diff --git a/apps/immich/README.md b/apps/immich/README.md
new file mode 100644
index 0000000..5787be4
--- /dev/null
+++ b/apps/immich/README.md
@@ -0,0 +1 @@
+# Immich App
diff --git a/apps/immich/config/example.env b/apps/immich/config/example.env
new file mode 100644
index 0000000..c78df0d
--- /dev/null
+++ b/apps/immich/config/example.env
@@ -0,0 +1,32 @@
+# Config
+IMMICH_DOMAIN=immich.$DOMAIN
+IMMICH_STORAGE=100Gi
+IMMICH_CACHE_STORAGE=10Gi
+TZ=UTC
+
+# Docker Images
+IMMICH_SERVER_IMAGE=ghcr.io/immich-app/immich-server:release
+IMMICH_ML_IMAGE=ghcr.io/immich-app/immich-machine-learning:release
+
+# Database Configuration
+DB_HOSTNAME=postgres.postgres
+DB_PORT=5432
+DB_USERNAME=immich
+DB_DATABASE_NAME=immich
+POSTGRES_ADMIN_USER=$POSTGRES_USER
+
+# Redis Configuration
+REDIS_HOSTNAME=redis.redis
+REDIS_PORT=6379
+
+# Machine Learning Configuration
+MACHINE_LEARNING_WORKERS=1
+MACHINE_LEARNING_MODEL_TTL=300
+
+# Immich Configuration
+IMMICH_ENV=production
+IMMICH_LOG_LEVEL=info
+
+# Secrets (populate these in config.env and secrets.env)
+DB_PASSWORD=
+POSTGRES_ADMIN_PASSWORD=$POSTGRES_PASSWORD
\ No newline at end of file
diff --git a/apps/immich/deployment.yaml b/apps/immich/deployment.yaml
new file mode 100644
index 0000000..0c7fbd1
--- /dev/null
+++ b/apps/immich/deployment.yaml
@@ -0,0 +1,138 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: immich-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: immich-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: immich-server
+        component: server
+    spec:
+      containers:
+        - image: ghcr.io/immich-app/immich-server:release
+          name: immich-server
+          ports:
+            - containerPort: 2283
+              protocol: TCP
+          envFrom:
+            - secretRef:
+                name: secrets
+            - configMapRef:
+                name: config
+          env:
+            - name: REDIS_HOSTNAME
+              value: redis.redis
+            - name: DB_HOSTNAME
+              value: postgres.postgres
+            - name: TZ
+              valueFrom:
+                configMapKeyRef:
+                  key: TZ
+                  name: config
+          volumeMounts:
+            - mountPath: /usr/src/app/upload
+              name: immich-storage
+              readOnly: false
+      volumes:
+        - name: immich-storage
+          persistentVolumeClaim:
+            claimName: immich-pvc
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: immich-microservices
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: immich-microservices
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: immich-microservices
+        component: microservices
+    spec:
+      containers:
+        - image: ghcr.io/immich-app/immich-server:release
+          name: immich-microservices
+          envFrom:
+            - secretRef:
+                name: secrets
+            - configMapRef:
+                name: config
+          env:
+            - name: REDIS_HOSTNAME
+              value: redis.redis
+            - name: DB_HOSTNAME
+              value: postgres.postgres
+            - name: TZ
+              valueFrom:
+                configMapKeyRef:
+                  key: TZ
+                  name: config
+            - name: IMMICH_WORKERS_INCLUDE
+              value: api
+          volumeMounts:
+            - mountPath: /usr/src/app/upload
+              name: immich-storage
+              readOnly: false
+      volumes:
+        - name: immich-storage
+          persistentVolumeClaim:
+            claimName: immich-pvc
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: immich-machine-learning
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: immich-machine-learning
+  template:
+    metadata:
+      labels:
+        app: immich-machine-learning
+        component: machine-learning
+    spec:
+      containers:
+        - image: ghcr.io/immich-app/immich-machine-learning:release
+          name: immich-machine-learning
+          ports:
+            - containerPort: 3003
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: config
