Database initialization completed successfully!"
diff --git a/postgres/init-scripts/02-immich-extensions.sh b/postgres/init-scripts/02-immich-extensions.sh
new file mode 100755
index 0000000..479b367
--- /dev/null
+++ b/postgres/init-scripts/02-immich-extensions.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+# Enable vector extensions for Immich database
+echo "Enabling vector extensions for Immich database..."
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "${IMMICH_DB_DATABASE_NAME}" <<-EOSQL
+    -- Create extensions as superuser
+    CREATE EXTENSION IF NOT EXISTS vectors;
+    CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+
+    -- Grant usage on the extension schemas to immich user
+    GRANT USAGE ON SCHEMA vectors TO ${IMMICH_DB_USERNAME};
+    GRANT USAGE ON SCHEMA earthdistance TO ${IMMICH_DB_USERNAME};
+
+    -- Grant all privileges on extension objects to immich user
+    GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA vectors TO ${IMMICH_DB_USERNAME};
+    GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA vectors TO ${IMMICH_DB_USERNAME};
+    GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA vectors TO ${IMMICH_DB_USERNAME};
+
+    GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA earthdistance TO ${IMMICH_DB_USERNAME};
+    GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA earthdistance TO ${IMMICH_DB_USERNAME};
+    GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA earthdistance TO ${IMMICH_DB_USERNAME};
+
+    -- Set default privileges for future extension objects
+    ALTER DEFAULT PRIVILEGES IN SCHEMA vectors GRANT ALL ON TABLES TO ${IMMICH_DB_USERNAME};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA vectors GRANT ALL ON SEQUENCES TO ${IMMICH_DB_USERNAME};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA vectors GRANT ALL ON FUNCTIONS TO ${IMMICH_DB_USERNAME};
+
+    ALTER DEFAULT PRIVILEGES IN SCHEMA earthdistance GRANT ALL ON TABLES TO ${IMMICH_DB_USERNAME};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA earthdistance GRANT ALL ON SEQUENCES TO ${IMMICH_DB_USERNAME};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA earthdistance GRANT ALL ON FUNCTIONS TO ${IMMICH_DB_USERNAME};
+EOSQL
+
+echo "Immich vector extensions enabled successfully!"
diff --git a/shlink/docker-compose.updated.yml b/shlink/docker-compose.updated.yml
new file mode 100644
index 0000000..7d752a8
--- /dev/null
+++ b/shlink/docker-compose.updated.yml
@@ -0,0 +1,27 @@
+services:
+  shlink:
+    image: shlinkio/shlink:4.5
+    container_name: shlink
+    restart: always
+    ports:
+      - "8085:8080"
+    environment:
+      DEFAULT_DOMAIN: ${SHLINK_DOMAIN}
+      IS_HTTPS_ENABLED: ${SHLINK_IS_HTTPS_ENABLED}
+      GEOLITE_LICENSE_KEY: ${SHLINK_GEOIP_LICENSE_KEY}
+      INITIAL_API_KEY: ${SHLINK_API_KEY}
+      DB_DRIVER: postgres
+      DB_HOST: shared-postgres
+      DB_PORT: 5432
+      DB_NAME: ${SHLINK_POSTGRES_DB}
+      DB_USER: ${SHLINK_POSTGRES_USER}
+      DB_PASSWORD: ${SHLINK_POSTGRES_PASSWORD}
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+    networks:
+      - postgres-network
+
+networks:
+  postgres-network:
+    external: true
diff --git a/spliit/docker-compose.updated.yml b/spliit/docker-compose.updated.yml
new file mode 100644
index 0000000..9d222cb
--- /dev/null
+++ b/spliit/docker-compose.updated.yml
@@ -0,0 +1,24 @@
+services:
+  spliit:
+    image: ghcr.io/spliit-app/spliit:1.18.0
+    restart: always
+    ports:
+      - 3001:3000
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+    env_file:
+      - .env
+    environment:
+      TZ: ${TZ}
+      POSTGRES_HOST: shared-postgres
+      POSTGRES_PORT: 5432
+      POSTGRES_DB: ${SPLIIT_POSTGRES_DB}
