diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml index 7905e06..c0b32b5 100644 --- a/k8s-peterg/argo-workflows/values.yaml +++ b/k8s-peterg/argo-workflows/values.yaml @@ -311,34 +311,3 @@ extraObjects: kind: ClusterRole name: argo-workflows-view apiGroup: rbac.authorization.k8s.io - - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: argo-workflows-server-sso - namespace: argo-workflows - rules: - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create - - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: argo-workflows-server-sso - namespace: argo-workflows - subjects: - - kind: ServiceAccount - name: argo-workflows-server - namespace: argo-workflows - roleRef: - kind: Role - name: argo-workflows-server-sso - apiGroup: rbac.authorization.k8s.io diff --git a/k8s-peterg/argocd/applications-wheatley.yaml b/k8s-peterg/argocd/applications-wheatley.yaml index cd06c12..f0d4229 100644 --- a/k8s-peterg/argocd/applications-wheatley.yaml +++ b/k8s-peterg/argocd/applications-wheatley.yaml @@ -200,25 +200,6 @@ spec: --- apiVersion: argoproj.io/v1alpha1 kind: Application -metadata: - name: soulseekd - namespace: argocd -spec: - project: default - source: - repoURL: https://code.peterg.nl/wheatley/kubernetes.git - path: k8s-wheatley/soulseekd - targetRevision: HEAD - destination: - server: https://10.13.37.10:6443 - namespace: soulseekd - syncPolicy: - automated: - prune: true - selfHeal: true ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application metadata: name: plex namespace: argocd diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml index 61c614d..beb69f9 100644 --- a/k8s-wheatley/qbittorrent/configmap.yaml +++ b/k8s-wheatley/qbittorrent/configmap.yaml 
@@ -12,7 +12,7 @@ data: VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh" VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh" FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 - FIREWALL_INPUT_PORTS: "8112" + FIREWALL_INPUT_PORTS: "8112,5030" --- apiVersion: v1 kind: ConfigMap @@ -43,6 +43,22 @@ data: --- apiVersion: v1 kind: ConfigMap +metadata: + name: slskd-envs +data: + TZ: Europe/Amsterdam + PUID: "1000" + PGID: "1000" + SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads + SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete + SLSKD_SHARED_DIR: "[Music]/shared/media/downloads/_slsk-downloads" + SLSKD_REMOTE_CONFIGURATION: "true" + SLSKD_VPN: "true" + SLSKD_VPN_PORT_FORWARDING: "true" + SLSKD_VPN_GLUETUN_URL: http://localhost:8000 +--- +apiVersion: v1 +kind: ConfigMap metadata: name: unpackerr-envs data: diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml index dd506bc..4eb27c3 100644 --- a/k8s-wheatley/qbittorrent/deployments.yaml +++ b/k8s-wheatley/qbittorrent/deployments.yaml @@ -24,6 +24,9 @@ spec: - name: qbit-http containerPort: 8112 protocol: TCP + - name: slskd-http + containerPort: 5030 + protocol: TCP envFrom: - configMapRef: name: gluetun-envs @@ -121,6 +124,30 @@ spec: capabilities: drop: - "ALL" + - name: slskd + image: docker.io/slskd/slskd + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: slskd-envs + - secretRef: + name: slskd-env-secrets + volumeMounts: + - mountPath: /config + name: slskd-config + - mountPath: /shared/media/downloads + name: nfs-media-downloads + securityContext: + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "SETUID" + - "SETGID" volumes: - name: dev-tun hostPath: 
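Review bot: `SLSKD_SHARED_DIR` in the new `slskd-envs` ConfigMap points at `/shared/media/downloads/_slsk-downloads`, the same path as `SLSKD_DOWNLOADS_DIR`, so everything slskd downloads lands in the directory it shares with peers. The copy of this ConfigMap deleted from `k8s-wheatley/soulseekd/configmap.yaml` shared `/shared/media/music` instead, and the new container no longer mounts that volume, so the change looks deliberate but is not explained. If it is intended, a comment above the key would record it, for example `# Shares the slskd download directory itself; the music library is not mounted in this pod.` Otherwise a separate, curated share path would keep unreviewed files out of the share.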
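Review bot: The new `slskd` container's `securityContext` adds `CHOWN`, `SETUID` and `SETGID` back after `drop: ["ALL"]`, sets neither `runAsNonRoot` nor `readOnlyRootFilesystem`, and the container has no `resources` block. Those capabilities, together with `PUID`/`PGID` in `slskd-envs`, suggest the image starts as root and drops privileges itself. If the image can run directly as UID/GID 1000, then `runAsUser: 1000`, `runAsGroup: 1000` and `runAsNonRoot: true` would make the `add:` list unnecessary, which should be confirmed against the image before changing. The container also joins a pod that already carries gluetun, so CPU and memory limits would keep one peer-facing daemon from starving the others. The pod spec starts and ends outside this hunk.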
@@ -129,6 +156,9 @@ spec: - name: qbittorrent-config persistentVolumeClaim: claimName: qbittorrent-storage + - name: slskd-config + persistentVolumeClaim: + claimName: slskd-storage - name: gluetun-wgconfig secret: secretName: gluetun-wgconfig diff --git a/k8s-wheatley/qbittorrent/ingress.yaml b/k8s-wheatley/qbittorrent/ingress.yaml index 38ddcdf..e599673 100644 --- a/k8s-wheatley/qbittorrent/ingress.yaml +++ b/k8s-wheatley/qbittorrent/ingress.yaml @@ -15,6 +15,23 @@ spec: - name: qbittorrent port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: slskd-route +spec: + parentRefs: + - name: internal + namespace: kube-system + sectionName: https + hostnames: + - "slskd.wheatley.in" + rules: + - backendRefs: + - name: slskd + port: 80 + --- apiVersion: v1 kind: Service @@ -27,3 +44,16 @@ spec: - port: 80 protocol: TCP targetPort: 8112 + +--- +apiVersion: v1 +kind: Service +metadata: + name: slskd +spec: + selector: + app: qbittorrent + ports: + - port: 80 + protocol: TCP + targetPort: 5030 diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index c0a83b0..52170ad 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml @@ -35,3 +35,5 @@ images: newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab - name: docker.io/qbittorrentofficial/qbittorrent-nox newTag: 5.1.4-2@sha256:85fe2690f418dabffc4907276b3cdffcb7880c7114157b32f932d3b97bac45af + - name: docker.io/slskd/slskd + newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3 diff --git a/k8s-wheatley/qbittorrent/pvc.yaml b/k8s-wheatley/qbittorrent/pvc.yaml index c352b02..4500768 100644 --- a/k8s-wheatley/qbittorrent/pvc.yaml +++ b/k8s-wheatley/qbittorrent/pvc.yaml 
@@ -10,3 +10,15 @@ spec: resources: requests: storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: slskd-storage +spec: + storageClassName: piraeus-lvmthin + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/k8s-wheatley/qbittorrent/secrets.yaml b/k8s-wheatley/qbittorrent/secrets.yaml index 7eebf6b..15021e4 100644 --- a/k8s-wheatley/qbittorrent/secrets.yaml +++ b/k8s-wheatley/qbittorrent/secrets.yaml @@ -18,6 +18,31 @@ spec: key: secrets/managed/qbittorrent/protonvpn-wgconfig property: config +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: slskd-env-secrets +spec: + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: slskd-env-secrets + data: + - secretKey: SLSKD_VPN_GLUETUN_API_KEY + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: GLUETUN_API_KEY + - secretKey: SLSKD_SLSK_USERNAME + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: SLSK_USERNAME + - secretKey: SLSKD_SLSK_PASSWORD + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: SLSK_PASSWORD + --- apiVersion: external-secrets.io/v1 kind: ExternalSecret diff --git a/k8s-wheatley/sonarr/pvc.yaml b/k8s-wheatley/sonarr/pvc.yaml index 2cc9dcb..14d30b8 100644 --- a/k8s-wheatley/sonarr/pvc.yaml +++ b/k8s-wheatley/sonarr/pvc.yaml @@ -9,4 +9,4 @@ spec: - ReadWriteOnce resources: requests: - storage: 10Gi + storage: 5Gi diff --git a/k8s-wheatley/soulseekd/configmap.yaml b/k8s-wheatley/soulseekd/configmap.yaml deleted file mode 100644 index f27e944..0000000 --- a/k8s-wheatley/soulseekd/configmap.yaml +++ /dev/null 
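Review bot: The `slskd-env-secrets` ExternalSecret added in `k8s-wheatley/qbittorrent/secrets.yaml` maps only `SLSKD_VPN_GLUETUN_API_KEY`, `SLSKD_SLSK_USERNAME` and `SLSKD_SLSK_PASSWORD`, while the version deleted from `k8s-wheatley/soulseekd/secrets.yaml` also mapped `SLSKD_PASSWORD` and `SLSKD_API_KEY`. The same commit sets `SLSKD_REMOTE_CONFIGURATION: "true"` and publishes the UI through the `slskd-route` HTTPRoute. Unless the web credentials are set somewhere not shown here (for instance a config file on the new `slskd-storage` volume), the UI and API would presumably fall back to slskd's built-in default login. If the omission is not intentional, the two entries can be restored under the new Vault path as below, assuming those properties were copied there.

```yaml
  data:
    # … unchanged: SLSKD_VPN_GLUETUN_API_KEY, SLSKD_SLSK_USERNAME, SLSKD_SLSK_PASSWORD …
    - secretKey: SLSKD_PASSWORD
      remoteRef:
        key: secrets/managed/qbittorrent/slskd-env-secrets
        property: SLSKD_PASSWORD
    - secretKey: SLSKD_API_KEY
      remoteRef:
        key: secrets/managed/qbittorrent/slskd-env-secrets
        property: API_KEY
```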
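Review bot: Lowering `storage` from `10Gi` to `5Gi` in `k8s-wheatley/sonarr/pvc.yaml` will be rejected by the API server if the claim is already bound, because a PersistentVolumeClaim's requested size can only be increased. A GitOps sync of this manifest would then presumably keep failing until the claim is deleted and recreated, which can lose the volume's data depending on the reclaim policy. If the change is only meant to correct the manifest for a fresh install, a comment such as `# lowered from 10Gi; an existing bound claim must be recreated` would record that. The rest of the PVC is outside this hunk.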
@@ -1,29 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: gluetun-envs -data: - TZ: Europe/Amsterdam - VPN_SERVICE_PROVIDER: "custom" - VPN_TYPE: "wireguard" - VPN_PORT_FORWARDING: on - VPN_PORT_FORWARDING_PROVIDER: protonvpn - FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 - FIREWALL_INPUT_PORTS: "5030" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: slskd-envs -data: - TZ: Europe/Amsterdam - PUID: "1000" - PGID: "1000" - SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads - SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete - SLSKD_SHARED_DIR: "[Music]/shared/media/music" - SLSKD_REMOTE_CONFIGURATION: "true" - SLSKD_VPN: "true" - SLSKD_VPN_PORT_FORWARDING: "true" - SLSKD_VPN_GLUETUN_URL: http://localhost:8000 diff --git a/k8s-wheatley/soulseekd/deployments.yaml b/k8s-wheatley/soulseekd/deployments.yaml deleted file mode 100644 index 481bf38..0000000 --- a/k8s-wheatley/soulseekd/deployments.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: soulseekd - namespace: soulseekd - labels: - app: soulseekd -spec: - replicas: 1 - serviceName: soulseekd - selector: - matchLabels: - app: soulseekd - template: - metadata: - labels: - app: soulseekd - spec: - initContainers: - - name: gluetun - image: ghcr.io/qdm12/gluetun - ports: - - name: slskd-http - containerPort: 5030 - protocol: TCP - envFrom: - - configMapRef: - name: gluetun-envs - - secretRef: - name: gluetun-env-secrets - volumeMounts: - - mountPath: /dev/net/tun - name: dev-tun - - mountPath: /gluetun/wireguard - name: gluetun-wgconfig - readOnly: true - - name: gluetun-tmp - mountPath: /tmp/gluetun - restartPolicy: Always - lifecycle: - postStart: - exec: - command: - [ - "/bin/sh", - "-c", - "(ip rule del table 51820; ip -6 rule del table 51820) || true", - ] - readinessProbe: - exec: - command: - - sh - - -c - - "ping -c 1 9.9.9.9" - initialDelaySeconds: 5 - periodSeconds: 3 - timeoutSeconds: 2 - failureThreshold: 3 - livenessProbe: - exec: - command: - - sh - - -c - - "ping -c 1 9.9.9.9" - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 2 - failureThreshold: 3 - securityContext: - seccompProfile: - type: RuntimeDefault - allowPrivilegeEscalation: true - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "NET_ADMIN" - - "NET_RAW" - containers: - - name: slskd - image: docker.io/slskd/slskd - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: slskd-envs - - secretRef: - name: slskd-env-secrets - volumeMounts: - - mountPath: /config - name: slskd-config - - mountPath: /shared/media/downloads - name: nfs-media-downloads - - mountPath: /shared/media/music - name: nfs-media-music - securityContext: - seccompProfile: - type: RuntimeDefault - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - add: - - "CHOWN" - - "SETUID" - - "SETGID" - volumes: - - name: dev-tun - hostPath: - path: /dev/net/tun - type: CharDevice - - name: 
slskd-config - persistentVolumeClaim: - claimName: slskd-storage - - name: gluetun-wgconfig - secret: - secretName: gluetun-wgconfig - - name: gluetun-tmp - emptyDir: {} - - name: nfs-media-downloads - persistentVolumeClaim: - claimName: nfs-media-downloads - - name: nfs-media-music - persistentVolumeClaim: - claimName: nfs-media-music diff --git a/k8s-wheatley/soulseekd/ingress.yaml b/k8s-wheatley/soulseekd/ingress.yaml deleted file mode 100644 index 9ddba90..0000000 --- a/k8s-wheatley/soulseekd/ingress.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: slskd-route -spec: - parentRefs: - - name: internal - namespace: kube-system - sectionName: https - hostnames: - - "slskd.wheatley.in" - rules: - - backendRefs: - - name: slskd - port: 80 ---- -apiVersion: v1 -kind: Service -metadata: - name: slskd -spec: - selector: - app: soulseekd - ports: - - port: 80 - protocol: TCP - targetPort: 5030 diff --git a/k8s-wheatley/soulseekd/kustomization.yaml b/k8s-wheatley/soulseekd/kustomization.yaml deleted file mode 100644 index 0667a41..0000000 --- a/k8s-wheatley/soulseekd/kustomization.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: soulseekd - -resources: - - configmap.yaml - - deployments.yaml - - ingress.yaml - - pvc.yaml - - secrets.yaml - - namespace.yaml - -components: - - ../../kustomize-bases/nfs-media/components/downloads - - ../../kustomize-bases/nfs-media/components/music - -patches: - - target: - kind: PersistentVolume - name: nfs-media-downloads - patch: | - - op: replace - path: /metadata/name - value: nfs-media-soulseekd-downloads - - target: - kind: PersistentVolumeClaim - name: nfs-media-downloads - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-soulseekd-downloads - - target: - kind: PersistentVolume - name: nfs-media-music - patch: | - - op: replace - path: /metadata/name - value: nfs-media-soulseekd-music - - target: - kind: PersistentVolumeClaim - name: nfs-media-music - patch: | - - op: replace - path: /spec/volumeName - value: nfs-media-soulseekd-music - -images: - - name: ghcr.io/qdm12/gluetun - newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab - - name: docker.io/slskd/slskd - newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3 diff --git a/k8s-wheatley/soulseekd/namespace.yaml b/k8s-wheatley/soulseekd/namespace.yaml deleted file mode 100644 index 8e7a9f5..0000000 --- a/k8s-wheatley/soulseekd/namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: soulseekd - labels: - pod-security.kubernetes.io/enforce: privileged diff --git a/k8s-wheatley/soulseekd/pvc.yaml b/k8s-wheatley/soulseekd/pvc.yaml deleted file mode 100644 index 214582c..0000000 --- a/k8s-wheatley/soulseekd/pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: slskd-storage -spec: - storageClassName: piraeus-lvmthin - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi 
diff --git a/k8s-wheatley/soulseekd/secrets.yaml b/k8s-wheatley/soulseekd/secrets.yaml deleted file mode 100644 index 41f76d1..0000000 --- a/k8s-wheatley/soulseekd/secrets.yaml +++ /dev/null @@ -1,69 +0,0 @@ ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gluetun-wgconfig -spec: - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: gluetun-wgconfig - template: - data: - wg0.conf: "{{ .config }}" - data: - - secretKey: config - remoteRef: - key: secrets/managed/soulseekd/protonvpn-wgconfig - property: config - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: slskd-env-secrets -spec: - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: slskd-env-secrets - data: - - secretKey: SLSKD_VPN_GLUETUN_API_KEY - remoteRef: - key: secrets/managed/soulseekd/slskd-env-secrets - property: GLUETUN_API_KEY - - secretKey: SLSKD_SLSK_USERNAME - remoteRef: - key: secrets/managed/soulseekd/slskd-env-secrets - property: SLSK_USERNAME - - secretKey: SLSKD_SLSK_PASSWORD - remoteRef: - key: secrets/managed/soulseekd/slskd-env-secrets - property: SLSK_PASSWORD - - secretKey: SLSKD_PASSWORD - remoteRef: - key: secrets/managed/soulseekd/slskd-env-secrets - property: SLSKD_PASSWORD - - secretKey: SLSKD_API_KEY - remoteRef: - key: secrets/managed/soulseekd/slskd-env-secrets - property: API_KEY - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gluetun-env-secrets -spec: - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: gluetun-env-secrets - data: - - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE - remoteRef: - key: secrets/managed/soulseekd/gluetun-env-secrets - property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE