chore(deps): pin dependencies

2026-05-14 20:03:30 +00:00
16 changed files with 117 additions and 375 deletions
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@ -311,34 +311,3 @@ extraObjects:
      kind: ClusterRole
      name: argo-workflows-view
      apiGroup: rbac.authorization.k8s.io
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: argo-workflows-server-sso
      namespace: argo-workflows
    rules:
      - apiGroups:
          - ""
        resources:
          - serviceaccounts
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - serviceaccounts/token
        verbs:
          - create
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: argo-workflows-server-sso
      namespace: argo-workflows
    subjects:
      - kind: ServiceAccount
        name: argo-workflows-server
        namespace: argo-workflows
    roleRef:
      kind: Role
      name: argo-workflows-server-sso
      apiGroup: rbac.authorization.k8s.io
--- a/k8s-peterg/argocd/applications-wheatley.yaml
+++ b/k8s-peterg/argocd/applications-wheatley.yaml
@ -200,25 +200,6 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: soulseekd
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
    path: k8s-wheatley/soulseekd
    targetRevision: HEAD
  destination:
    server: https://10.13.37.10:6443
    namespace: soulseekd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: plex
  namespace: argocd
--- a/k8s-wheatley/qbittorrent/configmap.yaml
+++ b/k8s-wheatley/qbittorrent/configmap.yaml
@ -12,7 +12,7 @@ data:
  VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
  VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
-  FIREWALL_INPUT_PORTS: "8112"
+  FIREWALL_INPUT_PORTS: "8112,5030"
 ---
 apiVersion: v1
 kind: ConfigMap
@ -43,6 +43,22 @@ data:
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: slskd-envs
 data:
  TZ: Europe/Amsterdam
  PUID: "1000"
  PGID: "1000"
  SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
  SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
  SLSKD_SHARED_DIR: "[Music]/shared/media/downloads/_slsk-downloads"
  SLSKD_REMOTE_CONFIGURATION: "true"
  SLSKD_VPN: "true"
  SLSKD_VPN_PORT_FORWARDING: "true"
  SLSKD_VPN_GLUETUN_URL: http://localhost:8000
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: unpackerr-envs
 data:
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@ -24,6 +24,9 @@ spec:
            - name: qbit-http
              containerPort: 8112
              protocol: TCP
            - name: slskd-http
              containerPort: 5030
              protocol: TCP
          envFrom:
            - configMapRef:
                name: gluetun-envs
@ -121,6 +124,30 @@ spec:
            capabilities:
              drop:
                - "ALL"
        - name: slskd
          image: docker.io/slskd/slskd
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
                name: slskd-envs
            - secretRef:
                name: slskd-env-secrets
          volumeMounts:
            - mountPath: /config
              name: slskd-config
            - mountPath: /shared/media/downloads
              name: nfs-media-downloads
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
              add:
                - "CHOWN"
                - "SETUID"
                - "SETGID"
      volumes:
        - name: dev-tun
          hostPath:
@ -129,6 +156,9 @@ spec:
        - name: qbittorrent-config
          persistentVolumeClaim:
            claimName: qbittorrent-storage
        - name: slskd-config
          persistentVolumeClaim:
            claimName: slskd-storage
        - name: gluetun-wgconfig
          secret:
            secretName: gluetun-wgconfig
--- a/k8s-wheatley/qbittorrent/ingress.yaml
+++ b/k8s-wheatley/qbittorrent/ingress.yaml
@ -15,6 +15,23 @@ spec:
        - name: qbittorrent
          port: 80
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: slskd-route
 spec:
  parentRefs:
    - name: internal
      namespace: kube-system
      sectionName: https
  hostnames:
    - "slskd.wheatley.in"
  rules:
    - backendRefs:
        - name: slskd
          port: 80
 ---
 apiVersion: v1
 kind: Service
@ -27,3 +44,16 @@ spec:
    - port: 80
      protocol: TCP
      targetPort: 8112
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: slskd
 spec:
  selector:
    app: qbittorrent
  ports:
    - port: 80
      protocol: TCP
      targetPort: 5030
--- a/k8s-wheatley/qbittorrent/kustomization.yaml
+++ b/k8s-wheatley/qbittorrent/kustomization.yaml
@ -35,3 +35,5 @@ images:
    newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
  - name: docker.io/qbittorrentofficial/qbittorrent-nox
    newTag: 5.1.4-2@sha256:85fe2690f418dabffc4907276b3cdffcb7880c7114157b32f932d3b97bac45af
  - name: docker.io/slskd/slskd
    newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3
--- a/k8s-wheatley/qbittorrent/pvc.yaml
+++ b/k8s-wheatley/qbittorrent/pvc.yaml
@ -10,3 +10,15 @@ spec:
  resources:
    requests:
      storage: 5Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: slskd-storage
 spec:
  storageClassName: piraeus-lvmthin
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/k8s-wheatley/qbittorrent/secrets.yaml
+++ b/k8s-wheatley/qbittorrent/secrets.yaml
@ -18,6 +18,31 @@ spec:
        key: secrets/managed/qbittorrent/protonvpn-wgconfig
        property: config
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: slskd-env-secrets
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: slskd-env-secrets
  data:
    - secretKey: SLSKD_VPN_GLUETUN_API_KEY
      remoteRef:
        key: secrets/managed/qbittorrent/slskd-env-secrets
        property: GLUETUN_API_KEY
    - secretKey: SLSKD_SLSK_USERNAME
      remoteRef:
        key: secrets/managed/qbittorrent/slskd-env-secrets
        property: SLSK_USERNAME
    - secretKey: SLSKD_SLSK_PASSWORD
      remoteRef:
        key: secrets/managed/qbittorrent/slskd-env-secrets
        property: SLSK_PASSWORD
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/k8s-wheatley/sonarr/pvc.yaml
+++ b/k8s-wheatley/sonarr/pvc.yaml
@ -9,4 +9,4 @@ spec:
    - ReadWriteOnce
  resources:
    requests:
-      storage: 10Gi
+      storage: 5Gi
--- a/k8s-wheatley/soulseekd/configmap.yaml
+++ b/k8s-wheatley/soulseekd/configmap.yaml
@ -1,29 +0,0 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: gluetun-envs
 data:
  TZ: Europe/Amsterdam
  VPN_SERVICE_PROVIDER: "custom"
  VPN_TYPE: "wireguard"
  VPN_PORT_FORWARDING: on
  VPN_PORT_FORWARDING_PROVIDER: protonvpn
  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
  FIREWALL_INPUT_PORTS: "5030"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: slskd-envs
 data:
  TZ: Europe/Amsterdam
  PUID: "1000"
  PGID: "1000"
  SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
  SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
  SLSKD_SHARED_DIR: "[Music]/shared/media/music"
  SLSKD_REMOTE_CONFIGURATION: "true"
  SLSKD_VPN: "true"
  SLSKD_VPN_PORT_FORWARDING: "true"
  SLSKD_VPN_GLUETUN_URL: http://localhost:8000
--- a/k8s-wheatley/soulseekd/deployments.yaml
+++ b/k8s-wheatley/soulseekd/deployments.yaml
@ -1,126 +0,0 @@
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: soulseekd
  namespace: soulseekd
  labels:
    app: soulseekd
 spec:
  replicas: 1
  serviceName: soulseekd
  selector:
    matchLabels:
      app: soulseekd
  template:
    metadata:
      labels:
        app: soulseekd
    spec:
      initContainers:
        - name: gluetun
          image: ghcr.io/qdm12/gluetun
          ports:
            - name: slskd-http
              containerPort: 5030
              protocol: TCP
          envFrom:
            - configMapRef:
                name: gluetun-envs
            - secretRef:
                name: gluetun-env-secrets
          volumeMounts:
            - mountPath: /dev/net/tun
              name: dev-tun
            - mountPath: /gluetun/wireguard
              name: gluetun-wgconfig
              readOnly: true
            - name: gluetun-tmp
              mountPath: /tmp/gluetun
          restartPolicy: Always
          lifecycle:
            postStart:
              exec:
                command:
                  [
                    "/bin/sh",
                    "-c",
                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
                  ]
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - "ping -c 1 9.9.9.9"
            initialDelaySeconds: 5
            periodSeconds: 3
            timeoutSeconds: 2
            failureThreshold: 3
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - "ping -c 1 9.9.9.9"
            initialDelaySeconds: 10
            periodSeconds: 15
            timeoutSeconds: 2
            failureThreshold: 3
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - "ALL"
              add:
                - "CHOWN"
                - "NET_ADMIN"
                - "NET_RAW"
      containers:
        - name: slskd
          image: docker.io/slskd/slskd
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
                name: slskd-envs
            - secretRef:
                name: slskd-env-secrets
          volumeMounts:
            - mountPath: /config
              name: slskd-config
            - mountPath: /shared/media/downloads
              name: nfs-media-downloads
            - mountPath: /shared/media/music
              name: nfs-media-music
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
              add:
                - "CHOWN"
                - "SETUID"
                - "SETGID"
      volumes:
        - name: dev-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice
        - name: slskd-config
          persistentVolumeClaim:
            claimName: slskd-storage
        - name: gluetun-wgconfig
          secret:
            secretName: gluetun-wgconfig
        - name: gluetun-tmp
          emptyDir: {}
        - name: nfs-media-downloads
          persistentVolumeClaim:
            claimName: nfs-media-downloads
        - name: nfs-media-music
          persistentVolumeClaim:
            claimName: nfs-media-music
--- a/k8s-wheatley/soulseekd/ingress.yaml
+++ b/k8s-wheatley/soulseekd/ingress.yaml
@ -1,28 +0,0 @@
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: slskd-route
 spec:
  parentRefs:
    - name: internal
      namespace: kube-system
      sectionName: https
  hostnames:
    - "slskd.wheatley.in"
  rules:
    - backendRefs:
        - name: slskd
          port: 80
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: slskd
 spec:
  selector:
    app: soulseekd
  ports:
    - port: 80
      protocol: TCP
      targetPort: 5030
--- a/k8s-wheatley/soulseekd/kustomization.yaml
+++ b/k8s-wheatley/soulseekd/kustomization.yaml
@ -1,52 +0,0 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: soulseekd
 resources:
  - configmap.yaml
  - deployments.yaml
  - ingress.yaml
  - pvc.yaml
  - secrets.yaml
  - namespace.yaml
 components:
  - ../../kustomize-bases/nfs-media/components/downloads
  - ../../kustomize-bases/nfs-media/components/music
 patches:
  - target:
      kind: PersistentVolume
      name: nfs-media-downloads
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-soulseekd-downloads
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media-downloads
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-soulseekd-downloads
  - target:
      kind: PersistentVolume
      name: nfs-media-music
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-soulseekd-music
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media-music
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-soulseekd-music
 images:
  - name: ghcr.io/qdm12/gluetun
    newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
  - name: docker.io/slskd/slskd
    newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3
--- a/k8s-wheatley/soulseekd/namespace.yaml
+++ b/k8s-wheatley/soulseekd/namespace.yaml
@ -1,7 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: soulseekd
  labels:
    pod-security.kubernetes.io/enforce: privileged
--- a/k8s-wheatley/soulseekd/pvc.yaml
+++ b/k8s-wheatley/soulseekd/pvc.yaml
@ -1,12 +0,0 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: slskd-storage
 spec:
  storageClassName: piraeus-lvmthin
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/k8s-wheatley/soulseekd/secrets.yaml
+++ b/k8s-wheatley/soulseekd/secrets.yaml
@ -1,69 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gluetun-wgconfig
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: gluetun-wgconfig
    template:
      data:
        wg0.conf: "{{ .config }}"
  data:
    - secretKey: config
      remoteRef:
        key: secrets/managed/soulseekd/protonvpn-wgconfig
        property: config
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: slskd-env-secrets
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: slskd-env-secrets
  data:
    - secretKey: SLSKD_VPN_GLUETUN_API_KEY
      remoteRef:
        key: secrets/managed/soulseekd/slskd-env-secrets
        property: GLUETUN_API_KEY
    - secretKey: SLSKD_SLSK_USERNAME
      remoteRef:
        key: secrets/managed/soulseekd/slskd-env-secrets
        property: SLSK_USERNAME
    - secretKey: SLSKD_SLSK_PASSWORD
      remoteRef:
        key: secrets/managed/soulseekd/slskd-env-secrets
        property: SLSK_PASSWORD
    - secretKey: SLSKD_PASSWORD
      remoteRef:
        key: secrets/managed/soulseekd/slskd-env-secrets
        property: SLSKD_PASSWORD
    - secretKey: SLSKD_API_KEY
      remoteRef:
        key: secrets/managed/soulseekd/slskd-env-secrets
        property: API_KEY
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gluetun-env-secrets
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: gluetun-env-secrets
  data:
    - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
      remoteRef:
        key: secrets/managed/soulseekd/gluetun-env-secrets
        property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE