diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
index 26b8dcf..7905e06 100644
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@@ -155,7 +155,7 @@ server:
 # -- Repository to use for the server
 repository: argoproj/argocli
 # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
- tag: ""
+ tag: "@sha256:4bd385f07e5245fb7028923cc03fc47515623f553a7e4ffcdd66fb3009133f15"
 rbac:
 # -- Adds Role and RoleBinding for the server.
 create: true
@@ -311,3 +311,34 @@ extraObjects:
 kind: ClusterRole
 name: argo-workflows-view
 apiGroup: rbac.authorization.k8s.io
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ metadata:
+ name: argo-workflows-server-sso
+ namespace: argo-workflows
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+ - apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: argo-workflows-server-sso
+ namespace: argo-workflows
+ subjects:
+ - kind: ServiceAccount
+ name: argo-workflows-server
+ namespace: argo-workflows
+ roleRef:
+ kind: Role
+ name: argo-workflows-server-sso
+ apiGroup: rbac.authorization.k8s.io
diff --git a/k8s-peterg/argocd/applications-wheatley.yaml b/k8s-peterg/argocd/applications-wheatley.yaml
index f0d4229..cd06c12 100644
--- a/k8s-peterg/argocd/applications-wheatley.yaml
+++ b/k8s-peterg/argocd/applications-wheatley.yaml
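Review bot: `tag: "@sha256:…"` carries a digest with an empty tag, and if the chart renders the server image as `repository:tag` (the usual Helm pattern) the result is `argoproj/argocli:@sha256:…`, which the OCI reference grammar rejects because a tag following `:` must be non-empty. The lidarr, romm and soulseekd kustomizations in this same commit use the `TAG@sha256:…` form, which stays a valid reference under either rendering; I would use that here too, e.g. `tag: "<release-tag>@sha256:4bd385f0…"` with the real release tag. Worth checking the chart's image helper before merging, since some charts special-case a leading `@`.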
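Review bot: The new Role grants `create` on `serviceaccounts/token` for every ServiceAccount in `argo-workflows`, so the server SA can mint a token for any account in the namespace, not only the ones mapped to SSO groups. If this is standing in for the chart's own `server.sso.rbac.enabled` switch (which, as far as I recall, provisions a comparable grant alongside the `server.rbac.create: true` seen in the first hunk), enabling that keeps the permission tied to the chart's definition instead of a hand-written `extraObjects` entry. Otherwise consider a `resourceNames` list naming the SSO service accounts — the parent ServiceAccount name is in the request path for this subresource, so the restriction is enforceable, though worth verifying on the cluster — and add a `# --` comment above the entry saying which feature needs it, since nothing in the hunk explains the grant.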
@@ -200,6 +200,25 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+ name: soulseekd
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+ path: k8s-wheatley/soulseekd
+ targetRevision: HEAD
+ destination:
+ server: https://10.13.37.10:6443
+ namespace: soulseekd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
 name: plex
 namespace: argocd
diff --git a/k8s-wheatley/lidarr/kustomization.yaml b/k8s-wheatley/lidarr/kustomization.yaml
index adcf14d..d624a90 100644
--- a/k8s-wheatley/lidarr/kustomization.yaml
+++ b/k8s-wheatley/lidarr/kustomization.yaml
@@ -47,4 +47,4 @@ patches:
 images:
 - name: linuxserver/lidarr
- newTag: 3.1.2-nightly
+ newTag: 3.1.2-nightly@sha256:854684b3df33139a8907fa3e316a3c030676e8e753b7fac78b98d297b8cc6fe0
diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml
index beb69f9..61c614d 100644
--- a/k8s-wheatley/qbittorrent/configmap.yaml
+++ b/k8s-wheatley/qbittorrent/configmap.yaml
@@ -12,7 +12,7 @@ data:
 VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
 VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
 FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
- FIREWALL_INPUT_PORTS: "8112,5030"
+ FIREWALL_INPUT_PORTS: "8112"
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -43,22 +43,6 @@ data:
 ---
 apiVersion: v1
 kind: ConfigMap
-metadata:
- name: slskd-envs
-data:
- TZ: Europe/Amsterdam
- PUID: "1000"
- PGID: "1000"
- SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
- SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
- SLSKD_SHARED_DIR: "[Music]/shared/media/downloads/_slsk-downloads"
- SLSKD_REMOTE_CONFIGURATION: "true"
- SLSKD_VPN: "true"
- SLSKD_VPN_PORT_FORWARDING: "true"
- SLSKD_VPN_GLUETUN_URL: http://localhost:8000
----
-apiVersion: v1
-kind: ConfigMap
 metadata:
 name: unpackerr-envs
 data:
diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml
index 4eb27c3..dd506bc 100644
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@@ -24,9 +24,6 @@ spec:
 - name: qbit-http
 containerPort: 8112
 protocol: TCP
- - name: slskd-http
- containerPort: 5030
- protocol: TCP
 envFrom:
 - configMapRef:
 name: gluetun-envs
@@ -124,30 +121,6 @@ spec:
 capabilities:
 drop:
 - "ALL"
- - name: slskd
- image: docker.io/slskd/slskd
- imagePullPolicy: IfNotPresent
- envFrom:
- - configMapRef:
- name: slskd-envs
- - secretRef:
- name: slskd-env-secrets
- volumeMounts:
- - mountPath: /config
- name: slskd-config
- - mountPath: /shared/media/downloads
- name: nfs-media-downloads
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - "ALL"
- add:
- - "CHOWN"
- - "SETUID"
- - "SETGID"
 volumes:
 - name: dev-tun
 hostPath:
@@ -156,9 +129,6 @@ spec:
 - name: qbittorrent-config
 persistentVolumeClaim:
 claimName: qbittorrent-storage
- - name: slskd-config
- persistentVolumeClaim:
- claimName: slskd-storage
 - name: gluetun-wgconfig
 secret:
 secretName: gluetun-wgconfig
diff --git a/k8s-wheatley/qbittorrent/ingress.yaml b/k8s-wheatley/qbittorrent/ingress.yaml
index e599673..38ddcdf 100644
--- a/k8s-wheatley/qbittorrent/ingress.yaml
+++ b/k8s-wheatley/qbittorrent/ingress.yaml
@@ -15,23 +15,6 @@ spec:
 - name: qbittorrent
 port: 80
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: slskd-route
-spec:
- parentRefs:
- - name: internal
- namespace: kube-system
- sectionName: https
- hostnames:
- - "slskd.wheatley.in"
- rules:
- - backendRefs:
- - name: slskd
- port: 80
-
 ---
 apiVersion: v1
 kind: Service
@@ -44,16 +27,3 @@ spec:
 - port: 80
 protocol: TCP
 targetPort: 8112
-
----
-apiVersion: v1
-kind: Service
-metadata:
- name: slskd
-spec:
- selector:
- app: qbittorrent
- ports:
- - port: 80
- protocol: TCP
- targetPort: 5030
diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml
index 772ec7b..c0a83b0 100644
--- a/k8s-wheatley/qbittorrent/kustomization.yaml
+++ b/k8s-wheatley/qbittorrent/kustomization.yaml
@@ -35,5 +35,3 @@ images:
 newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
 - name: docker.io/qbittorrentofficial/qbittorrent-nox
 newTag: 5.1.4-2@sha256:85fe2690f418dabffc4907276b3cdffcb7880c7114157b32f932d3b97bac45af
- - name: docker.io/slskd/slskd
- newTag: 0.25.1
diff --git a/k8s-wheatley/qbittorrent/pvc.yaml b/k8s-wheatley/qbittorrent/pvc.yaml
index 4500768..c352b02 100644
--- a/k8s-wheatley/qbittorrent/pvc.yaml
+++ b/k8s-wheatley/qbittorrent/pvc.yaml
@@ -10,15 +10,3 @@ spec:
 resources:
 requests:
 storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: slskd-storage
-spec:
- storageClassName: piraeus-lvmthin
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
diff --git a/k8s-wheatley/qbittorrent/secrets.yaml b/k8s-wheatley/qbittorrent/secrets.yaml
index 15021e4..7eebf6b 100644
--- a/k8s-wheatley/qbittorrent/secrets.yaml
+++ b/k8s-wheatley/qbittorrent/secrets.yaml
@@ -18,31 +18,6 @@ spec:
 key: secrets/managed/qbittorrent/protonvpn-wgconfig
 property: config
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: slskd-env-secrets
-spec:
- secretStoreRef:
- name: vault-wheatley
- kind: ClusterSecretStore
- target:
- name: slskd-env-secrets
- data:
- - secretKey: SLSKD_VPN_GLUETUN_API_KEY
- remoteRef:
- key: secrets/managed/qbittorrent/slskd-env-secrets
- property: GLUETUN_API_KEY
- - secretKey: SLSKD_SLSK_USERNAME
- remoteRef:
- key: secrets/managed/qbittorrent/slskd-env-secrets
- property: SLSK_USERNAME
- - secretKey: SLSKD_SLSK_PASSWORD
- remoteRef:
- key: secrets/managed/qbittorrent/slskd-env-secrets
- property: SLSK_PASSWORD
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
diff --git a/k8s-wheatley/romm/kustomization.yaml b/k8s-wheatley/romm/kustomization.yaml
index 3c4bb11..a49cfc5 100644
--- a/k8s-wheatley/romm/kustomization.yaml
+++ b/k8s-wheatley/romm/kustomization.yaml
@@ -48,6 +48,6 @@ patches:
 images:
 - name: mariadb
- newTag: lts
+ newTag: lts@sha256:78a5047d3ba33975f183f183c2464cc7f1eab13ec8667e57cc9a5821d6da7577
 - name: rommapp/romm
- newTag: 4.8.1
+ newTag: 4.8.1@sha256:2b7a1714b287f69b081ad2a63bb8c2fa673666a17b2f21322b580b0cd51cb266
diff --git a/k8s-wheatley/sonarr/pvc.yaml b/k8s-wheatley/sonarr/pvc.yaml
index 14d30b8..2cc9dcb 100644
--- a/k8s-wheatley/sonarr/pvc.yaml
+++ b/k8s-wheatley/sonarr/pvc.yaml
@@ -9,4 +9,4 @@ spec:
 - ReadWriteOnce
 resources:
 requests:
- storage: 5Gi
+ storage: 10Gi
diff --git a/k8s-wheatley/soulseekd/configmap.yaml b/k8s-wheatley/soulseekd/configmap.yaml
new file mode 100644
index 0000000..f27e944
--- /dev/null
+++ b/k8s-wheatley/soulseekd/configmap.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gluetun-envs
+data:
+ TZ: Europe/Amsterdam
+ VPN_SERVICE_PROVIDER: "custom"
+ VPN_TYPE: "wireguard"
+ VPN_PORT_FORWARDING: on
+ VPN_PORT_FORWARDING_PROVIDER: protonvpn
+ FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
+ FIREWALL_INPUT_PORTS: "5030"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: slskd-envs
+data:
+ TZ: Europe/Amsterdam
+ PUID: "1000"
+ PGID: "1000"
+ SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
+ SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
+ SLSKD_SHARED_DIR: "[Music]/shared/media/music"
+ SLSKD_REMOTE_CONFIGURATION: "true"
+ SLSKD_VPN: "true"
+ SLSKD_VPN_PORT_FORWARDING: "true"
+ SLSKD_VPN_GLUETUN_URL: http://localhost:8000
diff --git a/k8s-wheatley/soulseekd/deployments.yaml b/k8s-wheatley/soulseekd/deployments.yaml
new file mode 100644
index 0000000..481bf38
--- /dev/null
+++ b/k8s-wheatley/soulseekd/deployments.yaml
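Review bot: Growing `storage` from 5Gi to 10Gi on an existing PersistentVolumeClaim only takes effect if the claim's StorageClass has `allowVolumeExpansion: true`; otherwise the field is immutable and Argo CD's automated sync will keep failing on this resource instead of resizing it. The StorageClass is not part of this diff, so I cannot confirm that here; if expansion is unsupported the claim needs a migration rather than an edit. Even when it is supported, the filesystem resize may wait until the pod using the claim restarts, depending on the CSI driver.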
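Review bot: `VPN_PORT_FORWARDING: on` is unquoted, and `on` is a YAML 1.1 boolean, so any loader with 1.1 semantics turns this ConfigMap entry into `true`, which the API server rejects because `data` values must be strings; quote it as `VPN_PORT_FORWARDING: "on"`, matching the quoted `"custom"` and `"wireguard"` beside it. `FIREWALL_OUTBOUND_SUBNETS` and `VPN_PORT_FORWARDING_PROVIDER` are safe unquoted but would read more consistently quoted like `FIREWALL_INPUT_PORTS: "5030"`. `SLSKD_VPN_GLUETUN_URL: http://localhost:8000` relies on slskd sharing the pod network namespace with the gluetun sidecar, which holds for any two containers in one pod; a one-line comment saying so would help the next reader, since the qbittorrent ConfigMap this was split out of is in a different directory.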
@@ -0,0 +1,126 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: soulseekd
+ namespace: soulseekd
+ labels:
+ app: soulseekd
+spec:
+ replicas: 1
+ serviceName: soulseekd
+ selector:
+ matchLabels:
+ app: soulseekd
+ template:
+ metadata:
+ labels:
+ app: soulseekd
+ spec:
+ initContainers:
+ - name: gluetun
+ image: ghcr.io/qdm12/gluetun
+ ports:
+ - name: slskd-http
+ containerPort: 5030
+ protocol: TCP
+ envFrom:
+ - configMapRef:
+ name: gluetun-envs
+ - secretRef:
+ name: gluetun-env-secrets
+ volumeMounts:
+ - mountPath: /dev/net/tun
+ name: dev-tun
+ - mountPath: /gluetun/wireguard
+ name: gluetun-wgconfig
+ readOnly: true
+ - name: gluetun-tmp
+ mountPath: /tmp/gluetun
+ restartPolicy: Always
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ [
+ "/bin/sh",
+ "-c",
+ "(ip rule del table 51820; ip -6 rule del table 51820) || true",
+ ]
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - "ping -c 1 9.9.9.9"
+ initialDelaySeconds: 5
+ periodSeconds: 3
+ timeoutSeconds: 2
+ failureThreshold: 3
+ livenessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - "ping -c 1 9.9.9.9"
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ timeoutSeconds: 2
+ failureThreshold: 3
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "NET_ADMIN"
+ - "NET_RAW"
+ containers:
+ - name: slskd
+ image: docker.io/slskd/slskd
+ imagePullPolicy: IfNotPresent
+ envFrom:
+ - configMapRef:
+ name: slskd-envs
+ - secretRef:
+ name: slskd-env-secrets
+ volumeMounts:
+ - mountPath: /config
+ name: slskd-config
+ - mountPath: /shared/media/downloads
+ name: nfs-media-downloads
+ - mountPath: /shared/media/music
+ name: nfs-media-music
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ add:
+ - "CHOWN"
+ - "SETUID"
+ - "SETGID"
+ volumes:
+ - name: dev-tun
+ hostPath:
+ path: /dev/net/tun
+ type: CharDevice
+ - name: slskd-config
+ persistentVolumeClaim:
+ claimName: slskd-storage
+ - name: gluetun-wgconfig
+ secret:
+ secretName: gluetun-wgconfig
+ - name: gluetun-tmp
+ emptyDir: {}
+ - name: nfs-media-downloads
+ persistentVolumeClaim:
+ claimName: nfs-media-downloads
+ - name: nfs-media-music
+ persistentVolumeClaim:
+ claimName: nfs-media-music
diff --git a/k8s-wheatley/soulseekd/ingress.yaml b/k8s-wheatley/soulseekd/ingress.yaml
new file mode 100644
index 0000000..9ddba90
--- /dev/null
+++ b/k8s-wheatley/soulseekd/ingress.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: slskd-route
+spec:
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - "slskd.wheatley.in"
+ rules:
+ - backendRefs:
+ - name: slskd
+ port: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: slskd
+spec:
+ selector:
+ app: soulseekd
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 5030
diff --git a/k8s-wheatley/soulseekd/kustomization.yaml b/k8s-wheatley/soulseekd/kustomization.yaml
new file mode 100644
index 0000000..0667a41
--- /dev/null
+++ b/k8s-wheatley/soulseekd/kustomization.yaml
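Review bot: The `slskd` container drops all capabilities but adds back `CHOWN`, `SETUID` and `SETGID`, which only makes sense if the entrypoint starts as root and then switches to the `PUID`/`PGID` 1000 from the ConfigMap; nothing in the pod sets `runAsNonRoot` or `readOnlyRootFilesystem`, and with the namespace enforcing `privileged` Pod Security there is no admission check left to flag it. If the image can be started directly as uid 1000, `securityContext.runAsUser: 1000` plus dropping those three capabilities is the tighter form; if it cannot, a comment above the `add:` list explaining why they are needed would save the next reviewer the same question. Neither container declares `resources` requests or limits, so the pod is BestEffort unless a LimitRange exists in the namespace, which this diff does not create. The `initContainers[].restartPolicy: Always` sidecar form with probes on it requires Kubernetes 1.29 or later; the cluster version is not visible here.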
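Review bot: The HTTPRoute attaches to the `internal` Gateway in `kube-system` from a brand-new namespace, and that only works if the Gateway's `https` listener admits routes from `soulseekd` through `allowedRoutes.namespaces` — `Same` would reject it, and a `Selector` would need a label that the Namespace object in this commit does not carry — so the route could sit unattached with nothing in this diff showing why. The previous route lived under the qbittorrent kustomization where this was presumably already working, so check the listener policy before relying on `slskd.wheatley.in`. The Service selector `app: soulseekd` does match the StatefulSet's pod labels, and `targetPort: 5030` matches `FIREWALL_INPUT_PORTS: "5030"`, which is what lets inbound traffic past gluetun's firewall.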
@@ -0,0 +1,52 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: soulseekd
+
+resources:
+ - configmap.yaml
+ - deployments.yaml
+ - ingress.yaml
+ - pvc.yaml
+ - secrets.yaml
+ - namespace.yaml
+
+components:
+ - ../../kustomize-bases/nfs-media/components/downloads
+ - ../../kustomize-bases/nfs-media/components/music
+
+patches:
+ - target:
+ kind: PersistentVolume
+ name: nfs-media-downloads
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: nfs-media-soulseekd-downloads
+ - target:
+ kind: PersistentVolumeClaim
+ name: nfs-media-downloads
+ patch: |
+ - op: replace
+ path: /spec/volumeName
+ value: nfs-media-soulseekd-downloads
+ - target:
+ kind: PersistentVolume
+ name: nfs-media-music
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: nfs-media-soulseekd-music
+ - target:
+ kind: PersistentVolumeClaim
+ name: nfs-media-music
+ patch: |
+ - op: replace
+ path: /spec/volumeName
+ value: nfs-media-soulseekd-music
+
+images:
+ - name: ghcr.io/qdm12/gluetun
+ newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
+ - name: docker.io/slskd/slskd
+ newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3
diff --git a/k8s-wheatley/soulseekd/namespace.yaml b/k8s-wheatley/soulseekd/namespace.yaml
new file mode 100644
index 0000000..8e7a9f5
--- /dev/null
+++ b/k8s-wheatley/soulseekd/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: soulseekd
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/k8s-wheatley/soulseekd/pvc.yaml b/k8s-wheatley/soulseekd/pvc.yaml
new file mode 100644
index 0000000..214582c
--- /dev/null
+++ b/k8s-wheatley/soulseekd/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: slskd-storage
+spec:
+ storageClassName: piraeus-lvmthin
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
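Review bot: `pod-security.kubernetes.io/enforce: privileged` switches off every Pod Security check for the whole namespace, and only the gluetun sidecar needs that (the hostPath `/dev/net/tun`, `NET_ADMIN`/`NET_RAW` and `allowPrivilegeEscalation: true` in the StatefulSet are all rejected by `baseline`); the `slskd` container on its own would pass `baseline`. Since `enforce` cannot be scoped per pod, keep it, but add `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` so later drift in the workload still surfaces in the audit log and at apply time, and put a comment above the label naming gluetun as the reason it is `privileged`.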
diff --git a/k8s-wheatley/soulseekd/secrets.yaml b/k8s-wheatley/soulseekd/secrets.yaml
new file mode 100644
index 0000000..41f76d1
--- /dev/null
+++ b/k8s-wheatley/soulseekd/secrets.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: gluetun-wgconfig
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: gluetun-wgconfig
+ template:
+ data:
+ wg0.conf: "{{ .config }}"
+ data:
+ - secretKey: config
+ remoteRef:
+ key: secrets/managed/soulseekd/protonvpn-wgconfig
+ property: config
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: slskd-env-secrets
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: slskd-env-secrets
+ data:
+ - secretKey: SLSKD_VPN_GLUETUN_API_KEY
+ remoteRef:
+ key: secrets/managed/soulseekd/slskd-env-secrets
+ property: GLUETUN_API_KEY
+ - secretKey: SLSKD_SLSK_USERNAME
+ remoteRef:
+ key: secrets/managed/soulseekd/slskd-env-secrets
+ property: SLSK_USERNAME
+ - secretKey: SLSKD_SLSK_PASSWORD
+ remoteRef:
+ key: secrets/managed/soulseekd/slskd-env-secrets
+ property: SLSK_PASSWORD
+ - secretKey: SLSKD_PASSWORD
+ remoteRef:
+ key: secrets/managed/soulseekd/slskd-env-secrets
+ property: SLSKD_PASSWORD
+ - secretKey: SLSKD_API_KEY
+ remoteRef:
+ key: secrets/managed/soulseekd/slskd-env-secrets
+ property: API_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: gluetun-env-secrets
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: gluetun-env-secrets
+ data:
+ - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
+ remoteRef:
+ key: secrets/managed/soulseekd/gluetun-env-secrets
+ property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
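Review bot: `SLSKD_VPN_GLUETUN_API_KEY`, pulled from `secrets/managed/soulseekd/slskd-env-secrets`, has to agree with whatever key the role in `HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE` grants (assuming gluetun's default-role setting carries the api key), yet that value comes from a different Vault key, `secrets/managed/soulseekd/gluetun-env-secrets`, and nothing in these manifests ties the two together, so a mismatch only shows up as slskd failing to reach the control server at runtime. A comment on each of the two ExternalSecrets pointing at the other, e.g. `# must match the apikey in gluetun-env-secrets/HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE`, would record that coupling. All three ExternalSecrets omit `refreshInterval`, so the operator default applies; if rotating the WireGuard config or the slskd password in Vault is expected to take effect, note that the StatefulSet carries no reload annotation and keeps the old values until its pod restarts. The Vault paths moved from `secrets/managed/qbittorrent/…` to `secrets/managed/soulseekd/…`, so those entries must exist before Argo CD syncs the new Application.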