+          env:
+            - name: TZ
+              valueFrom:
+                configMapKeyRef:
+                  key: TZ
+                  name: config
+          volumeMounts:
+            - mountPath: /cache
+              name: immich-cache
+              readOnly: false
+      volumes:
+        - name: immich-cache
+          persistentVolumeClaim:
+            claimName: immich-cache-pvc
\ No newline at end of file
diff --git a/apps/immich/ingress.yaml b/apps/immich/ingress.yaml
new file mode 100644
index 0000000..c956c77
--- /dev/null
+++ b/apps/immich/ingress.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: immich-public
+  annotations:
+    external-dns.alpha.kubernetes.io/target: your.immich.domain
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
+spec:
+  rules:
+    - host: your.immich.domain
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: immich-server
+                port:
+                  number: 3001
+  tls:
+    - secretName: wildcard-internal-sovereign-cloud-tls
+      hosts:
+        - your.immich.domain
\ No newline at end of file
diff --git a/apps/immich/init/db-init-job.yaml b/apps/immich/init/db-init-job.yaml
new file mode 100644
index 0000000..4ce3854
--- /dev/null
+++ b/apps/immich/init/db-init-job.yaml
@@ -0,0 +1,62 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: immich-db-init
+spec:
+  template:
+    spec:
+      containers:
+        - name: db-init
+          image: postgres:15
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              PGPASSWORD=${POSTGRES_ADMIN_PASSWORD} psql -h ${DB_HOSTNAME} -U postgres <<EOF
+              DO \$\$
+              BEGIN
+                IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '${DB_USERNAME}') THEN
+                  CREATE USER ${DB_USERNAME} WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';
+                ELSE
+                  ALTER USER ${DB_USERNAME} WITH ENCRYPTED PASSWORD '${DB_PASSWORD}';
+                END IF;
+              END
+              \$\$;
+              
+              SELECT 'CREATE DATABASE ${DB_DATABASE_NAME}' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${DB_DATABASE_NAME}')\gexec
+              ALTER DATABASE ${DB_DATABASE_NAME} OWNER TO ${DB_USERNAME};
+              GRANT ALL PRIVILEGES ON DATABASE ${DB_DATABASE_NAME} TO ${DB_USERNAME};
+              EOF
+              
+              # Connect to the immich database and enable required extensions
+              PGPASSWORD=${POSTGRES_ADMIN_PASSWORD} psql -h ${DB_HOSTNAME} -U postgres -d ${DB_DATABASE_NAME} <<EOF
+              CREATE EXTENSION IF NOT EXISTS vector;
+              CREATE EXTENSION IF NOT EXISTS cube;
+              CREATE EXTENSION IF NOT EXISTS earthdistance;
+              EOF
+          env:
+            - name: POSTGRES_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: secrets
+                  key: POSTGRES_ADMIN_PASSWORD
+            - name: DB_HOSTNAME
+              valueFrom:
+                configMapKeyRef:
+                  name: config
+                  key: DB_HOSTNAME
+            - name: DB_DATABASE_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: config
+                  key: DB_DATABASE_NAME
+            - name: DB_USERNAME
+              valueFrom:
+                configMapKeyRef:
+                  name: config
+                  key: DB_USERNAME
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: secrets
+                  key: DB_PASSWORD
+      restartPolicy: OnFailure
\ No newline at end of file
diff --git a/apps/immich/init/kustomization.yaml b/apps/immich/init/kustomization.yaml
new file mode 100644
index 0000000..0630596
--- /dev/null
+++ b/apps/immich/init/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - db-init-job.yaml
\ No newline at end of file
diff --git a/apps/immich/kustomization.yaml b/apps/immich/kustomization.yaml
new file mode 100644
index 0000000..a6d5ab8
--- /dev/null
+++ b/apps/immich/kustomization.yaml
@@ -0,0 +1,87 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: immich
+labels:
+  - includeSelectors: true
+    pairs:
+      app: immich
+      managedBy: kustomize
+      partOf: sovereign-cloud
+resources:
+  - deployment.yaml
+  - ingress.yaml
+  - namespace.yaml
+  - pvc.yaml
+  - service.yaml
+  - init/
+configMapGenerator:
+  - name: config
+    envs:
+      - config/config.env
+secretGenerator:
+  - name: secrets
+    envs:
+      - config/secrets.env
+
+replacements:
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.DOMAIN
+    targets:
+      - select:
+          kind: Ingress
+          name: immich-public
+        fieldPaths:
+          - metadata.annotations.[external-dns.alpha.kubernetes.io/target]
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.IMMICH_DOMAIN
+    targets:
+      - select:
+          kind: Ingress
+          name: immich-public
+        fieldPaths:
+          - spec.rules.0.host
+          - spec.tls.0.hosts.0
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.IMMICH_STORAGE
+    targets:
+      - select:
+          kind: PersistentVolumeClaim
+          name: immich-pvc
+        fieldPaths:
+          - spec.resources.requests.storage
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.IMMICH_CACHE_STORAGE
+    targets:
+      - select:
+          kind: PersistentVolumeClaim
+          name: immich-cache-pvc
+        fieldPaths:
+          - spec.resources.requests.storage
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.IMMICH_SERVER_IMAGE
+    targets:
+      - select:
+          kind: Deployment
+          name: immich-server
+        fieldPaths:
+          - spec.template.spec.containers.0.image
+  - source:
+      kind: ConfigMap
+      name: config
+      fieldPath: data.IMMICH_ML_IMAGE
+    targets:
+      - select:
+          kind: Deployment
+          name: immich-machine-learning
+        fieldPaths:
+          - spec.template.spec.containers.0.image
\ No newline at end of file
diff --git a/apps/immich/manifest.yaml b/apps/immich/manifest.yaml
new file mode 100644
index 0000000..c720d94
--- /dev/null
+++ b/apps/immich/manifest.yaml
@@ -0,0 +1,8 @@
+name: immich
+install: true
+description: Immich is a self-hosted photo and video backup solution that allows you to store, manage, and share your media files securely.
+version: 1.0.0
+icon: https://immich.app/assets/images/logo.png
+requires:
+  - name: redis
+  - name: postgres
diff --git a/apps/immich/namespace.yaml b/apps/immich/namespace.yaml
new file mode 100644
index 0000000..7829a88
--- /dev/null
+++ b/apps/immich/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: immich
\ No newline at end of file
diff --git a/apps/immich/pvc.yaml b/apps/immich/pvc.yaml
new file mode 100644
index 0000000..c38967d
--- /dev/null
+++ b/apps/immich/pvc.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-pvc
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 250Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-cache-pvc
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
diff --git a/apps/immich/service.yaml b/apps/immich/service.yaml
new file mode 100644
index 0000000..476f257
--- /dev/null
+++ b/apps/immich/service.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-server
+  namespace: immich
+  labels:
+    app: immich-server
+spec:
+  ports:
+    - port: 3001
+      targetPort: 2283
+  selector:
+    app: immich
+    component: server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-machine-learning
+  namespace: immich
+  labels:
+    app: immich-machine-learning
+spec:
+  ports:
+    - port: 3003
+  selector:
+    app: immich
+    component: machine-learning
diff --git a/infrastructure_setup/coredns/coredns-custom-config.yaml b/infrastructure_setup/coredns/coredns-custom-config.yaml
index 728a2d8..3bd7f43 100644
--- a/infrastructure_setup/coredns/coredns-custom-config.yaml
+++ b/infrastructure_setup/coredns/coredns-custom-config.yaml
@@ -16,6 +16,10 @@ data:
         match (.*)\.internal\.cloud\.payne\.io\.
         answer "{{ .Name }} 60 IN A 192.168.8.240"
       }
+      template IN AAAA {
+        match (.*)\.internal\.cloud\.payne\.io\.
+        rcode NXDOMAIN
+      }
     }
   # Custom override to set external resolvers.
   external.override: |