diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml index 26b8dcf..2459293 100644 --- a/k8s-peterg/argo-workflows/values.yaml +++ b/k8s-peterg/argo-workflows/values.yaml @@ -311,3 +311,34 @@ extraObjects: kind: ClusterRole name: argo-workflows-view apiGroup: rbac.authorization.k8s.io + - apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: argo-workflows-server-sso + namespace: argo-workflows + rules: + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: argo-workflows-server-sso + namespace: argo-workflows + subjects: + - kind: ServiceAccount + name: argo-workflows-server + namespace: argo-workflows + roleRef: + kind: Role + name: argo-workflows-server-sso + apiGroup: rbac.authorization.k8s.io diff --git a/k8s-peterg/argocd/applications-wheatley.yaml b/k8s-peterg/argocd/applications-wheatley.yaml index eae54ce..f0d4229 100644 --- a/k8s-peterg/argocd/applications-wheatley.yaml +++ b/k8s-peterg/argocd/applications-wheatley.yaml @@ -216,3 +216,22 @@ spec: automated: prune: true selfHeal: true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: romm + namespace: argocd +spec: + project: default + source: + repoURL: https://code.peterg.nl/wheatley/kubernetes.git + path: k8s-wheatley/romm + targetRevision: HEAD + destination: + server: https://10.13.37.10:6443 + namespace: romm + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/k8s-peterg/external-secrets-operator/kustomization.yaml b/k8s-peterg/external-secrets-operator/kustomization.yaml index 52fe547..bed871c 100644 --- a/k8s-peterg/external-secrets-operator/kustomization.yaml +++ b/k8s-peterg/external-secrets-operator/kustomization.yaml 
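Review bot: The `argo-workflows-server-sso` Role lets the server create tokens for every ServiceAccount in the `argo-workflows` namespace, because neither rule carries `resourceNames`. If that namespace also holds the controller's or other privileged ServiceAccounts, a compromised server pod or a fault in its SSO mapping could mint tokens for them. Consider listing only the accounts meant for SSO users, e.g. `resourceNames: ["<sso-service-account>"]` (placeholder) on both the `serviceaccounts` and `serviceaccounts/token` rules, or keeping those accounts in a dedicated namespace. Which accounts live in the namespace is not visible in this diff, so check this against the cluster.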
@@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.4.1 + version: 2.5.0 diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml index 52fe547..bed871c 100644 --- a/k8s-wheatley/external-secrets-operator/kustomization.yaml +++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.4.1 + version: 2.5.0 diff --git a/k8s-wheatley/lidarr/deployments.yaml b/k8s-wheatley/lidarr/deployments.yaml index de9c4c5..f81dda7 100644 --- a/k8s-wheatley/lidarr/deployments.yaml +++ b/k8s-wheatley/lidarr/deployments.yaml @@ -28,8 +28,10 @@ spec: volumeMounts: - mountPath: /config name: lidarr-config - - mountPath: /shared/media - name: nfs-media + - mountPath: /shared/media/music + name: nfs-media-music + - mountPath: /shared/media/downloads + name: nfs-media-downloads securityContext: seccompProfile: type: RuntimeDefault @@ -45,6 +47,9 @@ spec: - name: lidarr-config persistentVolumeClaim: claimName: lidarr-storage - - name: nfs-media + - name: nfs-media-music persistentVolumeClaim: - claimName: nfs-media + claimName: nfs-media-music + - name: nfs-media-downloads + persistentVolumeClaim: + claimName: nfs-media-downloads diff --git a/k8s-wheatley/lidarr/kustomization.yaml b/k8s-wheatley/lidarr/kustomization.yaml index 018f13b..adcf14d 100644 --- a/k8s-wheatley/lidarr/kustomization.yaml +++ b/k8s-wheatley/lidarr/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: lidarr resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
@@ -12,22 +11,40 @@ resources: - services.yaml - namespace.yaml +components: + - ../../kustomize-bases/nfs-media/components/music + - ../../kustomize-bases/nfs-media/components/downloads + patches: - target: kind: PersistentVolume - name: nfs-media + name: nfs-media-music patch: | - op: replace path: /metadata/name - value: nfs-media-lidarr + value: nfs-media-lidarr-music - target: kind: PersistentVolumeClaim - name: nfs-media + name: nfs-media-music patch: | - op: replace path: /spec/volumeName - value: nfs-media-lidarr + value: nfs-media-lidarr-music + - target: + kind: PersistentVolume + name: nfs-media-downloads + patch: | + - op: replace + path: /metadata/name + value: nfs-media-lidarr-downloads + - target: + kind: PersistentVolumeClaim + name: nfs-media-downloads + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-lidarr-downloads images: - name: linuxserver/lidarr - newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7 + newTag: 3.1.2-nightly diff --git a/k8s-wheatley/lidarr/pvc.yaml b/k8s-wheatley/lidarr/pvc.yaml index e06965e..0953aac 100644 --- a/k8s-wheatley/lidarr/pvc.yaml +++ b/k8s-wheatley/lidarr/pvc.yaml @@ -9,4 +9,4 @@ spec: - ReadWriteOnce resources: requests: - storage: 5Gi + storage: 10Gi diff --git a/k8s-wheatley/plex/deployments.yaml b/k8s-wheatley/plex/deployments.yaml index 3e48bda..11e0717 100644 --- a/k8s-wheatley/plex/deployments.yaml +++ b/k8s-wheatley/plex/deployments.yaml @@ -28,8 +28,12 @@ spec: volumeMounts: - mountPath: /config name: plex-config - - mountPath: /data - name: nfs-media + - mountPath: /data/movies + name: nfs-media-movies + - mountPath: /data/series + name: nfs-media-series + - mountPath: /data/anime + name: nfs-media-anime securityContext: seccompProfile: type: RuntimeDefault 
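Review bot: The lidarr image loses its digest pin in the `images:` entry at the end of this hunk: `3.1.0@sha256:…` becomes the mutable `3.1.2-nightly` tag, so a node runs whatever the registry serves under that name at pull time. The same applies to tags added without a digest further down the diff: `docker.io/slskd/slskd` at `0.25.1` in the qbittorrent kustomization, and `mariadb` at `lts` and `rommapp/romm` at `4.8.1` in the romm kustomization, while gluetun and qbittorrent-nox keep their digests. Pinning each as `newTag: <tag>@sha256:<digest>` (placeholders) keeps the deployed content reviewable in git, and a release tag is preferable to a nightly where one exists.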
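Review bot: The three new mounts under `/data` stay writable from the plex container, because `accessModes: ReadOnlyMany` (patched in plex/kustomization.yaml) is used to match PV and PVC and does not by itself make the mount read-only. Add `readOnly: true` to each of the `nfs-media-movies`, `nfs-media-series` and `nfs-media-anime` volumeMounts, as the romm StatefulSet in this commit already does for its library mounts. The container spec starts and ends outside this hunk, so a read-only setting elsewhere cannot be ruled out from here.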
@@ -45,6 +49,12 @@ spec: - name: plex-config persistentVolumeClaim: claimName: plex-storage - - name: nfs-media + - name: nfs-media-movies persistentVolumeClaim: - claimName: nfs-media + claimName: nfs-media-movies + - name: nfs-media-series + persistentVolumeClaim: + claimName: nfs-media-series + - name: nfs-media-anime + persistentVolumeClaim: + claimName: nfs-media-anime diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml index 3bd4023..ccb0bdc 100644 --- a/k8s-wheatley/plex/kustomization.yaml +++ b/k8s-wheatley/plex/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: plex resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
@@ -13,24 +12,69 @@ resources: - services.yaml - namespace.yaml +components: + - ../../kustomize-bases/nfs-media/components/movies + - ../../kustomize-bases/nfs-media/components/series + - ../../kustomize-bases/nfs-media/components/anime + patches: - target: kind: PersistentVolume - name: nfs-media + name: nfs-media-movies patch: | - op: replace path: /metadata/name - value: nfs-media-plex + value: nfs-media-plex-movies - op: replace path: /spec/accessModes/0 value: ReadOnlyMany - target: kind: PersistentVolumeClaim - name: nfs-media + name: nfs-media-movies patch: | - op: replace path: /spec/volumeName - value: nfs-media-plex + value: nfs-media-plex-movies + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + - target: + kind: PersistentVolume + name: nfs-media-series + patch: | + - op: replace + path: /metadata/name + value: nfs-media-plex-series + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + - target: + kind: PersistentVolumeClaim + name: nfs-media-series + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-plex-series + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + - target: + kind: PersistentVolume + name: nfs-media-anime + patch: | + - op: replace + path: /metadata/name + value: nfs-media-plex-anime + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + - target: + kind: PersistentVolumeClaim + name: nfs-media-anime + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-plex-anime - op: replace path: /spec/accessModes/0 value: ReadOnlyMany diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml index 61c614d..beb69f9 100644 --- a/k8s-wheatley/qbittorrent/configmap.yaml +++ b/k8s-wheatley/qbittorrent/configmap.yaml 
@@ -12,7 +12,7 @@ data: VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh" VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh" FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 - FIREWALL_INPUT_PORTS: "8112" + FIREWALL_INPUT_PORTS: "8112,5030" --- apiVersion: v1 kind: ConfigMap @@ -43,6 +43,22 @@ data: --- apiVersion: v1 kind: ConfigMap +metadata: + name: slskd-envs +data: + TZ: Europe/Amsterdam + PUID: "1000" + PGID: "1000" + SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads + SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete + SLSKD_SHARED_DIR: "[Music]/shared/media/downloads/_slsk-downloads" + SLSKD_REMOTE_CONFIGURATION: "true" + SLSKD_VPN: "true" + SLSKD_VPN_PORT_FORWARDING: "true" + SLSKD_VPN_GLUETUN_URL: http://localhost:8000 +--- +apiVersion: v1 +kind: ConfigMap metadata: name: unpackerr-envs data: diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml index 5dba05a..4eb27c3 100644 --- a/k8s-wheatley/qbittorrent/deployments.yaml +++ b/k8s-wheatley/qbittorrent/deployments.yaml @@ -21,16 +21,21 @@ spec: - name: gluetun image: ghcr.io/qdm12/gluetun ports: - - name: http + - name: qbit-http containerPort: 8112 protocol: TCP + - name: slskd-http + containerPort: 5030 + protocol: TCP envFrom: - configMapRef: name: gluetun-envs + - secretRef: + name: gluetun-env-secrets volumeMounts: - mountPath: /dev/net/tun name: dev-tun - - mountPath: "/gluetun/wireguard" + - mountPath: /gluetun/wireguard name: gluetun-wgconfig readOnly: true - name: gluetun-scripts @@ -89,7 +94,7 @@ spec: - mountPath: /config name: qbittorrent-config - mountPath: /shared/media/downloads - name: nfs-media + name: nfs-media-downloads securityContext: seccompProfile: type: RuntimeDefault @@ -109,7 +114,7 @@ spec: name: unpackerr-env-secrets volumeMounts: - mountPath: /shared/media/downloads - name: nfs-media + name: nfs-media-downloads securityContext: seccompProfile: type: RuntimeDefault 
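Review bot: `SLSKD_REMOTE_CONFIGURATION: "true"` in the new `slskd-envs` ConfigMap allows the slskd configuration to be edited through its web UI, which this commit also publishes on `slskd.wheatley.in`. Anyone holding the web password or API key could then change shares and other settings at runtime, outside of git review. Unless that is needed day to day, set it to `"false"` once initial setup is done and keep configuration in the ConfigMap.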
@@ -119,6 +124,30 @@ spec: capabilities: drop: - "ALL" + - name: slskd + image: docker.io/slskd/slskd + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: slskd-envs + - secretRef: + name: slskd-env-secrets + volumeMounts: + - mountPath: /config + name: slskd-config + - mountPath: /shared/media/downloads + name: nfs-media-downloads + securityContext: + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "SETUID" + - "SETGID" volumes: - name: dev-tun hostPath: @@ -127,6 +156,9 @@ spec: - name: qbittorrent-config persistentVolumeClaim: claimName: qbittorrent-storage + - name: slskd-config + persistentVolumeClaim: + claimName: slskd-storage - name: gluetun-wgconfig secret: secretName: gluetun-wgconfig @@ -136,6 +168,6 @@ spec: defaultMode: 0755 - name: gluetun-tmp emptyDir: {} - - name: nfs-media + - name: nfs-media-downloads persistentVolumeClaim: - claimName: nfs-media + claimName: nfs-media-downloads diff --git a/k8s-wheatley/qbittorrent/ingress.yaml b/k8s-wheatley/qbittorrent/ingress.yaml index 4b77fad..e599673 100644 --- a/k8s-wheatley/qbittorrent/ingress.yaml +++ b/k8s-wheatley/qbittorrent/ingress.yaml @@ -14,3 +14,46 @@ spec: - backendRefs: - name: qbittorrent port: 80 + +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: slskd-route +spec: + parentRefs: + - name: internal + namespace: kube-system + sectionName: https + hostnames: + - "slskd.wheatley.in" + rules: + - backendRefs: + - name: slskd + port: 80 + +--- +apiVersion: v1 +kind: Service +metadata: + name: qbittorrent +spec: + selector: + app: qbittorrent + ports: + - port: 80 + protocol: TCP + targetPort: 8112 + +--- +apiVersion: v1 +kind: Service +metadata: + name: slskd +spec: + selector: + app: qbittorrent + ports: + - port: 80 + protocol: TCP + targetPort: 5030 
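Review bot: The new `slskd` container adds `CHOWN`, `SETUID` and `SETGID` back after `drop: ALL` and sets no `runAsNonRoot`, which suggests it starts as root and switches user itself; that leaves a root phase in a container that talks to a peer-to-peer network and has the downloads share mounted read-write. If the image can run directly as an unprivileged user (not confirmed from this diff), prefer `runAsUser: 1000`, `runAsGroup: 1000` and `runAsNonRoot: true` in its `securityContext` and remove the `add:` list. `readOnlyRootFilesystem: true` would also be worth testing. The pod spec starts outside this hunk.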
diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index 68bd0ef..772ec7b 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml @@ -4,36 +4,36 @@ kind: Kustomization namespace: qbittorrent resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml - pvc.yaml - secrets.yaml - - services.yaml - namespace.yaml +components: + - ../../kustomize-bases/nfs-media/components/downloads + patches: - target: kind: PersistentVolume - name: nfs-media + name: nfs-media-downloads patch: | - op: replace path: /metadata/name - value: nfs-media-qbittorrent - - op: replace - path: /spec/nfs/path - value: /tank/media/downloads + value: nfs-media-qbittorrent-downloads - target: kind: PersistentVolumeClaim - name: nfs-media + name: nfs-media-downloads patch: | - op: replace path: /spec/volumeName - value: nfs-media-qbittorrent + value: nfs-media-qbittorrent-downloads images: - name: ghcr.io/qdm12/gluetun newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab - name: docker.io/qbittorrentofficial/qbittorrent-nox newTag: 5.1.4-2@sha256:85fe2690f418dabffc4907276b3cdffcb7880c7114157b32f932d3b97bac45af + - name: docker.io/slskd/slskd + newTag: 0.25.1 diff --git a/k8s-wheatley/qbittorrent/pvc.yaml b/k8s-wheatley/qbittorrent/pvc.yaml index c352b02..4500768 100644 --- a/k8s-wheatley/qbittorrent/pvc.yaml +++ b/k8s-wheatley/qbittorrent/pvc.yaml @@ -10,3 +10,15 @@ spec: resources: requests: storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: slskd-storage +spec: + storageClassName: piraeus-lvmthin + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/k8s-wheatley/qbittorrent/secrets.yaml b/k8s-wheatley/qbittorrent/secrets.yaml index 5e7e3bc..64e133e 100644 --- a/k8s-wheatley/qbittorrent/secrets.yaml +++ b/k8s-wheatley/qbittorrent/secrets.yaml 
@@ -17,6 +17,57 @@ spec: remoteRef: key: secrets/managed/qbittorrent/protonvpn-wgconfig property: config + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: slskd-env-secrets +spec: + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: slskd-env-secrets + data: + - secretKey: SLSKD_VPN_GLUETUN_API_KEY + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: GLUETUN_API_KEY + - secretKey: SLSKD_SLSK_USERNAME + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: SLSK_USERNAME + - secretKey: SLSKD_SLSK_PASSWORD + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: SLSK_PASSWORD + - secretKey: SLSKD_PASSWORD + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: SLSKD_PASSWORD + - secretKey: SLSKD_API_KEY + remoteRef: + key: secrets/managed/qbittorrent/slskd-env-secrets + property: API_KEY + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gluetun-env-secrets +spec: + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: gluetun-env-secrets + data: + - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE + remoteRef: + key: secrets/managed/qbittorrent/gluetun-env-secrets + property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE + --- apiVersion: external-secrets.io/v1 kind: ExternalSecret diff --git a/k8s-wheatley/radarr/deployments.yaml b/k8s-wheatley/radarr/deployments.yaml index a4042c0..41587c3 100644 --- a/k8s-wheatley/radarr/deployments.yaml +++ b/k8s-wheatley/radarr/deployments.yaml @@ -28,8 +28,10 @@ spec: volumeMounts: - mountPath: /config name: radarr-config - - mountPath: /shared/media - name: nfs-media + - mountPath: /shared/media/movies + name: nfs-media-movies + - mountPath: /shared/media/downloads + name: nfs-media-downloads securityContext: seccompProfile: type: RuntimeDefault 
@@ -45,6 +47,9 @@ spec: - name: radarr-config persistentVolumeClaim: claimName: radarr-storage - - name: nfs-media + - name: nfs-media-movies persistentVolumeClaim: - claimName: nfs-media + claimName: nfs-media-movies + - name: nfs-media-downloads + persistentVolumeClaim: + claimName: nfs-media-downloads diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index 445d2f3..7296e89 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: radarr resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -13,21 +12,39 @@ resources: - services.yaml - namespace.yaml +components: + - ../../kustomize-bases/nfs-media/components/movies + - ../../kustomize-bases/nfs-media/components/downloads + patches: - target: kind: PersistentVolume - name: nfs-media + name: nfs-media-movies patch: | - op: replace path: /metadata/name - value: nfs-media-radarr + value: nfs-media-radarr-movies - target: kind: PersistentVolumeClaim - name: nfs-media + name: nfs-media-movies patch: | - op: replace path: /spec/volumeName - value: nfs-media-radarr + value: nfs-media-radarr-movies + - target: + kind: PersistentVolume + name: nfs-media-downloads + patch: | + - op: replace + path: /metadata/name + value: nfs-media-radarr-downloads + - target: + kind: PersistentVolumeClaim + name: nfs-media-downloads + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-radarr-downloads images: - name: linuxserver/radarr diff --git a/k8s-wheatley/romm/configmap.yaml b/k8s-wheatley/romm/configmap.yaml new file mode 100644 index 0000000..e90220b --- /dev/null +++ b/k8s-wheatley/romm/configmap.yaml 
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: romm-db-envs
+data:
+ MARIADB_DATABASE: romm
+ MARIADB_USER: romm
+ TZ: Europe/Amsterdam
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: romm-envs
+data:
+ DB_HOST: 127.0.0.1
+ DB_NAME: romm
+ DB_USER: romm
+ ROMM_PORT: "8080"
+ HASHEOUS_API_ENABLED: "true"
+ TZ: Europe/Amsterdam
diff --git a/k8s-wheatley/romm/deployments.yaml b/k8s-wheatley/romm/deployments.yaml
new file mode 100644
index 0000000..79b7fd1
--- /dev/null
+++ b/k8s-wheatley/romm/deployments.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: romm
+ labels:
+ app: romm
+spec:
+ replicas: 1
+ serviceName: romm
+ selector:
+ matchLabels:
+ app: romm
+ template:
+ metadata:
+ labels:
+ app: romm
+ spec:
+ initContainers:
+ - name: romm-db
+ image: mariadb
+ envFrom:
+ - configMapRef:
+ name: romm-db-envs
+ - secretRef:
+ name: romm-db-env-secrets
+ volumeMounts:
+ - mountPath: /var/lib/mysql
+ name: romm-db-data
+ restartPolicy: Always
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - "healthcheck.sh --connect --innodb_initialized"
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - "healthcheck.sh --connect --innodb_initialized"
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ timeoutSeconds: 2
+ failureThreshold: 3
+ containers:
+ - name: romm
+ image: rommapp/romm
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8080
+ envFrom:
+ - configMapRef:
+ name: romm-envs
+ - secretRef:
+ name: romm-env-secrets
+ volumeMounts:
+ - mountPath: /romm
+ name: romm-data
+ - mountPath: /romm/library
+ name: nfs-media-roms
+ readOnly: true
+ - mountPath: /romm/downloads
+ name: nfs-media-downloads
+ readOnly: true
+ volumes:
+ - name: romm-db-data
+ persistentVolumeClaim:
+ claimName: romm-db-storage
+ - name: romm-data
+ persistentVolumeClaim:
+ claimName: romm-storage
+ - name: nfs-media-roms
+ persistentVolumeClaim:
+ claimName: nfs-media-roms
+ - name: nfs-media-downloads
+ persistentVolumeClaim:
+ claimName: nfs-media-downloads
diff --git a/k8s-wheatley/romm/ingress.yaml b/k8s-wheatley/romm/ingress.yaml
new file mode 100644
index 0000000..8a7eae1
--- /dev/null
+++ b/k8s-wheatley/romm/ingress.yaml
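Review bot: Neither the `romm-db` init container nor the `romm` container sets a `securityContext`, unlike the other workloads touched in this commit, which carry `seccompProfile: RuntimeDefault`, `allowPrivilegeEscalation: false` and `capabilities.drop: ALL`. romm is published on `roms.wheatley.in` and reads files from the downloads share, so it should get at least the same baseline; the block below shows it for `romm`, and whether the image starts with all capabilities dropped has to be verified. `romm-db` needs the same treatment, though the mariadb entrypoint may need a few capabilities added back, as was done for slskd. Both containers also define no `resources` requests or limits.

```yaml
      containers:
        - name: romm
          image: rommapp/romm
          # … unchanged: imagePullPolicy, ports, envFrom, volumeMounts …
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
```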
@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: romm-route
+spec:
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - "roms.wheatley.in"
+ rules:
+ - backendRefs:
+ - name: romm
+ port: 80
diff --git a/k8s-wheatley/romm/kustomization.yaml b/k8s-wheatley/romm/kustomization.yaml
new file mode 100644
index 0000000..3c4bb11
--- /dev/null
+++ b/k8s-wheatley/romm/kustomization.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: romm
+
+resources:
+ - configmap.yaml
+ - deployments.yaml
+ - ingress.yaml
+ - pvc.yaml
+ - secrets.yaml
+ - services.yaml
+ - namespace.yaml
+
+components:
+ - ../../kustomize-bases/nfs-media/components/roms
+ - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+ - target:
+ kind: PersistentVolume
+ name: nfs-media-roms
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: nfs-media-romm-roms
+ - target:
+ kind: PersistentVolume
+ name: nfs-media-downloads
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: nfs-media-romm-downloads
+ - target:
+ kind: PersistentVolumeClaim
+ name: nfs-media-roms
+ patch: |
+ - op: replace
+ path: /spec/volumeName
+ value: nfs-media-romm-roms
+ - target:
+ kind: PersistentVolumeClaim
+ name: nfs-media-downloads
+ patch: |
+ - op: replace
+ path: /spec/volumeName
+ value: nfs-media-romm-downloads
+
+images:
+ - name: mariadb
+ newTag: lts
+ - name: rommapp/romm
+ newTag: 4.8.1
diff --git a/k8s-wheatley/romm/namespace.yaml b/k8s-wheatley/romm/namespace.yaml
new file mode 100644
index 0000000..131f95c
--- /dev/null
+++ b/k8s-wheatley/romm/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: romm
diff --git a/k8s-wheatley/romm/pvc.yaml b/k8s-wheatley/romm/pvc.yaml
new file mode 100644
index 0000000..3d64e4c
--- /dev/null
+++ b/k8s-wheatley/romm/pvc.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: romm-db-storage
+spec:
+ storageClassName: piraeus-lvmthin
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: romm-storage
+spec:
+ storageClassName: piraeus-lvmthin
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/k8s-wheatley/romm/secrets.yaml b/k8s-wheatley/romm/secrets.yaml
new file mode 100644
index 0000000..e1a9d82
--- /dev/null
+++ b/k8s-wheatley/romm/secrets.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: romm-db-env-secrets
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: romm-db-env-secrets
+ data:
+ - secretKey: MARIADB_ROOT_PASSWORD
+ remoteRef:
+ key: secrets/managed/romm/romm-db
+ property: ROOT_PASSWORD
+ - secretKey: MARIADB_PASSWORD
+ remoteRef:
+ key: secrets/managed/romm/romm-db
+ property: PASSWORD
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: romm-env-secrets
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: romm-env-secrets
+ data:
+ - secretKey: DB_PASSWD
+ remoteRef:
+ key: secrets/managed/romm/romm-db
+ property: PASSWORD
+ - secretKey: ROMM_AUTH_SECRET_KEY
+ remoteRef:
+ key: secrets/managed/romm/romm
+ property: SECRET_KEY
+ - secretKey: IGDB_CLIENT_ID
+ remoteRef:
+ key: secrets/managed/romm/romm
+ property: IGDB_CLIENT_ID
+ - secretKey: IGDB_CLIENT_SECRET
+ remoteRef:
+ key: secrets/managed/romm/romm
+ property: IGDB_CLIENT_SECRET
+ - secretKey: STEAMGRIDDB_API_KEY
+ remoteRef:
+ key: secrets/managed/romm/romm
+ property: STEAMGRIDDB_API_KEY
diff --git a/k8s-wheatley/qbittorrent/services.yaml b/k8s-wheatley/romm/services.yaml similarity index 62% rename from k8s-wheatley/qbittorrent/services.yaml rename to k8s-wheatley/romm/services.yaml index 323409e..1d89402 100644 --- a/k8s-wheatley/qbittorrent/services.yaml +++ b/k8s-wheatley/romm/services.yaml @@ -2,11 +2,11 @@ apiVersion: v1 kind: Service metadata: - name: qbittorrent + name: romm spec: selector: - app: qbittorrent + app: romm ports: - port: 80 protocol: TCP - targetPort: 8112 + targetPort: 8080 diff --git a/k8s-wheatley/sonarr/deployments.yaml b/k8s-wheatley/sonarr/deployments.yaml index 45e7ea9..79a8b50 100644 --- a/k8s-wheatley/sonarr/deployments.yaml +++ b/k8s-wheatley/sonarr/deployments.yaml @@ -28,8 +28,12 @@ spec: volumeMounts: - mountPath: /config name: sonarr-config - - mountPath: /shared/media - name: nfs-media + - mountPath: /shared/media/series + name: nfs-media-series + - mountPath: /shared/media/anime + name: nfs-media-anime + - mountPath: /shared/media/downloads + name: nfs-media-downloads securityContext: seccompProfile: type: RuntimeDefault @@ -45,6 +49,12 @@ spec: - name: sonarr-config persistentVolumeClaim: claimName: sonarr-storage - - name: nfs-media + - name: nfs-media-series persistentVolumeClaim: - claimName: nfs-media + claimName: nfs-media-series + - name: nfs-media-anime + persistentVolumeClaim: + claimName: nfs-media-anime + - name: nfs-media-downloads + persistentVolumeClaim: + claimName: nfs-media-downloads diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index 51ba92b..4c9f0c9 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization namespace: sonarr resources: - - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
@@ -13,21 +12,54 @@ resources: - services.yaml - namespace.yaml +components: + - ../../kustomize-bases/nfs-media/components/series + - ../../kustomize-bases/nfs-media/components/anime + - ../../kustomize-bases/nfs-media/components/downloads + patches: - target: kind: PersistentVolume - name: nfs-media + name: nfs-media-series patch: | - op: replace path: /metadata/name - value: nfs-media-sonarr + value: nfs-media-sonarr-series - target: kind: PersistentVolumeClaim - name: nfs-media + name: nfs-media-series patch: | - op: replace path: /spec/volumeName - value: nfs-media-sonarr + value: nfs-media-sonarr-series + - target: + kind: PersistentVolume + name: nfs-media-anime + patch: | + - op: replace + path: /metadata/name + value: nfs-media-sonarr-anime + - target: + kind: PersistentVolumeClaim + name: nfs-media-anime + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-sonarr-anime + - target: + kind: PersistentVolume + name: nfs-media-downloads + patch: | + - op: replace + path: /metadata/name + value: nfs-media-sonarr-downloads + - target: + kind: PersistentVolumeClaim + name: nfs-media-downloads + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-sonarr-downloads images: - name: linuxserver/sonarr diff --git a/k8s-wheatley/sonarr/pvc.yaml b/k8s-wheatley/sonarr/pvc.yaml index 14d30b8..2cc9dcb 100644 --- a/k8s-wheatley/sonarr/pvc.yaml +++ b/k8s-wheatley/sonarr/pvc.yaml @@ -9,4 +9,4 @@ spec: - ReadWriteOnce resources: requests: - storage: 5Gi + storage: 10Gi diff --git a/kustomize-bases/cilium/kustomization.yaml b/kustomize-bases/cilium/kustomization.yaml index 4cccdf0..db4bf50 100644 --- a/kustomize-bases/cilium/kustomization.yaml +++ b/kustomize-bases/cilium/kustomization.yaml @@ -13,5 +13,5 @@ helmCharts: repo: https://helm.cilium.io namespace: kube-system releaseName: cilium - version: 1.18.6 + version: 1.18.10 valuesFile: values.yaml 
diff --git a/kustomize-bases/nfs-media/components/anime/kustomization.yaml b/kustomize-bases/nfs-media/components/anime/kustomization.yaml
new file mode 100644
index 0000000..9014f38
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/anime/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
diff --git a/kustomize-bases/nfs-media/components/anime/pvc.yaml b/kustomize-bases/nfs-media/components/anime/pvc.yaml
new file mode 100644
index 0000000..9471154
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/anime/pvc.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-media-anime
+spec:
+ capacity:
+ storage: 40Ti
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 10.0.69.10
+ path: /tank/media/anime
+ mountOptions:
+ - vers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - hard
+ - timeo=600
+ - noatime
+ persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nfs-media-anime
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 40Ti
+ volumeName: nfs-media-anime
diff --git a/kustomize-bases/nfs-media/components/downloads/kustomization.yaml b/kustomize-bases/nfs-media/components/downloads/kustomization.yaml
new file mode 100644
index 0000000..9014f38
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/downloads/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
diff --git a/kustomize-bases/nfs-media/components/downloads/pvc.yaml b/kustomize-bases/nfs-media/components/downloads/pvc.yaml
new file mode 100644
index 0000000..16b0b65
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/downloads/pvc.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-media-downloads
+spec:
+ capacity:
+ storage: 40Ti
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 10.0.69.10
+ path: /tank/media/downloads
+ mountOptions:
+ - vers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - hard
+ - timeo=600
+ - noatime
+ persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nfs-media-downloads
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 40Ti
+ volumeName: nfs-media-downloads
diff --git a/kustomize-bases/nfs-media/components/movies/kustomization.yaml b/kustomize-bases/nfs-media/components/movies/kustomization.yaml
new file mode 100644
index 0000000..9014f38
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/movies/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
diff --git a/kustomize-bases/nfs-media/components/movies/pvc.yaml b/kustomize-bases/nfs-media/components/movies/pvc.yaml
new file mode 100644
index 0000000..28af8e4
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/movies/pvc.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-media-movies
+spec:
+ capacity:
+ storage: 40Ti
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 10.0.69.10
+ path: /tank/media/movies
+ mountOptions:
+ - vers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - hard
+ - timeo=600
+ - noatime
+ persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nfs-media-movies
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 40Ti
+ volumeName: nfs-media-movies
diff --git a/kustomize-bases/nfs-media/components/music/kustomization.yaml b/kustomize-bases/nfs-media/components/music/kustomization.yaml
new file mode 100644
index 0000000..9014f38
--- /dev/null
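Review bot: The `nfs-media-downloads` PV is mounted read-write by several pods and receives content from peer-to-peer clients, yet its `mountOptions` carry no `nosuid` or `nodev`. Adding `- nosuid` and `- nodev` (and `- noexec` if nothing has to be executed from the share) limits what a dropped file can do inside the containers that mount it, notably romm, which sets no `allowPrivilegeEscalation: false`. The same options fit the other five component PVs (anime, movies, music, roms, series), whose `pvc.yaml` files differ only in name and path.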
+++ b/kustomize-bases/nfs-media/components/music/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
diff --git a/kustomize-bases/nfs-media/components/music/pvc.yaml b/kustomize-bases/nfs-media/components/music/pvc.yaml
new file mode 100644
index 0000000..117fb3e
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/music/pvc.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-media-music
+spec:
+ capacity:
+ storage: 40Ti
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 10.0.69.10
+ path: /tank/media/music
+ mountOptions:
+ - vers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - hard
+ - timeo=600
+ - noatime
+ persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nfs-media-music
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 40Ti
+ volumeName: nfs-media-music
diff --git a/kustomize-bases/nfs-media/components/roms/kustomization.yaml b/kustomize-bases/nfs-media/components/roms/kustomization.yaml
new file mode 100644
index 0000000..9014f38
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/roms/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
diff --git a/kustomize-bases/nfs-media/components/roms/pvc.yaml b/kustomize-bases/nfs-media/components/roms/pvc.yaml
new file mode 100644
index 0000000..6f2e6e6
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/roms/pvc.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-media-roms
+spec:
+ capacity:
+ storage: 40Ti
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 10.0.69.10
+ path: /tank/media/roms
+ mountOptions:
+ - vers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - hard
+ - timeo=600
+ - noatime
+ persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nfs-media-roms
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 40Ti
+ volumeName: nfs-media-roms
diff --git a/kustomize-bases/nfs-media/components/series/kustomization.yaml b/kustomize-bases/nfs-media/components/series/kustomization.yaml
new file mode 100644
index 0000000..9014f38
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/series/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+ - pvc.yaml
diff --git a/kustomize-bases/nfs-media/components/series/pvc.yaml b/kustomize-bases/nfs-media/components/series/pvc.yaml
new file mode 100644
index 0000000..0aec6a8
--- /dev/null
+++ b/kustomize-bases/nfs-media/components/series/pvc.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-media-series
+spec:
+ capacity:
+ storage: 40Ti
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 10.0.69.10
+ path: /tank/media/series
+ mountOptions:
+ - vers=4.1
+ - rsize=1048576
+ - wsize=1048576
+ - hard
+ - timeo=600
+ - noatime
+ persistentVolumeReclaimPolicy: Retain
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nfs-media-series
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 40Ti
+ volumeName: nfs-media-series
diff --git a/kustomize-bases/nfs-media/kustomization.yaml b/kustomize-bases/nfs-media/kustomization.yaml
deleted file mode 100644
index 482f897..0000000
--- a/kustomize-bases/nfs-media/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - pvc.yaml diff --git a/kustomize-bases/nfs-media/pvc.yaml b/kustomize-bases/nfs-media/pvc.yaml deleted file mode 100644 index 94091c9..0000000 --- a/kustomize-bases/nfs-media/pvc.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Shared NFS media storage template — used by plex, sonarr, radarr, and qbittorrent. -# All apps on k8s-wheatley mount the same NFS server: 10.0.69.10 -# -# Each app overlays this base with JSON patches in its kustomization.yaml: -# - Always: rename PV (metadata.name) and update PVC volumeName to match -# - plex only: patch accessModes to ReadOnlyMany on both PV and PVC -# - qbittorrent only: patch nfs.path to /tank/media/downloads ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media # renamed per-app via JSON patch -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media # patched per-app to match PV name