chore(deps): update helm release cilium to v1.19.4

Reviewed-on: #82

k8s-peterg/argo-workflows/kustomization.yaml

@@ -11,5 +11,5 @@ helmCharts:
     repo: https://argoproj.github.io/argo-helm
     namespace: argo-workflows
     releaseName: argo-workflows
-    version: 1.0.13
+    version: 1.0.14
     valuesFile: values.yaml

k8s-peterg/argo-workflows/values.yaml

@@ -154,8 +154,6 @@ server:
     registry: quay.io
     # -- Repository to use for the server
     repository: argoproj/argocli
-    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
-    tag: ""
   rbac:
     # -- Adds Role and RoleBinding for the server.
     create: true
@@ -311,3 +309,34 @@ extraObjects:
       kind: ClusterRole
       name: argo-workflows-view
       apiGroup: rbac.authorization.k8s.io
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: argo-workflows-server-sso
+      namespace: argo-workflows
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - serviceaccounts
+        verbs:
+          - get
+      - apiGroups:
+          - ""
+        resources:
+          - serviceaccounts/token
+        verbs:
+          - create
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: argo-workflows-server-sso
+      namespace: argo-workflows
+    subjects:
+      - kind: ServiceAccount
+        name: argo-workflows-server
+        namespace: argo-workflows
+    roleRef:
+      kind: Role
+      name: argo-workflows-server-sso
+      apiGroup: rbac.authorization.k8s.io

k8s-peterg/argocd/applications-peterg.yaml

@@ -17,6 +17,8 @@ spec:
     automated:
       prune: true
       selfHeal: true
+    syncOptions:
+      - ServerSideApply=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -81,6 +83,31 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+  name: metrics-server-peterg
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://kubernetes-sigs.github.io/metrics-server
+    targetRevision: 3.13.0
+    chart: metrics-server
+    helm:
+      releaseName: metrics-server
+      values: |
+        args:
+          - --kubelet-insecure-tls=true
+          - --kubelet-preferred-address-types=InternalIP
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
   name: argo-workflows
   namespace: argocd

k8s-peterg/argocd/applications-wheatley.yaml

@@ -80,6 +80,31 @@ spec:
       selfHeal: true
     syncOptions:
       - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metrics-server-wheatley
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://kubernetes-sigs.github.io/metrics-server
+    targetRevision: 3.13.0
+    chart: metrics-server
+    helm:
+      releaseName: metrics-server
+      values: |
+        args:
+          - --kubelet-insecure-tls=true
+          - --kubelet-preferred-address-types=InternalIP
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
 
 ---
 apiVersion: argoproj.io/v1alpha1
@@ -200,6 +225,25 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+  name: soulseekd
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-wheatley/soulseekd
+    targetRevision: HEAD
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: soulseekd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
   name: plex
   namespace: argocd
@@ -216,3 +260,22 @@ spec:
     automated:
       prune: true
       selfHeal: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: romm
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-wheatley/romm
+    targetRevision: HEAD
+  destination:
+    server: https://10.13.37.10:6443
+    namespace: romm
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

k8s-peterg/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.4.0
+    version: 2.5.0

k8s-peterg/renovate-operator/kustomization.yaml

@@ -15,5 +15,5 @@ helmCharts:
     repo: https://helm.mogenius.com/public
     namespace: renovate-operator
     releaseName: renovate-operator
-    version: "4.7.0"
+    version: "4.8.1"
     valuesFile: values.yaml

k8s-wheatley/cloudnative-pg/kustomization.yaml

@@ -11,5 +11,5 @@ helmCharts:
     repo: https://cloudnative-pg.github.io/charts
     namespace: cnpg-system
     releaseName: cloudnative-pg
-    version: 0.28.0
+    version: 0.28.2
     valuesFile: values.yaml

k8s-wheatley/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.4.0
+    version: 2.5.0

k8s-wheatley/lidarr/kustomization.yaml

@@ -47,4 +47,4 @@ patches:
 
 images:
   - name: linuxserver/lidarr
-    newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7
+    newTag: 3.1.2-nightly@sha256:2643e3751213f544ca3fa082f41c5557efe7cf733989bc33e1455e3b2b523cd5

k8s-wheatley/lidarr/pvc.yaml

@@ -9,4 +9,4 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 5Gi
+      storage: 10Gi

k8s-wheatley/plex/deployments.yaml

@@ -34,6 +34,8 @@ spec:
               name: nfs-media-series
             - mountPath: /data/anime
               name: nfs-media-anime
+            - mountPath: /data/music
+              name: nfs-media-music
           securityContext:
             seccompProfile:
               type: RuntimeDefault
@@ -58,3 +60,6 @@ spec:
         - name: nfs-media-anime
           persistentVolumeClaim:
             claimName: nfs-media-anime
+        - name: nfs-media-music
+          persistentVolumeClaim:
+            claimName: nfs-media-music

k8s-wheatley/plex/kustomization.yaml

@@ -16,6 +16,7 @@ components:
   - ../../kustomize-bases/nfs-media/components/movies
   - ../../kustomize-bases/nfs-media/components/series
   - ../../kustomize-bases/nfs-media/components/anime
+  - ../../kustomize-bases/nfs-media/components/music
 
 patches:
   - target:
@@ -78,6 +79,26 @@ patches:
       - op: replace
         path: /spec/accessModes/0
         value: ReadOnlyMany
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-plex-music
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-plex-music
+      - op: replace
+        path: /spec/accessModes/0
+        value: ReadOnlyMany
 
 images:
 - name: plexinc/pms-docker

k8s-wheatley/prowlarr/kustomization.yaml

@@ -16,4 +16,4 @@ images:
   - name: flaresolverr/flaresolverr
     newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
   - name: linuxserver/prowlarr
-    newTag: 2.3.5@sha256:c5de2a8758a05594319263e7691c1dce56899442ed1720d6eca216c0958f4caf
+    newTag: 2.3.5@sha256:c9fe528f34b1fd3715438b6f6d6991d64e2965f2c055db36398bc66a0e7eab01

k8s-wheatley/qbittorrent/configmap.yaml

@@ -12,7 +12,7 @@ data:
   VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
   VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
   FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
-  FIREWALL_INPUT_PORTS: "8112,5030"
+  FIREWALL_INPUT_PORTS: "8112"
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -43,22 +43,6 @@ data:
 ---
 apiVersion: v1
 kind: ConfigMap
-metadata:
-  name: slskd-envs
-data:
-  TZ: Europe/Amsterdam
-  PUID: "1000"
-  PGID: "1000"
-  SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
-  SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
-  SLSKD_SHARED_DIR: "[Music]/shared/media/downloads/_slsk-downloads"
-  SLSKD_REMOTE_CONFIGURATION: "true"
-  SLSKD_VPN: "true"
-  SLSKD_VPN_PORT_FORWARDING: "true"
-  SLSKD_VPN_GLUETUN_URL: http://localhost:8000
----
-apiVersion: v1
-kind: ConfigMap
 metadata:
   name: unpackerr-envs
 data:

k8s-wheatley/qbittorrent/deployments.yaml

@@ -17,6 +17,7 @@ spec:
       labels:
         app: qbittorrent
     spec:
+      nodeName: k8s-wheatley-worker02
       initContainers:
         - name: gluetun
           image: ghcr.io/qdm12/gluetun
@@ -24,9 +25,6 @@ spec:
             - name: qbit-http
               containerPort: 8112
               protocol: TCP
-            - name: slskd-http
-              containerPort: 5030
-              protocol: TCP
           envFrom:
             - configMapRef:
                 name: gluetun-envs
@@ -124,30 +122,6 @@ spec:
             capabilities:
               drop:
                 - "ALL"
-        - name: slskd
-          image: docker.io/slskd/slskd
-          imagePullPolicy: IfNotPresent
-          envFrom:
-            - configMapRef:
-                name: slskd-envs
-            - secretRef:
-                name: slskd-env-secrets
-          volumeMounts:
-            - mountPath: /config
-              name: slskd-config
-            - mountPath: /shared/media/downloads
-              name: nfs-media-downloads
-          securityContext:
-            seccompProfile:
-              type: RuntimeDefault
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - "ALL"
-              add:
-                - "CHOWN"
-                - "SETUID"
-                - "SETGID"
       volumes:
         - name: dev-tun
           hostPath:
@@ -156,9 +130,6 @@ spec:
         - name: qbittorrent-config
           persistentVolumeClaim:
             claimName: qbittorrent-storage
-        - name: slskd-config
-          persistentVolumeClaim:
-            claimName: slskd-storage
         - name: gluetun-wgconfig
           secret:
             secretName: gluetun-wgconfig

k8s-wheatley/qbittorrent/ingress.yaml

@@ -15,23 +15,6 @@ spec:
         - name: qbittorrent
           port: 80
 
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: slskd-route
-spec:
-  parentRefs:
-    - name: internal
-      namespace: kube-system
-      sectionName: https
-  hostnames:
-    - "slskd.wheatley.in"
-  rules:
-    - backendRefs:
-        - name: slskd
-          port: 80
-
 ---
 apiVersion: v1
 kind: Service
@@ -44,16 +27,3 @@ spec:
     - port: 80
       protocol: TCP
       targetPort: 8112
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: slskd
-spec:
-  selector:
-    app: qbittorrent
-  ports:
-    - port: 80
-      protocol: TCP
-      targetPort: 5030

k8s-wheatley/qbittorrent/kustomization.yaml

@@ -35,5 +35,3 @@ images:
     newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
   - name: docker.io/qbittorrentofficial/qbittorrent-nox
     newTag: 5.1.4-2@sha256:85fe2690f418dabffc4907276b3cdffcb7880c7114157b32f932d3b97bac45af
-  - name: docker.io/slskd/slskd
-    newTag: 0.25.1

k8s-wheatley/qbittorrent/pvc.yaml

@@ -10,15 +10,3 @@ spec:
   resources:
     requests:
       storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: slskd-storage
-spec:
-  storageClassName: piraeus-lvmthin
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

k8s-wheatley/qbittorrent/secrets.yaml

@@ -18,31 +18,6 @@ spec:
         key: secrets/managed/qbittorrent/protonvpn-wgconfig
         property: config
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: slskd-env-secrets
-spec:
-  secretStoreRef:
-    name: vault-wheatley
-    kind: ClusterSecretStore
-  target:
-    name: slskd-env-secrets
-  data:
-    - secretKey: SLSKD_VPN_GLUETUN_API_KEY
-      remoteRef:
-        key: secrets/managed/qbittorrent/slskd-env-secrets
-        property: GLUETUN_API_KEY
-    - secretKey: SLSKD_SLSK_USERNAME
-      remoteRef:
-        key: secrets/managed/qbittorrent/slskd-env-secrets
-        property: SLSK_USERNAME
-    - secretKey: SLSKD_SLSK_PASSWORD
-      remoteRef:
-        key: secrets/managed/qbittorrent/slskd-env-secrets
-        property: SLSK_PASSWORD
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret

k8s-wheatley/radarr/kustomization.yaml

@@ -48,4 +48,4 @@ patches:
 
 images:
   - name: linuxserver/radarr
-    newTag: 6.1.1@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
+    newTag: 6.1.1@sha256:079e48870584baf2a3e7e43e7ba6d3c834555931851a59c82c51cc792d285caf

k8s-wheatley/romm/configmap.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: romm-db-envs
+data:
+  MARIADB_DATABASE: romm
+  MARIADB_USER: romm
+  TZ: Europe/Amsterdam
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: romm-envs
+data:
+  DB_HOST: 127.0.0.1
+  DB_NAME: romm
+  DB_USER: romm
+  ROMM_PORT: "8080"
+  HASHEOUS_API_ENABLED: "true"
+  TZ: Europe/Amsterdam

k8s-wheatley/romm/deployments.yaml

@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: romm
+  labels:
+    app: romm
+spec:
+  replicas: 1
+  serviceName: romm
+  selector:
+    matchLabels:
+      app: romm
+  template:
+    metadata:
+      labels:
+        app: romm
+    spec:
+      initContainers:
+        - name: romm-db
+          image: mariadb
+          envFrom:
+            - configMapRef:
+                name: romm-db-envs
+            - secretRef:
+                name: romm-db-env-secrets
+          volumeMounts:
+            - mountPath: /var/lib/mysql
+              name: romm-db-data
+          restartPolicy: Always
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "healthcheck.sh --connect --innodb_initialized"
+            initialDelaySeconds: 5
+            periodSeconds: 3
+            timeoutSeconds: 2
+            failureThreshold: 3
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "healthcheck.sh --connect --innodb_initialized"
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 2
+            failureThreshold: 3
+      containers:
+        - name: romm
+          image: rommapp/romm
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8080
+          envFrom:
+            - configMapRef:
+                name: romm-envs
+            - secretRef:
+                name: romm-env-secrets
+          volumeMounts:
+            - mountPath: /romm
+              name: romm-data
+            - mountPath: /romm/library
+              name: nfs-media-roms
+              readOnly: true
+            - mountPath: /romm/downloads
+              name: nfs-media-downloads
+              readOnly: true
+      volumes:
+        - name: romm-db-data
+          persistentVolumeClaim:
+            claimName: romm-db-storage
+        - name: romm-data
+          persistentVolumeClaim:
+            claimName: romm-storage
+        - name: nfs-media-roms
+          persistentVolumeClaim:
+            claimName: nfs-media-roms
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads

k8s-wheatley/romm/ingress.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: romm-route
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "roms.wheatley.in"
+  rules:
+    - backendRefs:
+        - name: romm
+          port: 80

k8s-wheatley/romm/kustomization.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: romm
+
+resources:
+  - configmap.yaml
+  - deployments.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - secrets.yaml
+  - services.yaml
+  - namespace.yaml
+
+components:
+  - ../../kustomize-bases/nfs-media/components/roms
+  - ../../kustomize-bases/nfs-media/components/downloads
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-roms
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-romm-roms
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-romm-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-roms
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-romm-roms
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-romm-downloads
+
+images:
+  - name: mariadb
+    newTag: lts@sha256:78185355dd49b54dd6909072531ce8d7e06aa0eccd7aa5b23c93ebb7e34c5aaa
+  - name: rommapp/romm
+    newTag: 4.8.1@sha256:2b7a1714b287f69b081ad2a63bb8c2fa673666a17b2f21322b580b0cd51cb266

k8s-wheatley/romm/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: romm

k8s-wheatley/romm/pvc.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: romm-db-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: romm-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

k8s-wheatley/romm/secrets.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: romm-db-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: romm-db-env-secrets
+  data:
+    - secretKey: MARIADB_ROOT_PASSWORD
+      remoteRef:
+        key: secrets/managed/romm/romm-db
+        property: ROOT_PASSWORD
+    - secretKey: MARIADB_PASSWORD
+      remoteRef:
+        key: secrets/managed/romm/romm-db
+        property: PASSWORD
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: romm-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: romm-env-secrets
+  data:
+    - secretKey: DB_PASSWD
+      remoteRef:
+        key: secrets/managed/romm/romm-db
+        property: PASSWORD
+    - secretKey: ROMM_AUTH_SECRET_KEY
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: SECRET_KEY
+    - secretKey: IGDB_CLIENT_ID
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: IGDB_CLIENT_ID
+    - secretKey: IGDB_CLIENT_SECRET
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: IGDB_CLIENT_SECRET
+    - secretKey: STEAMGRIDDB_API_KEY
+      remoteRef:
+        key: secrets/managed/romm/romm
+        property: STEAMGRIDDB_API_KEY

k8s-wheatley/romm/services.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: romm
+spec:
+  selector:
+    app: romm
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 8080

k8s-wheatley/sonarr/deployments.yaml

@@ -16,6 +16,7 @@ spec:
       labels:
         app: sonarr
     spec:
+      nodeName: k8s-wheatley-worker03
       containers:
         - name: sonarr
           image: linuxserver/sonarr

k8s-wheatley/sonarr/kustomization.yaml

@@ -63,4 +63,4 @@ patches:
 
 images:
   - name: linuxserver/sonarr
-    newTag: 4.0.17@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020
+    newTag: 4.0.17@sha256:0b5c4803f92456fb9b65bae8375716ea120b4ea17b3cced7da32b63f0085782b

k8s-wheatley/sonarr/pvc.yaml

@@ -9,4 +9,4 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 5Gi
+      storage: 10Gi

k8s-wheatley/soulseekd/configmap.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-envs
+data:
+  TZ: Europe/Amsterdam
+  VPN_SERVICE_PROVIDER: "custom"
+  VPN_TYPE: "wireguard"
+  VPN_PORT_FORWARDING: on
+  VPN_PORT_FORWARDING_PROVIDER: protonvpn
+  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
+  FIREWALL_INPUT_PORTS: "5030"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: slskd-envs
+data:
+  TZ: Europe/Amsterdam
+  PUID: "1000"
+  PGID: "1000"
+  SLSKD_DOWNLOADS_DIR: /shared/media/downloads/_slsk-downloads
+  SLSKD_INCOMPLETE_DIR: /shared/media/downloads/_slsk-incomplete
+  SLSKD_SHARED_DIR: "[Music]/shared/media/music"
+  SLSKD_REMOTE_CONFIGURATION: "true"
+  SLSKD_VPN: "true"
+  SLSKD_VPN_PORT_FORWARDING: "true"
+  SLSKD_VPN_GLUETUN_URL: http://localhost:8000

k8s-wheatley/soulseekd/deployments.yaml

@@ -0,0 +1,127 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: soulseekd
+  namespace: soulseekd
+  labels:
+    app: soulseekd
+spec:
+  replicas: 1
+  serviceName: soulseekd
+  selector:
+    matchLabels:
+      app: soulseekd
+  template:
+    metadata:
+      labels:
+        app: soulseekd
+    spec:
+      nodeName: k8s-wheatley-worker01
+      initContainers:
+        - name: gluetun
+          image: ghcr.io/qdm12/gluetun
+          ports:
+            - name: slskd-http
+              containerPort: 5030
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: gluetun-envs
+            - secretRef:
+                name: gluetun-env-secrets
+          volumeMounts:
+            - mountPath: /dev/net/tun
+              name: dev-tun
+            - mountPath: /gluetun/wireguard
+              name: gluetun-wgconfig
+              readOnly: true
+            - name: gluetun-tmp
+              mountPath: /tmp/gluetun
+          restartPolicy: Always
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  [
+                    "/bin/sh",
+                    "-c",
+                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
+                  ]
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "ping -c 1 9.9.9.9"
+            initialDelaySeconds: 5
+            periodSeconds: 3
+            timeoutSeconds: 2
+            failureThreshold: 3
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - "ping -c 1 9.9.9.9"
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 2
+            failureThreshold: 3
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - "ALL"
+              add:
+                - "CHOWN"
+                - "NET_ADMIN"
+                - "NET_RAW"
+      containers:
+        - name: slskd
+          image: docker.io/slskd/slskd
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: slskd-envs
+            - secretRef:
+                name: slskd-env-secrets
+          volumeMounts:
+            - mountPath: /config
+              name: slskd-config
+            - mountPath: /shared/media/downloads
+              name: nfs-media-downloads
+            - mountPath: /shared/media/music
+              name: nfs-media-music
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - "ALL"
+              add:
+                - "CHOWN"
+                - "SETUID"
+                - "SETGID"
+      volumes:
+        - name: dev-tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice
+        - name: slskd-config
+          persistentVolumeClaim:
+            claimName: slskd-storage
+        - name: gluetun-wgconfig
+          secret:
+            secretName: gluetun-wgconfig
+        - name: gluetun-tmp
+          emptyDir: {}
+        - name: nfs-media-downloads
+          persistentVolumeClaim:
+            claimName: nfs-media-downloads
+        - name: nfs-media-music
+          persistentVolumeClaim:
+            claimName: nfs-media-music

