diff --git a/apps/base/jellyfin/allow-from-ingress.patch.yaml b/apps/base/jellyfin/allow-from-ingress.patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ed6a2bd895f0a63289fe4c3d4cd0c5d2aa85ac33
--- /dev/null
+++ b/apps/base/jellyfin/allow-from-ingress.patch.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: jellyfin
\ No newline at end of file
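Review bot: Nothing in this file says that it is a partial patch, so on its own it reads like a complete NetworkPolicy with a pod selector and no rules. A header comment such as `# Patch for shared/networkpolicies/allow-from-ingress.yaml: only sets podSelector to the jellyfin pods; the rules come from the shared policy.` would make the intent clear. The same applies to allow-to-public-web.patch.yaml in the next hunk.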
diff --git a/apps/base/jellyfin/allow-to-public-web.patch.yaml b/apps/base/jellyfin/allow-to-public-web.patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8ff73f3005d3835401e7fa704293022fe9eecae4
--- /dev/null
+++ b/apps/base/jellyfin/allow-to-public-web.patch.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: jellyfin
\ No newline at end of file
diff --git a/apps/base/jellyfin/deployment.yaml b/apps/base/jellyfin/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ea42f570ee43e92f98fead2683acffacd4275c40
--- /dev/null
+++ b/apps/base/jellyfin/deployment.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: jellyfin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: jellyfin
+    spec:
+      serviceAccountName: jellyfin
+      containers:
+      - env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        image: docker.io/jellyfin/jellyfin:10.8.13
+        imagePullPolicy: IfNotPresent
+        name: jellyfin
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8096
+        ports:
+        - containerPort: 8096
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data/media
+          name: media
+          readOnly: False
+        - mountPath: /config/transcodes
+          name: transcodes-tmp
+        - mountPath: /config
+          name: jellyfin-config
+        - mountPath: /cache
+          name: jellyfin-cache
+        resources:
+          requests:
+            amd.com/gpu: 1
+            memory: 2Gi
+            cpu: 100m
+          limits:
+            amd.com/gpu: 1
+            memory: 3.5Gi
+            cpu: "4"
+        securityContext:
+          allowPrivilegeEscalation: false
+      restartPolicy: Always
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: "RuntimeDefault"
+      volumes:
+      - name: transcodes-tmp
+        ephemeral:
+          volumeClaimTemplate:
+            spec:
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 50Gi
+      - name: media
+        persistentVolumeClaim:
+          claimName: media
+      - name: jellyfin-config
+        persistentVolumeClaim:
+          claimName: jellyfin-config
+      - name: jellyfin-cache
+        emptyDir:
+          sizeLimit: 500Mi
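Review bot: The container `securityContext` sets only `allowPrivilegeEscalation: false`, so the container keeps the runtime's default capability set. Adding `capabilities: {drop: ["ALL"]}` beside it would, together with the `runAsNonRoot` and `seccompProfile` settings already on the pod, appear to satisfy the Pod Security `restricted` profile, assuming the GPU device plugin needs no extra capability. The image is referenced by tag only (`jellyfin:10.8.13`); pinning it as `docker.io/jellyfin/jellyfin:10.8.13@sha256:<digest>` keeps the deployed content fixed. `readOnly: False` on the media mount is better written as `false`.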
diff --git a/apps/base/jellyfin/kustomization.yaml b/apps/base/jellyfin/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e9dcce4f76c87260ef3f1a1d596e3eb1ec8e5ad9
--- /dev/null
+++ b/apps/base/jellyfin/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jellyfin
+
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - pvc.yaml
+  - service.yaml
+  - serviceaccount.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web.yaml
+
+patches:
+  - path: allow-from-ingress.patch.yaml
+  - path: allow-to-public-web.patch.yaml
diff --git a/apps/base/jellyfin/namespace.yaml b/apps/base/jellyfin/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3afecf79708b4213cf008b70f639b4e4ebcbc947
--- /dev/null
+++ b/apps/base/jellyfin/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jellyfin
\ No newline at end of file
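Review bot: The new base Namespace has no `pod-security.kubernetes.io/*` labels, whereas the apps/k8s01/jellyfin/namespace.yaml deleted later in this commit set `enforce: baseline` with `audit` and `warn` at `restricted`. Unless those labels are applied from somewhere not shown here, the namespace loses Pod Security admission enforcement once this change is reconciled. I would carry them over, for example `pod-security.kubernetes.io/enforce: baseline` under `metadata.labels`, either here or as an overlay patch. The deleted file also defined the `flux-reconciler` ServiceAccount and its `admin` RoleBinding, so it is worth confirming that no Flux Kustomization still impersonates that account.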
diff --git a/apps/base/jellyfin/pvc.yaml b/apps/base/jellyfin/pvc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b7d0bf7f32cbb1822994dde76f08a59cd085a2d4
--- /dev/null
+++ b/apps/base/jellyfin/pvc.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: media
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
diff --git a/apps/k8s01/jellyfin/service.yaml b/apps/base/jellyfin/service.yaml
similarity index 62%
rename from apps/k8s01/jellyfin/service.yaml
rename to apps/base/jellyfin/service.yaml
index 24a579ce4a995b4d3ae7169d9e7d2dbb3e5eafa8..35fe4198c2509287d8e853912e4e2109fff69581 100644
--- a/apps/k8s01/jellyfin/service.yaml
+++ b/apps/base/jellyfin/service.yaml
@@ -2,9 +2,6 @@
 apiVersion: v1
 kind: Service
 metadata:
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
   name: jellyfin
 spec:
   ports:
@@ -13,6 +10,5 @@ spec:
     protocol: TCP
     targetPort: 8096
   selector:
-    app.kubernetes.io/name: jellyfin
     app.kubernetes.io/component: jellyfin
   type: ClusterIP
diff --git a/apps/base/jellyfin/serviceaccount.yaml b/apps/base/jellyfin/serviceaccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4271ce2019de7060095162762d0b44c950e8f3e2
--- /dev/null
+++ b/apps/base/jellyfin/serviceaccount.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+automountServiceAccountToken: false
\ No newline at end of file
diff --git a/apps/k8s01/jellyfin/deployment.yaml b/apps/k8s01/jellyfin/deployment.yaml
index 51d0c558fc8a5958e42eaa4e561a23d080a351e6..0f0a1d7713854725968c457f96a2b1cd0c167b3d 100644
--- a/apps/k8s01/jellyfin/deployment.yaml
+++ b/apps/k8s01/jellyfin/deployment.yaml
@@ -1,106 +1,22 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: jellyfin
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: jellyfin
-      app.kubernetes.io/component: jellyfin
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: jellyfin
-        app.kubernetes.io/component: jellyfin
-    spec:
-      containers:
-      - env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        image: docker.io/jellyfin/jellyfin:10.8.13
-        imagePullPolicy: IfNotPresent
-        name: jellyfin
-        readinessProbe:
-          httpGet:
-            path: /health
-            port: 8096
-        ports:
-        - containerPort: 8096
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /data/media/shows
-          name: shows
-        - mountPath: /data/media/movies
-          name: movies
-        - mountPath: /data/media
-          name: media
-          readOnly: False
-        - mountPath: /config/transcodes
-          name: transcodes-tmp
-        - mountPath: /config
-          name: jellyfin-config
-        - mountPath: /cache
-          name: jellyfin-cache
-        resources:
-          requests:
-            amd.com/gpu: 1
-            memory: 2Gi
-            cpu: 100m
-          limits:
-            amd.com/gpu: 1
-            memory: 3.5Gi
-            cpu: "4"
-        securityContext:
-          allowPrivilegeEscalation: false
-      restartPolicy: Always
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-        seccompProfile:
-          type: "RuntimeDefault"
-      volumes:
-      - name: transcodes-tmp
-        ephemeral:
-          volumeClaimTemplate:
-            spec:
-              accessModes:
-                - ReadWriteOnce
-              resources:
-                requests:
-                  storage: 50Gi
-      - name: movies
-        persistentVolumeClaim:
-          claimName: jellyfin-movies
-      - name: shows
-        persistentVolumeClaim:
-          claimName: jellyfin-shows
-      - name: media
-        persistentVolumeClaim:
-          claimName: media
-      - name: jellyfin-config
-        persistentVolumeClaim:
-          claimName: jellyfin-config
-      - name: jellyfin-cache
-        emptyDir:
-          sizeLimit: 500Mi
+- op: add
+  path: /spec/template/spec/volumes/0
+  value:
+    name: movies
+    persistentVolumeClaim:
+      claimName: jellyfin-movies
+- op: add
+  path: /spec/template/spec/volumes/0
+  value:
+    name: shows
+    persistentVolumeClaim:
+      claimName: jellyfin-shows
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/0
+  value:
+    mountPath: /data/media/shows
+    name: shows
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/0
+  value:
+    mountPath: /data/media/movies
+    name: movies
\ No newline at end of file
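Review bot: `deployment.yaml` now holds a JSON 6902 operation list rather than a Deployment, and the file name no longer signals that. Renaming it in line with the base's `*.patch.yaml` files (for example `deployment.patch.yaml`, with the `path:` in kustomization.yaml updated to match) would help. So would a header comment such as `# JSON 6902 patch: adds the movies and shows volumes and mounts to the base jellyfin Deployment`. Because every `add` inserts at index `0`, the resulting list order is the reverse of the order written here; that looks harmless, but a short comment would save the next reader the trace.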
diff --git a/apps/k8s01/jellyfin/kustomization.yaml b/apps/k8s01/jellyfin/kustomization.yaml
index 93d58e9751c0408ab63c03016840e45b5ed3bf5b..c98b7c9f3ae8bc968ef4f2fbb27ff1fe57b4aab9 100644
--- a/apps/k8s01/jellyfin/kustomization.yaml
+++ b/apps/k8s01/jellyfin/kustomization.yaml
@@ -1,19 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: jellyfin
+
+commonLabels:
+  app.kubernetes.io/name: jellyfin
+  app.kubernetes.io/instance: jellyfin
+
 resources:
-  - namespace.yaml
+  - ../../base/jellyfin
   - pv.yaml
   - pvc.yaml
-  - deployment.yaml
-  - service.yaml
   - certificate.yaml
   - ingress.yaml
   - slo.yaml
-  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
-  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
-  - ../../../shared/networkpolicies/allow-from-ingress.yaml
-  - ../../../shared/networkpolicies/allow-to-public-web.yaml
   - ../../../shared/resourcequotas/default.yaml
-patchesStrategicMerge:
-  - networkpolicy.yaml
\ No newline at end of file
+
+patches:
+  - path: deployment.yaml
+    target:
+      kind: Deployment
+      group: apps
+      version: v1
+      name: jellyfin
\ No newline at end of file
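Review bot: `commonLabels` is written into selectors as well as `metadata.labels`, so the two labels added here also land in the Deployment's `spec.selector`, the Service selector and the NetworkPolicy pod selectors. If the shared allow-from-ingress or allow-to-public-web policies (not shown) select peers through `podSelector.matchLabels`, the jellyfin labels would be merged into those peer selectors too and the allow rule could stop matching its intended peer. The `labels` form below with `includeSelectors: false` keeps the labels on metadata and pod templates only, and the NetworkPolicies in the `kustomize build` output are worth checking either way. Separately, the Deployment selector no longer equals the previous `name`/`component` pair under either form, and `spec.selector` is immutable, so an existing Deployment would likely have to be recreated.
```yaml
labels:
  - pairs:
      app.kubernetes.io/name: jellyfin
      app.kubernetes.io/instance: jellyfin
    includeSelectors: false
    includeTemplates: true
```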
diff --git a/apps/k8s01/jellyfin/namespace.yaml b/apps/k8s01/jellyfin/namespace.yaml
deleted file mode 100644
index 1dbc13b460e032f6018747da986ef1b0520df221..0000000000000000000000000000000000000000
--- a/apps/k8s01/jellyfin/namespace.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: jellyfin
-  labels:
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: v1.26
-    pod-security.kubernetes.io/enforce-version: v1.23
-    pod-security.kubernetes.io/warn-version: v1.26
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: flux-reconciler
-  namespace: jellyfin
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: flux-reconciler
-  namespace: jellyfin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-  - kind: ServiceAccount
-    name: flux-reconciler
-    namespace: jellyfin
diff --git a/apps/k8s01/jellyfin/networkpolicy.yaml b/apps/k8s01/jellyfin/networkpolicy.yaml
deleted file mode 100644
index ab9a83f1d3e7c5c648bcd2d87d10c4866040a57d..0000000000000000000000000000000000000000
--- a/apps/k8s01/jellyfin/networkpolicy.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-from-ingress
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: jellyfin
-      app.kubernetes.io/component: jellyfin
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: allow-to-public-web
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: jellyfin
-      app.kubernetes.io/component: jellyfin
\ No newline at end of file
diff --git a/apps/k8s01/jellyfin/pvc.yaml b/apps/k8s01/jellyfin/pvc.yaml
index 618a3a802fedfd7da8b35662583f70803d0f2503..1595358b44bc0620094ac1005bf1e28b00e6e9af 100644
--- a/apps/k8s01/jellyfin/pvc.yaml
+++ b/apps/k8s01/jellyfin/pvc.yaml
@@ -31,31 +31,3 @@ spec:
     requests:
       storage: 2Ti
   volumeName: jellyfin-shows
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: jellyfin-config
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: media
-  labels:
-    app.kubernetes.io/name: jellyfin
-    app.kubernetes.io/component: jellyfin
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi