fix: podman integration

roles/immich/defaults/main.yml

@@ -9,13 +9,13 @@ immich_upload_location: "{{ podman_projects_dir }}/immich/data/upload"
 immich_postgres_db_name: immich
 immich_postgres_user: immich
 # immich_postgres_password: ""  # Intentionally undefined - role will fail if not set
-# immich_postgres_host: ""  # Must be set in inventory (e.g., podman_gw_gateway)
+# immich_postgres_host: ""  # Must be set in inventory (e.g., "{{ podman_gw_gateway }}" to reach host postgres)
 immich_postgres_port: 5432
 
 # Valkey configuration (REQUIRED password - must be set explicitly)
 immich_valkey_user: immich
 # immich_valkey_password: ""  # Intentionally undefined - role will fail if not set
-# immich_valkey_host: ""  # Must be set in inventory (e.g., podman_gw_gateway)
+# immich_valkey_host: ""  # Must be set in inventory (e.g., "{{ podman_gw_gateway }}" to reach host valkey)
 immich_valkey_port: 6379
 immich_valkey_db: 0 # Dedicated database number for isolation (0-15)
 

roles/immich/tasks/main.yml

@@ -57,6 +57,18 @@
     - earthdistance
     - vector
 
+- name: Update PostgreSQL extensions to latest available version
+  community.postgresql.postgresql_query:
+    login_db: "{{ immich_postgres_db_name }}"
+    query: "ALTER EXTENSION {{ item }} UPDATE"
+  become: false
+  become_user: "{{ postgres_admin_user | default('postgres') }}"
+  loop:
+    - cube
+    - earthdistance
+    - vector
+  changed_when: false
+
 - name: Grant schema permissions to Immich user
   community.postgresql.postgresql_privs:
     login_db: "{{ immich_postgres_db_name }}"
@@ -144,6 +156,12 @@
   become: false
   become_user: "{{ ansible_user }}"
 
+- name: Provision TLS certificate for Immich
+  ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
+  vars:
+    certbot_hostname: "{{ immich_nginx_hostname }}"
+  when: immich_nginx_enabled
+
 - name: Deploy nginx vhost configuration for Immich
   ansible.builtin.template:
     src: nginx-vhost.conf.j2

roles/immich/templates/immich.service.j2

@@ -5,7 +5,7 @@ Description=Immich Media Server
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory={{ podman_projects_dir | default('/opt/podman') }}/immich
-ExecStart=/usr/bin/podman play kube --replace immich.yaml
+ExecStart=/usr/bin/podman play kube --replace --network=pasta:--map-host-loopback={{ podman_gw_gateway }} immich.yaml
 ExecStop=/usr/bin/podman play kube --down immich.yaml
 Restart=on-failure
 RestartSec=10

roles/immich/templates/immich.yaml.j2

@@ -5,9 +5,6 @@ metadata:
   name: immich
   labels:
     app: immich
-  annotations:
-    io.podman.annotations.network.mode: bridge
-    io.podman.annotations.network.name: podman-gw
 spec:
   containers:
     - name: server