k8s-wheatley/soulseekd/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: slskd-route
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - "slskd.wheatley.in"
+  rules:
+    - backendRefs:
+        - name: slskd
+          port: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: slskd
+spec:
+  selector:
+    app: soulseekd
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 5030

k8s-wheatley/soulseekd/kustomization.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: soulseekd
+
+resources:
+  - configmap.yaml
+  - deployments.yaml
+  - ingress.yaml
+  - pvc.yaml
+  - secrets.yaml
+  - namespace.yaml
+
+components:
+  - ../../kustomize-bases/nfs-media/components/downloads
+  - ../../kustomize-bases/nfs-media/components/music
+
+patches:
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-soulseekd-downloads
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-downloads
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-soulseekd-downloads
+  - target:
+      kind: PersistentVolume
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: nfs-media-soulseekd-music
+  - target:
+      kind: PersistentVolumeClaim
+      name: nfs-media-music
+    patch: |
+      - op: replace
+        path: /spec/volumeName
+        value: nfs-media-soulseekd-music
+
+images:
+  - name: ghcr.io/qdm12/gluetun
+    newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
+  - name: docker.io/slskd/slskd
+    newTag: 0.25.1@sha256:ab9ed50e028b524cefdb7c1dd8ebca368a076e18441ee8ac2326473eb850b4c3

k8s-wheatley/soulseekd/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: soulseekd
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

k8s-wheatley/soulseekd/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: slskd-storage
+spec:
+  storageClassName: piraeus-lvmthin
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

k8s-wheatley/soulseekd/secrets.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gluetun-wgconfig
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: gluetun-wgconfig
+    template:
+      data:
+        wg0.conf: "{{ .config }}"
+  data:
+    - secretKey: config
+      remoteRef:
+        key: secrets/managed/soulseekd/protonvpn-wgconfig
+        property: config
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: slskd-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: slskd-env-secrets
+  data:
+    - secretKey: SLSKD_VPN_GLUETUN_API_KEY
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: GLUETUN_API_KEY
+    - secretKey: SLSKD_SLSK_USERNAME
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: SLSK_USERNAME
+    - secretKey: SLSKD_SLSK_PASSWORD
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: SLSK_PASSWORD
+    - secretKey: SLSKD_PASSWORD
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: SLSKD_PASSWORD
+    - secretKey: SLSKD_API_KEY
+      remoteRef:
+        key: secrets/managed/soulseekd/slskd-env-secrets
+        property: API_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gluetun-env-secrets
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: gluetun-env-secrets
+  data:
+    - secretKey: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
+      remoteRef:
+        key: secrets/managed/soulseekd/gluetun-env-secrets
+        property: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE

kustomize-bases/alloy/kustomization.yaml

@@ -9,7 +9,7 @@ resources:
 helmCharts:
   - name: alloy
     repo: https://grafana.github.io/helm-charts
-    version: "1.8.0"
+    version: "1.8.1"
     releaseName: alloy
     valuesFile: values.yaml
   - name: kube-state-metrics
@@ -18,5 +18,5 @@ helmCharts:
     releaseName: kube-state-metrics
   - name: prometheus-operator-crds
     repo: https://prometheus-community.github.io/helm-charts
-    version: "28.0.1"
+    version: "29.0.0"
     releaseName: prometheus-operator-crds

kustomize-bases/alloy/values.yaml

@@ -127,7 +127,7 @@ configReloader:
     # -- Repository to get config reloader image from.
     repository: prometheus-operator/prometheus-config-reloader
     # -- Tag of image to use for config reloading.
-    tag: v0.90.1@sha256:693faa0b87243cddca2cffb13586e4e2778b0cdf319cb2e601ba7af3fd19ef7d
+    tag: v0.91.0@sha256:7d9e4eea5f1139e602508871f422b0116c60e87c662f3dcd234d5ab60cd0d8c1
     # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag`
     digest: ""
   # -- Override the args passed to the container.