Running the pod with no access to outside

[oryjkov]

Since there is no need for any of the immich containers to initiate connections to the outside world I've modified this pod setup to run without external network, i.e. Network=none in the pod config. This was prompted by the latest "immich buy me a license" nag, but it seems like a good idea on its own.

Access from outside to the immich server is done using "systemd socket activation". I've set it up in a way where a new nginx container runs in the pod. It takes 2 sockets from systemd (one for immich web, another for postgres db for backups) and proxies the connection to the appropriate pod ports via loopback.

Since I ended up using these configs as a starting point I would be happy to contribute my changes back if there is interest.

The setup works fine, the only relevant immich log is about a failure to check for a new github release.

[jbtrystram]

Contributions are welcome! Please open a PR ! At least we can document your approach, it's interesting

[jbtrystram]

I reviewed the PR. On a side note, this won't prevent the "buy a licence prompt", as everything is local.