chore(deps): update helm release cilium to v1.19.3

This reverts commit 775a28e4bb.

k8s-peterg/alloy/configmap.yaml

@@ -6,6 +6,11 @@ metadata:
 data:
   config.alloy: |-
     prometheus.exporter.unix "node" {
+      set_collectors = [
+        "cpu", "diskstats", "filesystem", "loadavg",
+        "meminfo", "netdev", "netstat", "os",
+        "pressure", "processes", "stat", "uname", "vmstat",
+      ]
     }
 
     discovery.kubernetes "kubernetes_apiservers" {
@@ -141,6 +146,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "kubernetes_services" {
@@ -249,6 +259,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "pod_logs" {
@@ -298,6 +313,11 @@ data:
         target_label  = "__path__"
         replacement   = "/var/log/pods/*$1/*.log"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     local.file_match "pod_logs" {
@@ -352,9 +372,19 @@ data:
       }
     }
 
+    prometheus.relabel "cadvisor" {
+      forward_to = [prometheus.remote_write.default.receiver]
+
+      rule {
+        source_labels = ["__name__"]
+        regex         = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)"
+        action        = "keep"
+      }
+    }
+
     prometheus.scrape "kubernetes_nodes_cadvisor" {
       targets    = discovery.relabel.kubernetes_nodes_cadvisor.output
-      forward_to = [prometheus.remote_write.default.receiver]
+      forward_to = [prometheus.relabel.cadvisor.receiver]
       job_name   = "kubernetes-nodes-cadvisor"
       scheme     = "https"
 

k8s-peterg/argo-workflows/kustomization.yaml

@@ -11,5 +11,5 @@ helmCharts:
     repo: https://argoproj.github.io/argo-helm
     namespace: argo-workflows
     releaseName: argo-workflows
-    version: 1.0.7
+    version: 1.0.13
     valuesFile: values.yaml

k8s-peterg/argo-workflows/secrets.yaml

@@ -22,6 +22,7 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
+        nullBytePolicy: Ignore
     - secretKey: client-secret
       remoteRef:
         key: secrets/managed/argo-workflows/authentik-sso
@@ -29,3 +30,4 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
+        nullBytePolicy: Ignore

k8s-peterg/argocd/applications-peterg.yaml

@@ -99,3 +99,22 @@ spec:
       selfHeal: true
     syncOptions:
       - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-peterg/renovate-operator
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: renovate-operator
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

k8s-peterg/argocd/applications-wheatley.yaml

@@ -143,6 +143,25 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+  name: lidarr
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-wheatley/lidarr
+    targetRevision: HEAD
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: lidarr
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
   name: prowlarr
   namespace: argocd

k8s-peterg/argocd/oidc.yaml

@@ -27,28 +27,3 @@ spec:
       remoteRef:
         key: secrets/managed/argocd/authentik-oidc-credentials
         property: clientSecret
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argo-workflows-sso
-  namespace: argocd
-spec:
-  secretStoreRef:
-    name: vault-wheatley
-    kind: ClusterSecretStore
-  target:
-    name: argo-workflows-sso
-    template:
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argo-workflows
-  data:
-    - secretKey: client-id
-      remoteRef:
-        key: secrets/managed/argo-workflows/dex-sso
-        property: client-id
-    - secretKey: client-secret
-      remoteRef:
-        key: secrets/managed/argo-workflows/dex-sso
-        property: client-secret

k8s-peterg/external-secrets-operator/clustersecrets.yaml

@@ -27,6 +27,7 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore
       - secretKey: key
         remoteRef:
           key: secrets/provisioned/tls-wildcard-peterg-nl
@@ -34,3 +35,4 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore

k8s-peterg/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.3.0
+    version: 2.4.0

k8s-peterg/renovate-operator/configmap.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renovate-config
+  namespace: renovate-operator
+data:
+  config.js: |-
+    module.exports = {
+      platform: 'forgejo',
+      endpoint: 'https://code.peterg.nl/api/v1/',
+      gitAuthor: 'Renovate <renovate@peterg.nl>',
+      username: 'renovate',
+      onboardingConfig: {
+        $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+        extends: ['config:recommended'],
+      },
+      optimizeForDisabled: true,
+      persistRepoData: true,
+    };