+      POSTGRES_USER: ${SPLIIT_POSTGRES_USER}
+      POSTGRES_PASSWORD: ${SPLIIT_POSTGRES_PASSWORD}
+    networks:
+      - postgres-network
+
+networks:
+  postgres-network:
+    external: true
diff --git a/synapse/docker-compose.updated.yml b/synapse/docker-compose.updated.yml
new file mode 100644
index 0000000..ceaf52a
--- /dev/null
+++ b/synapse/docker-compose.updated.yml
@@ -0,0 +1,105 @@
+services:
+  element-call-auth-service:
+    image: ghcr.io/element-hq/lk-jwt-service:0.3.0
+    container_name: element-call-jwt
+    hostname: auth-server
+    environment:
+      - LK_JWT_PORT=8080
+      - LIVEKIT_URL=https://${LIVEKIT_DOMAIN}/livekit/sfu
+      - LIVEKIT_KEY=devkey
+      - LIVEKIT_SECRET=${LIVEKIT_SECRET_KEY}
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=${MATRIX_DOMAIN}
+    restart: always
+    ports:
+      - 8071:8080
+
+  element-call-livekit:
+    image: livekit/livekit-server:v1.9.1
+    command: --config /etc/livekit.yaml
+    ports:
+      - "7880:7880/tcp"
+      - "7881:7881/tcp"
+      - "7882:7882/tcp"
+      - "50100-50200:50100-50200/udp"
+    restart: always
+    volumes:
+      - ${LIVEKIT_CONFIG_DIR}/config.yaml:/etc/livekit.yaml:ro
+
+  mautrix-signal:
+    container_name: mautrix-signal
+    image: dock.mau.dev/mautrix/signal:v0.8.7
+    restart: always
+    volumes:
+      - ${MAUTRIX_SIGNAL_DATA_DIR}:/data
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+    environment:
+      # Configure database connection for mautrix-signal
+      MAUTRIX_SIGNAL_DATABASE_TYPE: postgres
+      MAUTRIX_SIGNAL_DATABASE_URI: postgresql://${MAUTRIX_SIGNAL_POSTGRES_USER}:${MAUTRIX_SIGNAL_POSTGRES_PASSWORD}@shared-postgres:5432/${MAUTRIX_SIGNAL_POSTGRES_DB}?sslmode=disable
+    networks:
+      - postgres-network
+
+  mautrix-whatsapp:
+    container_name: mautrix-whatsapp
+    image: dock.mau.dev/mautrix/whatsapp:v0.12.5
+    restart: always
+    volumes:
+      - ${MAUTRIX_WHATSAPP_DATA_DIR}:/data
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+    environment:
+      # Configure database connection for mautrix-whatsapp
+      MAUTRIX_WHATSAPP_DATABASE_TYPE: postgres
+      MAUTRIX_WHATSAPP_DATABASE_URI: postgresql://${MAUTRIX_WHATSAPP_POSTGRES_USER}:${MAUTRIX_WHATSAPP_POSTGRES_PASSWORD}@shared-postgres:5432/${MAUTRIX_WHATSAPP_POSTGRES_DB}?sslmode=disable
+    networks:
+      - postgres-network
+
+  mas:
+    image: ghcr.io/element-hq/matrix-authentication-service:1.3.0
+    restart: always
+    working_dir: /config
+    volumes:
+      - ${MAS_CONFIG_DIR}:/config
+    environment:
+      MAS_CONFIG: /config/config.yaml
+      # Database connection will be configured in the MAS config file
+      MAS_DATABASE_URL: postgresql://${MAS_POSTGRES_USER}:${MAS_POSTGRES_PASSWORD}@shared-postgres:5432/${MAS_POSTGRES_DB}?sslmode=disable
+    ports:
+      - "8090:8090"
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+    networks:
+      - postgres-network
+
+  synapse:
+    container_name: synapse
+    image: matrixdotorg/synapse:v1.138.2
+    restart: always
+    volumes:
+      - ${SYNAPSE_CONFIG_DIR}:/data
+    ports:
+      - "8008:8008"
+    environment:
+      # Synapse database connection will be configured in homeserver.yaml
+      SYNAPSE_DATABASE_HOST: shared-postgres
+      SYNAPSE_DATABASE_PORT: 5432
+      SYNAPSE_DATABASE_USER: ${SYNAPSE_POSTGRES_USER}
+      SYNAPSE_DATABASE_PASSWORD: ${SYNAPSE_POSTGRES_PASSWORD}
+      SYNAPSE_DATABASE_NAME: ${SYNAPSE_POSTGRES_DB}
+    depends_on:
+      shared-postgres:
+        condition: service_healthy
+      mas:
+        condition: service_started
+      mautrix-whatsapp:
+        condition: service_started
+    networks:
+      - postgres-network
+
+networks:
+  postgres-network:
+    external: true