Add Immich Machine Learning as software option (ID 216)

- Add software descriptor for ID 216 in Cloud category (arm64/amd64)
- Add install block: downloads Immich source, installs uv, creates Python
  venv with ML deps via uv sync, sets up immich user/data dir/env file,
  enables ML in Immich server config if present, creates systemd service
- Add uninstall block with shared-user handling and ML disable in server conf
- Add immich-ml to dietpi-services
- Add CI test entry with QEMU hardening override in dietpi-software.bash
- Add URL checks for Immich version (216) and uv binary (216000)
- Add CHANGELOG and README entries

Co-authored-by: Joulinar <47155374+Joulinar@users.noreply.github.com>

Author: Copilot

.github/workflows/dietpi-software.bash

@@ -315,6 +315,7 @@ Process_Software()
 			213) aSERVICES[i]='soju' aTCP[i]='6667';;
 			214) aSERVICES[i]='whodb' aTCP[i]='8091';;
 			215) aSERVICES[i]='immich' aTCP[i]='2283';;
+			216) aSERVICES[i]='immich-ml' aTCP[i]='3003';;
 			*) :;;
 		esac
 		aINSTALL[i]=1
@@ -344,6 +345,7 @@ do
 		213) Process_Software 17 188;;
 		183) Process_Software 87;;
 		215) Process_Software 7 9 91 194;;
+		216) Process_Software 130;;
 		138|187) Process_Software 152;;
 		75) Process_Software 83 87 89;;
 		76) Process_Software 83 88 89;;
@@ -497,7 +499,7 @@ then
 	# Forky
 	if (( $dist > 8 ))
 	then
-		G_EXEC mkdir rootfs/etc/systemd/system/{mariadb,systemd-logind,apache2,mpd,vaultwarden,blynkserver,gogs,whodb,lazylibrarian,bazarr,immich}.service.d
+		G_EXEC mkdir rootfs/etc/systemd/system/{mariadb,systemd-logind,apache2,mpd,vaultwarden,blynkserver,gogs,whodb,lazylibrarian,bazarr,immich,immich-ml}.service.d
 		# ProtectHome/ProtectSystem/PrivateTmp/...: "Failed to set up mount namespacing: Invalid argument": https://github.com/systemd/systemd/issues/39951
 		G_EXEC eval 'echo -e '\''[Service]\nProtectHome=0\nProtectSystem=0'\'' > rootfs/etc/systemd/system/mariadb.service.d/dietpi-container.conf'
 		G_EXEC eval 'echo -e '\''[Service]\nProtectHome=0\nProtectSystem=0\nPrivateTmp=0\nReadWritePaths=\nProtectKernelModules=0\nProtectControlGroups=0\nProtectKernelLogs=0'\'' > rootfs/etc/systemd/system/systemd-logind.service.d/dietpi-container.conf'
@@ -511,6 +513,7 @@ then
 		G_EXEC eval 'echo -e '\''[Service]\nProtectSystem=0\nProtectHome=0\nPrivateTmp=0\nPrivateDevices=0\nProtectKernelModules=0\nProtectControlGroups=0\nProtectKernelTunables=0\nProtectKernelLogs=0\nReadWritePaths='\'' > rootfs/etc/systemd/system/lazylibrarian.service.d/dietpi-container.conf'
 		G_EXEC eval 'echo -e '\''[Service]\nProtectSystem=0\nProtectHome=0\nPrivateTmp=0\nPrivateDevices=0\nProtectControlGroups=0\nProtectKernelTunables=0\nReadWritePaths='\'' > rootfs/etc/systemd/system/bazarr.service.d/dietpi-container.conf'
 		G_EXEC eval 'echo -e '\''[Service]\nProtectSystem=0\nProtectHome=0\nPrivateTmp=0\nPrivateDevices=0\nProtectKernelModules=0\nProtectControlGroups=0\nProtectKernelTunables=0\nProtectKernelLogs=0\nReadWritePaths='\'' > rootfs/etc/systemd/system/immich.service.d/dietpi-container.conf'
+		G_EXEC eval 'echo -e '\''[Service]\nProtectSystem=0\nProtectHome=0\nPrivateTmp=0\nPrivateDevices=0\nProtectKernelModules=0\nProtectControlGroups=0\nProtectKernelTunables=0\nProtectKernelLogs=0\nReadWritePaths='\'' > rootfs/etc/systemd/system/immich-ml.service.d/dietpi-container.conf'
 
 		# /dev/console == /dev/pts/0 seen as "Inappropriate ioctl for device" leading to failing console-getty.service and StandardOutput=tty
 		G_EXEC eval 'echo -e '\''#!/bin/dash\nexec /boot/dietpi/dietpi-login > /dev/console 2>&1'\'' > rootfs/var/lib/dietpi/postboot.d/dietpi-login'

.github/workflows/update_urls.bash

@@ -370,6 +370,18 @@ aCHECK[$software_id]='curl -sSf '\''https://api.github.com/repos/WebAssembly/bin
 aARCH[$software_id]='aarch64 x86_64'
 aREGEX[$software_id]='https://github.com/WebAssembly/binaryen/releases/download/.*/binaryen-.*-$arch-linux.tar.gz'
 
+# Immich Machine Learning (same Immich release)
+software_id=216
+aCHECK[$software_id]='curl -sSf '\''https://api.github.com/repos/immich-app/immich/releases/latest'\'' | mawk -F\" '\''/^ *"tag_name": "[^"]*",$/{print $4}'\'
+aREGEX[$software_id]='version='\''[^'\'']*'\'
+aREPLACE[$software_id]='version='\''$release'\'
+
+# uv (for Immich Machine Learning)
+software_id=216000
+aCHECK[$software_id]='curl -sSf '\''https://api.github.com/repos/astral-sh/uv/releases/latest'\'' | mawk -F\" "/^ *\"browser_download_url\": \".*\/uv-$arch-unknown-linux-gnu\.tar\.gz\"$/{print \$4}"'
+aARCH[$software_id]='aarch64 x86_64'
+aREGEX[$software_id]='https://github.com/astral-sh/uv/releases/download/.*/uv-$arch-unknown-linux-gnu.tar.gz'
+
 ### URL check loop ###
 
 for i in "${!aCHECK[@]}"

CHANGELOG.txt

@@ -5,6 +5,7 @@ New images:
 
 New software:
 - Immich | This high performance self-hosted photo and video management solution has been added to our software catalogue. Available on x86_64 and ARMv8 only.
+- Immich Machine Learning | The machine learning server for Immich, enabling facial recognition and smart search via CLIP embeddings, has been added as a separate software option. It can be installed on the same system as Immich or on a remote machine. Available on x86_64 and ARMv8 only.
 - RustDesk Client: Client software for the RustDesk desktop sharing platform. Fits perfect to our software package "RustDesk Server". An X11 desktop needs to be installed or will be installed during the RustDesk Client installation process.
 
 Enhancements:

README.md

@@ -351,6 +351,7 @@ Links to hardware and software manufacturers, sources and build instructions use
 - [Uptime Kuma](https://github.com/louislam/uptime-kuma)
 - [WhoDB](https://github.com/clidey/whodb)
 - [Immich](https://github.com/immich-app/immich)
+- [Immich Machine Learning](https://github.com/immich-app/immich)
 - [RustDesk Client](https://github.com/rustdesk/rustdesk)
 
 ---

dietpi/dietpi-services

@@ -211,6 +211,7 @@ _EOF_
 			'filebrowser'
 			'ocis'
 			'immich'
+			'immich-ml'
 
 			# - Emulation/Gaming
 			'mineos'

dietpi/dietpi-software

@@ -871,6 +871,15 @@ Available commands:
 		(( $G_DISTRO < 8 )) && aSOFTWARE_AVAIL_G_DISTRO[$software_id,$G_DISTRO]=0
 		# VectorChord only provides packages for amd64 and arm64
 		(( $G_HW_ARCH == 3 || $G_HW_ARCH == 10 )) || aSOFTWARE_AVAIL_G_HW_ARCH[$software_id,$G_HW_ARCH]=0
+		#------------------
+		software_id=216
+		aSOFTWARE_NAME[$software_id]='Immich Machine Learning'
+		aSOFTWARE_DESC[$software_id]='Machine learning server for Immich facial recognition and smart search'
+		aSOFTWARE_CATX[$software_id]=4
+		aSOFTWARE_DOCS[$software_id]='https://dietpi.com/docs/software/cloud/#immich'
+		aSOFTWARE_DEPS[$software_id]='130'
+		# onnxruntime only provides packages for amd64 and arm64
+		(( $G_HW_ARCH == 3 || $G_HW_ARCH == 10 )) || aSOFTWARE_AVAIL_G_HW_ARCH[$software_id,$G_HW_ARCH]=0
 
 		# Gaming & Emulation
 		#--------------------------------------------------------------------------------
@@ -12182,6 +12191,93 @@ ProtectClock=1
 NoNewPrivileges=1
 ReadWritePaths=-/mnt/dietpi_userdata/immich
 
+[Install]
+WantedBy=multi-user.target
+_EOF_
+		fi
+
+		if To_Install 216 immich-ml # Immich Machine Learning
+		then
+			# Download Immich source (machine-learning directory only)
+			local version=$(curl -sSfL 'https://api.github.com/repos/immich-app/immich/releases/latest' | mawk -F\" '/^ *"tag_name": "[^"]*",$/{print $4}')
+			[[ $version ]] || { version='v2.5.6'; G_DIETPI-NOTIFY 1 "Automatic latest ${aSOFTWARE_NAME[$software_id]} version detection failed. Version \"$version\" will be installed as fallback, but a newer version might be available. Please report this at: https://github.com/MichaIng/DietPi/issues"; }
+			aDEPS=('libgl1' 'libglib2.0-0' 'libgomp1')
+			Download_Install "https://github.com/immich-app/immich/archive/$version.tar.gz"
+			[[ -d '/opt/immich-ml' ]] && G_EXEC rm -R /opt/immich-ml
+			G_EXEC mv "immich-${version#v}/machine-learning" /opt/immich-ml
+			G_EXEC rm -R "immich-${version#v}"
+
+			# Install uv: https://github.com/astral-sh/uv
+			# NB: fallback_url is used by Download_Install when the dynamic URL detection fails
+			local arch='x86_64'
+			(( $G_HW_ARCH == 3 )) && arch='aarch64'
+			local fallback_url="https://github.com/astral-sh/uv/releases/download/0.8.15/uv-$arch-unknown-linux-gnu.tar.gz"
+			Download_Install "$(curl -sSfL 'https://api.github.com/repos/astral-sh/uv/releases/latest' | mawk -F\" "/^ *\"browser_download_url\": \".*\/uv-$arch-unknown-linux-gnu\.tar\.gz\"$/{print \$4}")"
+			G_EXEC mv uv /usr/local/bin/uv
+			G_EXEC rm -f uvx
+
+			# Install Python dependencies into a virtual environment
+			# NB: Python 3 (dep 130) provides Python >= 3.11 on Bookworm and Trixie, satisfying the ML requirement
+			# NB: --no-python-downloads prevents uv from fetching a Python runtime; uses system Python only
+			G_EXEC cd /opt/immich-ml
+			G_EXEC_OUTPUT=1 G_EXEC uv sync --frozen --extra cpu --no-dev --compile-bytecode --no-progress --no-python-downloads
+			G_EXEC cd "$G_WORKING_DIR"
+
+			# User: Reuse immich user if available, else create it
+			Create_User -d /mnt/dietpi_userdata/immich immich
+
+			# Data directory
+			G_EXEC mkdir -p /mnt/dietpi_userdata/immich/model-cache
+			G_EXEC chown -R immich:immich /mnt/dietpi_userdata/immich
+
+			# Env file
+			if [[ ! -f '/mnt/dietpi_userdata/immich/immich-ml.env' ]]
+			then
+				G_EXEC install -g immich -m 0640 /dev/null /mnt/dietpi_userdata/immich/immich-ml.env
+				cat << '_EOF_' > /mnt/dietpi_userdata/immich/immich-ml.env || exit 1
+# Immich Machine Learning port and bind host (use 127.0.0.1 for local, 0.0.0.0 for remote ML)
+IMMICH_PORT=3003
+IMMICH_HOST=127.0.0.1
+
+# Log level: verbose, debug, log, warn, error, fatal
+IMMICH_LOG_LEVEL=warn
+
+# Cache directory for downloaded AI model files
+MACHINE_LEARNING_CACHE_FOLDER=/mnt/dietpi_userdata/immich/model-cache
+_EOF_
+			fi
+
+			# Enable machine learning in Immich server config if present (no-op for standalone ML setups)
+			[[ -f '/mnt/dietpi_userdata/immich/immich.env' ]] && G_CONFIG_INJECT 'IMMICH_MACHINE_LEARNING_ENABLED=' 'IMMICH_MACHINE_LEARNING_ENABLED=true' /mnt/dietpi_userdata/immich/immich.env
+
+			# Service
+			cat << '_EOF_' > /etc/systemd/system/immich-ml.service || exit 1
+[Unit]
+Description=Immich Machine Learning (DietPi)
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+SyslogIdentifier=Immich-ML
+User=immich
+WorkingDirectory=/opt/immich-ml
+Environment=NO_COLOR=true
+EnvironmentFile=/mnt/dietpi_userdata/immich/immich-ml.env
+ExecStart=/opt/immich-ml/.venv/bin/python -m immich_ml
+
+# Hardening
+ProtectSystem=strict
+ProtectHome=1
+PrivateDevices=1
+PrivateTmp=1
+ProtectKernelTunables=1
+ProtectKernelModules=1
+ProtectControlGroups=1
+ProtectKernelLogs=1
+ProtectClock=1
+NoNewPrivileges=1
+ReadWritePaths=-/mnt/dietpi_userdata/immich
+
 [Install]
 WantedBy=multi-user.target
 _EOF_
@@ -14690,6 +14786,17 @@ _EOF_
 			[[ -d '/mnt/dietpi_userdata/immich' ]] && G_WHIP_BUTTON_CANCEL_TEXT='Skip' G_WHIP_YESNO "Shall all ${aSOFTWARE_NAME[$software_id]} data at /mnt/dietpi_userdata/immich be removed as well?" && G_EXEC rm -R /mnt/dietpi_userdata/immich
 		fi
 
+		if To_Uninstall 216 # Immich Machine Learning
+		then
+			Remove_Service immich-ml
+			[[ -d '/opt/immich-ml' ]] && G_EXEC rm -Rf /opt/immich-ml
+			# Disable machine learning in Immich server config if still installed
+			[[ -f '/mnt/dietpi_userdata/immich/immich.env' ]] && G_CONFIG_INJECT 'IMMICH_MACHINE_LEARNING_ENABLED=' 'IMMICH_MACHINE_LEARNING_ENABLED=false' /mnt/dietpi_userdata/immich/immich.env
+			# Remove immich user and group only if main Immich is not installed
+			(( ${aSOFTWARE_INSTALL_STATE[215]} > 0 )) || { getent passwd immich > /dev/null && G_EXEC userdel immich; getent group immich > /dev/null && G_EXEC groupdel immich; }
+			[[ -d '/mnt/dietpi_userdata/immich' ]] && G_WHIP_BUTTON_CANCEL_TEXT='Skip' G_WHIP_YESNO "Shall all ${aSOFTWARE_NAME[$software_id]} data at /mnt/dietpi_userdata/immich be removed as well?" && G_EXEC rm -R /mnt/dietpi_userdata/immich
+		fi
+
 		if To_Uninstall 169 # LazyLibrarian
 		then
 			Remove_Service lazylibrarian 1 1