k8s-peterg/renovate-operator/kustomization.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate-operator
+
+resources:
+  - configmap.yaml
+  - namespace.yaml
+  - policies.yaml
+  - renovate-job.yaml
+  - secrets.yaml
+
+helmCharts:
+  - name: renovate-operator
+    repo: https://helm.mogenius.com/public
+    namespace: renovate-operator
+    releaseName: renovate-operator
+    version: "4.7.0"
+    valuesFile: values.yaml

k8s-peterg/renovate-operator/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: renovate-operator

k8s-peterg/renovate-operator/policies.yaml

@@ -0,0 +1,37 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/8
+              - 192.168.0.0/16
+              - 172.16.0.0/12
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: kubernetes-egress
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+        - podSelector:
+            matchLabels:
+              k8s-app: kube-apiserver
+    - ports:
+        - protocol: TCP
+          port: 6443

k8s-peterg/renovate-operator/renovate-job.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: renovate-operator.mogenius.com/v1alpha1
+kind: RenovateJob
+metadata:
+  name: renovate
+  namespace: renovate-operator
+spec:
+  schedule: "0 * * * *"
+  provider:
+    name: forgejo
+    endpoint: https://code.peterg.nl/api/v1/
+  image: ghcr.io/renovatebot/renovate:43.161.0
+  secretRef: renovate-operator-secrets
+  parallelism: 1
+  skipForks: true
+  extraVolumes:
+    - name: renovate-config
+      configMap:
+        name: renovate-config
+  extraVolumeMounts:
+    - name: renovate-config
+      mountPath: /config
+  extraEnv:
+    - name: LOG_LEVEL
+      value: debug
+    - name: RENOVATE_CONFIG_FILE
+      value: /config/config.js

k8s-peterg/renovate-operator/secrets.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-operator-secrets
+  namespace: renovate-operator
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: renovate-operator-secrets
+  data:
+    - secretKey: RENOVATE_TOKEN
+      remoteRef:
+        key: /secrets/managed/renovate/token
+        property: RENOVATE_TOKEN
+    - secretKey: GITHUB_COM_TOKEN
+      remoteRef:
+        key: /secrets/managed/renovate/token
+        property: GITHUB_COM_TOKEN

k8s-peterg/renovate-operator/values.yaml

@@ -0,0 +1,20 @@
+fullnameOverride: "renovate-operator"
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: false
+
+crd:
+  install: true
+  mode: template
+
+rbac:
+  ownNamespaceOnly: true
+
+route:
+  enabled: true
+  hostnames:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https

k8s-peterg/vault-wheatley-approle.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-data:
-  approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
-  approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
-kind: Secret
-metadata:
-  name: vault-wheatley-approle
-  namespace: external-secrets
-type: Opaque

k8s-wheatley/alloy/configmap.yaml

@@ -5,7 +5,13 @@ metadata:
   name: alloy-config
 data:
   config.alloy: |-
-    prometheus.exporter.unix "node" {}
+    prometheus.exporter.unix "node" {
+      set_collectors = [
+        "cpu", "diskstats", "filesystem", "loadavg",
+        "meminfo", "netdev", "netstat", "os",
+        "pressure", "processes", "stat", "uname", "vmstat",
+      ]
+    }
 
     discovery.kubernetes "kubernetes_apiservers" {
       role = "endpoints"
@@ -152,6 +158,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "kubernetes_services" {
@@ -260,6 +271,11 @@ data:
         source_labels = ["__meta_kubernetes_pod_node_name"]
         target_label  = "node"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     discovery.relabel "pod_logs" {
@@ -309,6 +325,11 @@ data:
         target_label  = "__path__"
         replacement   = "/var/log/pods/*$1/*.log"
       }
+
+      rule {
+        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
+        action = "labeldrop"
+      }
     }
 
     local.file_match "pod_logs" {
@@ -369,9 +390,19 @@ data:
       }
     }
 
+    prometheus.relabel "cadvisor" {
+      forward_to = [prometheus.remote_write.default.receiver]
+
+      rule {
+        source_labels = ["__name__"]
+        regex         = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)"
+        action        = "keep"
+      }
+    }
+
     prometheus.scrape "kubernetes_nodes_cadvisor" {
       targets    = discovery.relabel.kubernetes_nodes_cadvisor.output
-      forward_to = [prometheus.remote_write.default.receiver]
+      forward_to = [prometheus.relabel.cadvisor.receiver]
       job_name   = "kubernetes-nodes-cadvisor"
       scheme     = "https"
       clustering {

k8s-wheatley/external-secrets-operator/clustersecrets.yaml

@@ -27,6 +27,7 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore
       - secretKey: key
         remoteRef:
           key: secrets/provisioned/tls-wildcard-wheatley-in
@@ -34,3 +35,4 @@ spec:
           conversionStrategy: Default
           decodingStrategy: None
           metadataPolicy: None
+          nullBytePolicy: Ignore

k8s-wheatley/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.3.0
+    version: 2.4.0

k8s-wheatley/lidarr/configmap.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: lidarr-envs
+data:
+  PUID: "1000"
+  PGID: "1000"
+  TZ: Europe/Amsterdam

k8s-wheatley/lidarr/deployments.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: lidarr
+  labels:
+    app: lidarr
+spec:
+  replicas: 1
+  serviceName: lidarr
+  selector:
+    matchLabels:
+      app: lidarr
+  template:
+    metadata:
+      labels:
+        app: lidarr
+    spec:
+      containers:
+        - name: lidarr
+          image: linuxserver/lidarr
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8686
+          envFrom:
+            - configMapRef:
+                name: lidarr-envs
+          volumeMounts:
+            - mountPath: /config
+              name: lidarr-config
+            - mountPath: /shared/media
+              name: nfs-media
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+              add:
+                - "CHOWN"
+                - "SETUID"
+                - "SETGID"
+      volumes:
+        - name: lidarr-config
+          persistentVolumeClaim:
+            claimName: lidarr-storage
+        - name: nfs-media
+          persistentVolumeClaim:
+            claimName: nfs-media

k8s-wheatley/lidarr/ingress.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: lidarr-route
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "lidarr.wheatley.in"
+  rules:
+    - backendRefs:
+        - name: lidarr
+          port: 80

k8s-wheatley/lidarr/kustomization.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: lidarr
+
+resources:
+  - ../../kustomize-bases/nfs-media
+  - configmap.yaml
+  - deployments.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - services.yaml
+  - namespace.yaml
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-lidarr
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-lidarr
+
+images:
+  - name: linuxserver/lidarr
+    newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7

k8s-wheatley/lidarr/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: lidarr

k8s-wheatley/lidarr/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: lidarr-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi

k8s-wheatley/lidarr/services.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: lidarr
+spec:
+  selector:
+    app: lidarr
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 8686

k8s-wheatley/plex/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: plex
 
 resources:
+  - ../../kustomize-bases/nfs-media
   - configmap.yaml
   - deployments.yaml
   - ingress.yaml
@@ -12,6 +13,28 @@ resources:
   - services.yaml
   - namespace.yaml
 
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-plex
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-plex
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+
 images:
 - name: plexinc/pms-docker
   newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c

k8s-wheatley/plex/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 20Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadOnlyMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-plex
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-plex
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadOnlyMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/prowlarr/kustomization.yaml

@@ -16,4 +16,4 @@ images:
   - name: flaresolverr/flaresolverr
     newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
   - name: linuxserver/prowlarr
-    newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf
+    newTag: 2.3.5@sha256:c5de2a8758a05594319263e7691c1dce56899442ed1720d6eca216c0958f4caf

k8s-wheatley/qbittorrent/configmap.yaml

@@ -9,22 +9,26 @@ data:
   VPN_TYPE: "wireguard"
   VPN_PORT_FORWARDING: on
   VPN_PORT_FORWARDING_PROVIDER: protonvpn
-  VPN_PORT_FORWARDING_UP_COMMAND: |
-    /bin/sh -c '
+  VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
+  VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
+  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
+  FIREWALL_INPUT_PORTS: "8112"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-scripts
+data:
+  port-up.sh: |
+    #!/bin/sh
     wget -O- --retry-connrefused \
       --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \
       http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
-  VPN_PORT_FORWARDING_DOWN_COMMAND: |
-    /bin/sh -c '
+  port-down.sh: |
+    #!/bin/sh
     wget -O- --retry-connrefused \
       --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \
       http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
-  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
-  FIREWALL_INPUT_PORTS: "8112"
-  DNS_KEEP_NAMESERVER: on
-  DOT: off
 ---
 apiVersion: v1
 kind: ConfigMap

k8s-wheatley/qbittorrent/deployments.yaml

@@ -33,6 +33,8 @@ spec:
             - mountPath: "/gluetun/wireguard"
               name: gluetun-wgconfig
               readOnly: true
+            - name: gluetun-scripts
+              mountPath: /scripts
             - name: gluetun-tmp
               mountPath: /tmp/gluetun
           restartPolicy: Always
@@ -128,6 +130,10 @@ spec:
         - name: gluetun-wgconfig
           secret:
             secretName: gluetun-wgconfig
+        - name: gluetun-scripts
+          configMap:
+            name: gluetun-scripts
+            defaultMode: 0755
         - name: gluetun-tmp
           emptyDir: {}
         - name: nfs-media

k8s-wheatley/qbittorrent/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: qbittorrent
 
 resources:
+  - ../../kustomize-bases/nfs-media
   - configmap.yaml
   - deployments.yaml
   - ingress.yaml
@@ -12,6 +13,25 @@ resources:
   - services.yaml
   - namespace.yaml
 
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-qbittorrent
+      - op: replace
+        path: /spec/nfs/path
+        value: /tank/media/downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-qbittorrent
+
 images:
   - name: ghcr.io/qdm12/gluetun
     newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab

k8s-wheatley/qbittorrent/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-qbittorrent
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-qbittorrent
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media/downloads
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/radarr/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: radarr
 
 resources:
+  - ../../kustomize-bases/nfs-media
   - configmap.yaml
   - deployments.yaml
   - ingress.yaml
@@ -12,6 +13,22 @@ resources:
   - services.yaml
   - namespace.yaml
 
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-radarr
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-radarr
+
 images:
   - name: linuxserver/radarr
-    newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+    newTag: 6.1.1@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d

k8s-wheatley/radarr/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-radarr
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-radarr
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

k8s-wheatley/sonarr/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: sonarr
 
 resources:
+  - ../../kustomize-bases/nfs-media
   - configmap.yaml
   - deployments.yaml
   - ingress.yaml
@@ -12,6 +13,22 @@ resources:
   - services.yaml
   - namespace.yaml
 
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-sonarr
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-sonarr
+
 images:
   - name: linuxserver/sonarr
-    newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
+    newTag: 4.0.17@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020

k8s-wheatley/sonarr/pvc.yaml

@@ -10,36 +10,3 @@ spec:
   resources:
     requests:
       storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: nfs-media
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 40Ti
-  volumeName: nfs-media-sonarr
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: nfs-media-sonarr
-spec:
-  capacity:
-    storage: 40Ti
-  accessModes:
-    - ReadWriteMany
-  nfs:
-    server: 10.0.69.10
-    path: /tank/media
-  mountOptions:
-    - vers=4.1
-    - rsize=1048576
-    - wsize=1048576
-    - hard
-    - timeo=600
-    - noatime
-  persistentVolumeReclaimPolicy: Retain

kustomize-bases/alloy/kustomization.yaml

@@ -9,12 +9,12 @@ resources:
 helmCharts:
   - name: alloy
     repo: https://grafana.github.io/helm-charts
-    version: "1.7.0"
+    version: "1.8.0"
     releaseName: alloy
     valuesFile: values.yaml
   - name: kube-state-metrics
     repo: https://prometheus-community.github.io/helm-charts
-    version: "7.2.2"
+    version: "7.3.0"
     releaseName: kube-state-metrics
   - name: prometheus-operator-crds
     repo: https://prometheus-community.github.io/helm-charts

kustomize-bases/nfs-media/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - pvc.yaml

kustomize-bases/nfs-media/pvc.yaml

@@ -0,0 +1,40 @@
+# Shared NFS media storage template — used by plex, sonarr, radarr, and qbittorrent.
+# All apps on k8s-wheatley mount the same NFS server: 10.0.69.10
+#
+# Each app overlays this base with JSON patches in its kustomization.yaml:
+#   - Always: rename PV (metadata.name) and update PVC volumeName to match
+#   - plex only: patch accessModes to ReadOnlyMany on both PV and PVC
+#   - qbittorrent only: patch nfs.path to /tank/media/downloads
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nfs-media  # renamed per-app via JSON patch
+spec:
+  capacity:
+    storage: 40Ti
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 10.0.69.10
+    path: /tank/media
+  mountOptions:
+    - vers=4.1
+    - rsize=1048576
+    - wsize=1048576
+    - hard
+    - timeo=600
+    - noatime
+  persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nfs-media
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Ti
+  volumeName: nfs-media  # patched per-app to match PV name