diff --git a/apps/base/jellyfin/deployment.yaml b/apps/base/jellyfin/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f56784cd283424f6e11b8789a2fa45a09d365faa
--- /dev/null
+++ b/apps/base/jellyfin/deployment.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: jellyfin
+      app.kubernetes.io/component: jellyfin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: jellyfin
+        app.kubernetes.io/component: jellyfin
+    spec:
+      containers:
+      - env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        image: docker.io/jellyfin/jellyfin:10.8.8
+        imagePullPolicy: IfNotPresent
+        name: jellyfin
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8096
+        ports:
+        - containerPort: 8096
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data/media
+          name: media
+          readOnly: True
+        - mountPath: /config
+          name: jellyfin-config
+        - mountPath: /cache
+          name: jellyfin-cache
+        resources:
+          requests:
+            amd.com/gpu: 1
+            memory: 512Mi
+            cpu: 100m
+          limits:
+            memory: 2Gi
+      restartPolicy: Always
+      volumes:
+      - name: media
+        persistentVolumeClaim:
+          claimName: media
+      - name: jellyfin-config
+        persistentVolumeClaim:
+          claimName: jellyfin-config
+      - name: jellyfin-cache
+        emptyDir:
+          sizeLimit: 500Mi
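Review bot: The `jellyfin` container has no `securityContext`, so it runs with the image's default user, the runtime's default capability set and privilege escalation allowed. The namespace added in this commit enforces only `baseline` while auditing and warning on `restricted`, so the pod is admitted but will keep producing warnings. Setting `allowPrivilegeEscalation: false`, dropping all capabilities and selecting the `RuntimeDefault` seccomp profile is low-risk; `runAsNonRoot` with a fixed UID is worth adding too, but only after checking ownership of the `/config` volume and access to the GPU device nodes. Separately, `amd.com/gpu: 1` appears only under `requests`; Kubernetes requires extended resources to be set under `limits` (equal to any request), so the entry should be repeated there. `readOnly: True` should also be written `readOnly: true`.

```yaml
        name: jellyfin
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: readinessProbe, ports, volumeMounts …
        resources:
          # … unchanged: requests …
          limits:
            amd.com/gpu: 1
            memory: 2Gi
```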
diff --git a/apps/base/jellyfin/kustomization.yaml b/apps/base/jellyfin/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..35c0a6332f3c686bbf410768eb452125eb4600c5
--- /dev/null
+++ b/apps/base/jellyfin/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jellyfin
+resources:
+- namespace.yaml
+- pvc.yaml
+- deployment.yaml
+- service.yaml
+- ../../../shared/networkpolicies/allow-from-ingress.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml
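Review bot: `patchesStrategicMerge` is deprecated from kustomize v5 onwards in favour of `patches`, so this will start emitting deprecation warnings once the toolchain is upgraded. The equivalent is `patches:` followed by `- path: networkpolicy.yaml`. The two lists in this file are also indented differently (flush under `resources`, indented under `patchesStrategicMerge`); picking one style keeps later diffs clean.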
diff --git a/apps/base/jellyfin/namespace.yaml b/apps/base/jellyfin/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..39fb12d96fcadce4bd12217865bb5a1ad2259c9f
--- /dev/null
+++ b/apps/base/jellyfin/namespace.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jellyfin
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: v1.23
+    pod-security.kubernetes.io/enforce-version: v1.23
+    pod-security.kubernetes.io/warn-version: v1.23
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: jellyfin
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: jellyfin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: jellyfin
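Review bot: The `flux-reconciler` RoleBinding grants the built-in `admin` ClusterRole, which within this namespace can read Secrets and create further Roles and RoleBindings. That is more than is needed to apply the Deployment, Service, PVCs, NetworkPolicy, Ingress and Certificate this commit ships. If the reconciler only has to manage those kinds, a namespaced Role listing them would limit the damage from a compromised or misconfigured reconciler. If `admin` is kept deliberately, say so in a comment above the binding, for example `# flux-reconciler needs admin: it manages RBAC objects for this tenant`. The Pod Security labels also pin `v1.23` and enforce only `baseline`; moving `enforce` to `restricted` once the Deployment has a security context, and tracking the cluster version, would make the audit and warn labels enforceable.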
diff --git a/apps/base/jellyfin/networkpolicy.yaml b/apps/base/jellyfin/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..66e15f631745d8a2e55a78f1f1cde92aabb3525c
--- /dev/null
+++ b/apps/base/jellyfin/networkpolicy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: jellyfin
+      app.kubernetes.io/component: jellyfin
\ No newline at end of file
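Review bot: Nothing in this file shows that it is a strategic-merge patch rather than a complete policy. It carries only `spec.podSelector` and takes its rules from the shared `allow-from-ingress.yaml`, which this commit does not show. I would add a leading comment such as `# Patch: scopes shared/networkpolicies/allow-from-ingress.yaml to the jellyfin pods`. Egress from the pod is presumably unrestricted unless the shared policy or another policy in the namespace covers it, which is worth confirming. The file also lacks a trailing newline.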
diff --git a/apps/base/jellyfin/pvc.yaml b/apps/base/jellyfin/pvc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7e944051a895eb1ba0191ee98a197ed41cf041b1
--- /dev/null
+++ b/apps/base/jellyfin/pvc.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: media
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Mi
+  volumeName: jellyfin-media
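Review bot: The `media` claim binds statically via `volumeName: jellyfin-media` but sets no `storageClassName`. On a cluster with a default StorageClass, the admission controller fills that class in, and the claim then stays Pending if the pre-provisioned volume has a different or empty class. Adding `storageClassName: ""` to the `media` claim makes the static binding explicit. The PersistentVolume `jellyfin-media` is not part of this commit, so its class and reclaim policy should be checked against this claim.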
diff --git a/apps/base/jellyfin/service.yaml b/apps/base/jellyfin/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..24a579ce4a995b4d3ae7169d9e7d2dbb3e5eafa8
--- /dev/null
+++ b/apps/base/jellyfin/service.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+  name: jellyfin
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8096
+  selector:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+  type: ClusterIP
diff --git a/apps/k8s01/jellyfin/certificate.yaml b/apps/k8s01/jellyfin/certificate.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3f9c5a77eb199e17bb89d2404432e56a45a1062f
--- /dev/null
+++ b/apps/k8s01/jellyfin/certificate.yaml
@@ -0,0 +1,64 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: jellyfin-tls
+    namespace: jellyfin
+spec:
+    dnsNames:
+        - ENC[AES256_GCM,data:2e8sQpOq+p0Sj4/2l8fgOyIXWDvJj82big==,iv:WgUtIa0Lgel2gECJsSHKf14XM9SdSlwjTS452T6rEQ4=,tag:RIlQhsjyWGzdRjwIAV4nYQ==,type:str]
+    issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+    secretName: ingress-jellyfin-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-11T09:22:19Z"
+    mac: ENC[AES256_GCM,data:KOyUIKATuGJJQP9fgLBCAno8JW5NRX14ao2ZtjcF5evK3S/a5f36wWwt1xF/FcrM8r23SoJTRSxYq5yyD9V9KolnxyzM49IIYdRks2mJSjdGNl9TcMMFX7vvnu0LgWA7u4ZAG8lI6Eny/63hwwfQWe8KEjHFySs+MnFIwwe4Ics=,iv:jE3yp1Yy0f3mN54076VHE4iYO116sbew7QgLltbQJKQ=,tag:iJ3xYIl5GQBEwnpn/0R1Fg==,type:str]
+    pgp:
+        - created_at: "2023-01-11T09:22:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFLA7kpg2bgzVHcAQ/3eJ8Gk/OoSKGL4SWsSeG3M7xGHTcXzVCyckzyTRxm4r1a
+            UIF1Z5ojiklkmlihncqntwQva8dW1eQsJdisJTfUXWWvY4pOKzVjrdg5BrLEa/DU
+            Ve1vnMw+byKCfySxAiaJk6PgXpUS+f7ytfNpLQeEmdorEuKWzltn+tC3qrqDvmzI
+            K2TZObpWGhfAd1ti/DDm7wbZ7ACCxRC3RSXsxfmQAnz/q/RA9ilZ5wiu3v1Mg6DF
+            Bq7bkcuz0fLbRYN7Zlj2QXjGFj6imBpfKrmFQNLPGJeu2mJ5LbhejeN2q6JOY3eg
+            KUrGwYtpg9JKZ/vmCIXOkgC4BTS2OrC0Nsq4B1dyReEvcMRRxVdD39tQmb2aJrC9
+            9XUn+DQFoaLjEsvpo9Rom4vdCjXcldqbMZooB5Hu0fGKjWvmq4SCy0bvrIrhrXHt
+            65diFjNdgJGJ/V7hfzrp8xOuMhyLh7XDYD0yBNNoK/Wtgk5+gU6pWD3dlEgr/QHx
+            aQ3RNkh4YZwsb+uwDqUccH0cC4smqQwhm8KuBCkqU5RlzF2N9FZdD03sUzpNt22u
+            JGWDq4F/dgdHxcuI1EALQO7uyu/w8H5OaWb9YpKelp/CM/lcPKmRl3cNAhtHmVzj
+            tBeNQ46yCjkMBPQAT6mGOUDMho7uRvFSqib/WHwuHbLd+naUZufP2wdNOtwX0dJR
+            ARDZ6xrzfna6A/0imkoeG3QJu+f1YGG7c/++Nha+DlySoYTk7AME2O+mnE6M9AR6
+            xPXWAVty2oOi74Yd5mE6FG/tDtlKucnnnk2DiK3kR8X4
+            =cRBa
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-01-11T09:22:19Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ/+MDHT/V2JlwS5iFGqzQmFymkjXAqVvdQi+JmX3MX2zQpK
+            j6JjbcPTf1O9/LeAUNFgB8nDjzEWHpcHhO2MBkosFMmk+8iTNLpyBtxI4ypKRkj4
+            g4Z0oSOwMoDky0SQknDCIGodNu5CUAWtd+lpVVo5IJbUiuzPEtUB16KDNHLLcggN
+            1yYbCkdWPJ+S5lvL4MBn0ZkLKYnShEiptAjKzVMyUZLN9gCZGVAqJ2NKFprvuNd+
+            OAn+lpmSwf2rl3tVicE4+0/nj0kwUIKmR8ypPCmIPPvxQFqSPAPGjS6888VMDy7Z
+            bVoUIDewU5Ue1BmuUzl61l9nMfhcOqiOL1cHC6Gtc0XTqToyV8AyCAKe0GQHNiJB
+            HzhJ21L9g5L1WC/NjHqW1BMU8xBEpYqDMH+5jIxpsmfjtrCg7erELbzJNRG7HmNI
+            zY4R+mOuqhugNT8Bspun6zhZxuN8DMvG9ngHs5WlbwUFk27zyqcqer1idAtGj1TG
+            9Qw91ganx9yJ0thJSsFQtcMSWiI9cJBmpTWDKxEOp+g9R3TQ60NhFc+jh7I80cjv
+            IpLb7QYOluFGatijy1+5totqN11/bk/7UdK4vZOtPTQKhbUWdDxj/mbPIOtf2Ilp
+            4W7n1kOtT7G3cZH2J/aqYRYi6JiGaOzli4grPL4xFlgSo32GlItO4KuCgof1LInU
+            aAEJAhB5jfq4LKYP+r+IDltGS/F9areEjM9hykXhOmN9b2hmjRRIbdIFex5NYy6f
+            6XcHul2/j83X5o5TmlbZCAmXS0qJxnnHTqxVpdnwJCWdFU0daAjtxGqQF2aicmXy
+            FmW89z603wAV
+            =+g7F
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
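Review bot: Encrypting `dnsNames` keeps the hostname out of the repository, but not out of public view if the `letsencrypt` ClusterIssuer is a public ACME CA, as its name suggests. Every certificate issued that way is published to Certificate Transparency logs with the hostname in it. The encryption is therefore repository hygiene rather than a way of hiding the service, and access control on Jellyfin itself should not assume the name is secret. I would state this in whatever document describes the `encrypted_regex` rule, rather than in this file.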
diff --git a/apps/k8s01/jellyfin/ingress.yaml b/apps/k8s01/jellyfin/ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f92a5c7054b9297f6f0f31d8815d15e3e7fe49ab
--- /dev/null
+++ b/apps/k8s01/jellyfin/ingress.yaml
@@ -0,0 +1,80 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: jellyfin
+    namespace: jellyfin
+    labels:
+        app.kubernetes.io/name: jellyfin
+        app.kubernetes.io/component: jellyfin
+    annotations:
+        forecastle.stakater.com/expose: "true"
+        forecastle.stakater.com/appName: Jellyfin
+        forecastle.stakater.com/group: Apps
+spec:
+    rules:
+        - host: ENC[AES256_GCM,data:4+LBVSF1Hcsjjqc7/6sw5rjt+qhgkwnoeQ==,iv:8ydyWqCkYv7kItxoQxGFxVp4iSODurIe69xU+e64KIQ=,tag:/TSKzTs1e8AOc+pVuYy5xA==,type:str]
+          http:
+            paths:
+                - path: /
+                  pathType: Prefix
+                  backend:
+                    service:
+                        name: jellyfin
+                        port:
+                            number: 80
+    tls:
+        hosts:
+            - ENC[AES256_GCM,data:mtrbDFZUudLTqptl8CVYwucJ523U3HbLfw==,iv:dB8b797YLz0VmSssw8PUGs4mZxYSWbTC566UtdzrESo=,tag:erBCXBzD0tFIhKn3S+tj4w==,type:str]
+        secretName: ingress-jellyfin-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-11T09:22:23Z"
+    mac: ENC[AES256_GCM,data:EWA9hcHeYZ8lbrQT2mPIUhhze6Le1pHEXHoF4yRm4uuzySIkq1fsl2pTNf4++fGk5ht3L2Oi9u/S7YC8M8m6cP5J37DfahzWEmFHmbbbH6q2qRO8gvS9qADChHU6i/z82k/WtKUeNujJtRluumPKnexvRg/7MBbtSAeaDQubkks=,iv:C0rmi53xz0eK6hbRq0cRG3C/aj6Ai0FcJ0q81xdTDSo=,tag:PPIipe4LdG4s/tClTtQP6Q==,type:str]
+    pgp:
+        - created_at: "2023-01-11T09:22:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//VBiURBAjpkGmlAtGhHkKN4/zi6LbZIWeViMOIrajctKI
+            wldyYRR8Aej75UHN5gxcZbpJF+q1RbaBZxdxukKcgzA/JZ5eofKf8nZGXZh5YZx9
+            yYO3quytd0rRAnLc8TPuWPPJFcACcrHIG8diwWgAOjmnnIXbvSJaPYU3Y3ksOiHo
+            6ANng4qfTjN684jNtO7MlAREdykO8zeovWmUVaA97z+uMcAT/o0S5on10J+wiyTt
+            lR/qefaySJ1kDIrbVdBPSZC0ix0Aybs8E8R/EqhV8msxYJGh87ufLsEdQcKWJSXT
+            D7aOrHz9HikLldTQc3Z3rld7U80IqG51rySfwBzjlTCG2WEyY3XmMwAtBonnUDzY
+            41S4u7JdWAqGBWowLzZOXZa+Y30QjD5b58eOYlYeb0z2ONSm5esQH2p9ophKsS35
+            CzpPYBXG7ZB5CO4zYUkPhfRsW2QPB5zd90cIJBzoiXvQ6AceeeOy67Tzv8wsa2Iu
+            y9KqFoI3bO317G8ObaVL3mYXjdxFzrgT3f9kCPIi3oKiY99G/z4LLt1uWD9Z/ubQ
+            np302fqNWpVgj4bgki2LJyl0rR5icukrwlI/1OycJ66Bcg78AJ/N5h9kAe+jd/GQ
+            NLvbb36caMiQgxYIT3xw7Cf8lHQUpqO+dvDNfvnU/BO0WOtWjhjGpQFjl4yAZQjS
+            UQH0fDddNCGlv8wrn2rfn753yeXdaPWUSxFGiEggRYskFQxb69y1KIYiAl8Vyi8I
+            YVs1aWW04ZDtyCAwJsCpDmh2eAh9U4VytLVfbFb0VyCTAA==
+            =3wQL
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-01-11T09:22:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAsYdfioZSRosaLy8WtDZzTJwforPpTKEOITT3j3UL/47V
+            qShg/s1sorcH0bniB8N0s79Z4Hnhyca6zKhk9g14OXqcM4z0u+IguRvpB1P/E0H4
+            mZ2AUcTzbuE+/QE7c4deqbMPYZ6OZIjv88c78qS+gO2Czq5a/2g3U8O4mz/6uWlc
+            fzYn9/3v2aQWTs9nSIuZHYmnbMkTGXdi/3lE75HQ8lNger7B+zHOpUpbT1h0SIrk
+            gmb3+qyANYYJiXu/JJsDGZQkTbgW0DfcNlh06l6qfeBd/Jggo30N41PU07H8lS0Q
+            /q8Mqha+2BYc39MHZMlu4IVERsmEm5AtVxl6ilVHYIdSyEu0fEi/XAVQegXS0JUt
+            P50mI1afPJuaudP5WweVO0G3ZelGvGKDHCg5nftn3LDAaVkVCCXDDxMWGMDWKFX2
+            y64Aah5Gm+vXvDWBlV/Tmkmpc3X1Lg5F8MMYGrqC2OGQqXmnDc4x3AOZzonmo4ci
+            HEyUe/Lu5u8eQyU8shXhqrziJkTotXtPKZ6msDNE2iLzGi26Ih5Ffadxg8OUArUw
+            NLxfl5sNd894DZu/U2X2kOfA1Fv72GXp5GKEievVx1LY4jLjLbSP+yyW8HsmTrPj
+            A+F/hK//vh/rkXGQuQbKyJpsjm26DedzmfQLEDdic9UjlcQ8SC/B2+8f1jQ+XbXU
+            aAEJAhDGc6mHvv2QpjFnn5B4VbzrvCzOK+q6ixP6mb/RGmUsgtc67vTxnmBCy5jO
+            gSGD4lAiOr+y2FFzj4GGUv7qq5wOfV8bcFb/ZFHyPjG42OHDWhLyOOB0NlgqNXeV
+            bXQwV0HyK91K
+            =GgFv
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
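Review bot: As written, `spec.tls` is a mapping (`tls:` followed directly by `hosts:` and `secretName:`), but the Ingress API expects a list of TLS entries, so the object should fail to decode or the TLS block will not take effect. The entry should begin with a list marker, `- hosts:`, with `secretName: ingress-jellyfin-tls` aligned under it, in the same way `rules` uses `- host:`. It is safest to make the edit with `sops` so the file's MAC stays valid. The spec also sets no `ingressClassName`, so which controller serves this host depends on the cluster's default IngressClass. Setting `ingressClassName: <ingress-class-placeholder>` explicitly avoids the Ingress being picked up by an unintended controller.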
diff --git a/apps/k8s01/jellyfin/kustomization.yaml b/apps/k8s01/jellyfin/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1988a3221a6dba95f797c6ecb2d39076ee301e68
--- /dev/null
+++ b/apps/k8s01/jellyfin/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jellyfin
+resources:
+  - ../../base/jellyfin
+  - certificate.yaml
+  - ingress.yaml
+  - ../../../shared/resourcequotas/default.yaml