immich-app · zackpollard · Mar 5, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
@@ -0,0 +1,72 @@
+name: Build and Push outline-role-sync Image
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  pre-job:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+    steps:
+      - name: Check what should run
+        id: check
+        uses: immich-app/devtools/actions/pre-job@eed0f8b8165ffcb951f2ba854b2dd031935e1d73 # pre-job-action-v2.0.2
+        with:
+          github-token: ${{ github.token }}
+          filters: |
+            outline-role-sync:
+              - 'services/outline-role-sync/**'
+              - '.github/workflows/build-outline-role-sync.yml'
+
+  build_and_push:
+    needs: [pre-job]
+    permissions:
+      packages: write
+    if: ${{ fromJSON(needs.pre-job.outputs.should_run).outline-role-sync == true }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate docker image tags
+        id: metadata
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        with:
+          flavor: |
+            # Disable latest tag
+            latest=false
+          images: |
+            name=ghcr.io/${{ github.repository_owner }}/outline-role-sync
+
+      - name: Build and push image
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        with:
+          context: ./services/outline-role-sync
+          platforms: linux/amd64
+          push: ${{ !github.event.pull_request.head.repo.fork && steps.metadata.outputs.tags != '' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
@@ -7,3 +7,4 @@ resources:
   - ./discord-bot/ks.yaml
   - ./containerssh/ks.yaml
   - ./outline/ks.yaml
+  - ./outline-role-sync/ks.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: outline-role-sync
+  namespace: tools
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      outline-role-sync:
+        containers:
+          app:
+            image:
+              repository: ghcr.io/immich-app/outline-role-sync
+              tag: main
+              pullPolicy: Always
+            env:
+              OUTLINE_BASE_URL: "https://outline.immich.cloud"
+              ZITADEL_BASE_URL: "https://zitadel.internal.immich.cloud"
+              PORT: "8080"
+            envFrom:
+              - secretRef:
+                  name: outline-role-sync
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: 8080
+                  periodSeconds: 30
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: 8080
+                  periodSeconds: 10
+    service:
+      app:
+        controller: outline-role-sync
+        ports:
+          http:
+            port: 8080
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app outline-role-sync-secrets
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets-stores
+  path: ./kubernetes/apps/tools/outline-role-sync/secrets
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: immich-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app outline-role-sync
+  namespace: flux-system
+spec:
+  targetNamespace: tools
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: outline-role-sync-secrets
+    - name: outline
+  path: ./kubernetes/apps/tools/outline-role-sync/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: immich-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: outline-role-sync
+  namespace: tools
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p-tf
+  refreshInterval: "20s"
+  data:
+    - secretKey: OUTLINE_API_TOKEN
+      remoteRef:
+        key: OUTLINE_ROLE_SYNC_OUTLINE_API_TOKEN
+    - secretKey: OUTLINE_WEBHOOK_SECRET
+      remoteRef:
+        key: OUTLINE_ROLE_SYNC_WEBHOOK_SECRET
+    - secretKey: ZITADEL_SERVICE_ACCOUNT_TOKEN
+      remoteRef:
+        key: OUTLINE_ROLE_SYNC_ZITADEL_TOKEN
+    - secretKey: ZITADEL_OUTLINE_PROJECT_ID
+      remoteRef:
+        key: OUTLINE_ROLE_SYNC_ZITADEL_PROJECT_ID
@@ -0,0 +1,14 @@
+FROM denoland/deno:2.1.4
+
+WORKDIR /app
+
+COPY deno.json .
+COPY src/ src/
+
+RUN deno cache src/main.ts
+
+USER deno
+
+EXPOSE 8080
+
+CMD ["deno", "run", "--allow-net", "--allow-env", "src/main.ts"]
@@ -0,0 +1,9 @@
+{
+  "tasks": {
+    "start": "deno run --allow-net --allow-env src/main.ts",
+    "dev": "deno run --watch --allow-net --allow-env src/main.ts"
+  },
+  "compilerOptions": {
+    "strict": true
+  }
+}