Compare revisions

Botaniker (Bot) · Sheogorath · Sheogorath · Sheogorath · Sheogorath · Sheogorath
--- a/apps/k8s01/jellyfin/certificate.yaml
+++ b/apps/k8s01/jellyfin/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: jellyfin-tls
+    namespace: jellyfin
+spec:
+    dnsNames:
+        - ENC[AES256_GCM,data:2e8sQpOq+p0Sj4/2l8fgOyIXWDvJj82big==,iv:WgUtIa0Lgel2gECJsSHKf14XM9SdSlwjTS452T6rEQ4=,tag:RIlQhsjyWGzdRjwIAV4nYQ==,type:str]
+    issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+    secretName: ingress-jellyfin-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-11T09:22:19Z"
+    mac: ENC[AES256_GCM,data:KOyUIKATuGJJQP9fgLBCAno8JW5NRX14ao2ZtjcF5evK3S/a5f36wWwt1xF/FcrM8r23SoJTRSxYq5yyD9V9KolnxyzM49IIYdRks2mJSjdGNl9TcMMFX7vvnu0LgWA7u4ZAG8lI6Eny/63hwwfQWe8KEjHFySs+MnFIwwe4Ics=,iv:jE3yp1Yy0f3mN54076VHE4iYO116sbew7QgLltbQJKQ=,tag:iJ3xYIl5GQBEwnpn/0R1Fg==,type:str]
+    pgp:
+        - created_at: "2023-01-11T09:22:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFLA7kpg2bgzVHcAQ/3eJ8Gk/OoSKGL4SWsSeG3M7xGHTcXzVCyckzyTRxm4r1a
+            UIF1Z5ojiklkmlihncqntwQva8dW1eQsJdisJTfUXWWvY4pOKzVjrdg5BrLEa/DU
+            Ve1vnMw+byKCfySxAiaJk6PgXpUS+f7ytfNpLQeEmdorEuKWzltn+tC3qrqDvmzI
+            K2TZObpWGhfAd1ti/DDm7wbZ7ACCxRC3RSXsxfmQAnz/q/RA9ilZ5wiu3v1Mg6DF
+            Bq7bkcuz0fLbRYN7Zlj2QXjGFj6imBpfKrmFQNLPGJeu2mJ5LbhejeN2q6JOY3eg
+            KUrGwYtpg9JKZ/vmCIXOkgC4BTS2OrC0Nsq4B1dyReEvcMRRxVdD39tQmb2aJrC9
+            9XUn+DQFoaLjEsvpo9Rom4vdCjXcldqbMZooB5Hu0fGKjWvmq4SCy0bvrIrhrXHt
+            65diFjNdgJGJ/V7hfzrp8xOuMhyLh7XDYD0yBNNoK/Wtgk5+gU6pWD3dlEgr/QHx
+            aQ3RNkh4YZwsb+uwDqUccH0cC4smqQwhm8KuBCkqU5RlzF2N9FZdD03sUzpNt22u
+            JGWDq4F/dgdHxcuI1EALQO7uyu/w8H5OaWb9YpKelp/CM/lcPKmRl3cNAhtHmVzj
+            tBeNQ46yCjkMBPQAT6mGOUDMho7uRvFSqib/WHwuHbLd+naUZufP2wdNOtwX0dJR
+            ARDZ6xrzfna6A/0imkoeG3QJu+f1YGG7c/++Nha+DlySoYTk7AME2O+mnE6M9AR6
+            xPXWAVty2oOi74Yd5mE6FG/tDtlKucnnnk2DiK3kR8X4
+            =cRBa
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-01-11T09:22:19Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ/+MDHT/V2JlwS5iFGqzQmFymkjXAqVvdQi+JmX3MX2zQpK
+            j6JjbcPTf1O9/LeAUNFgB8nDjzEWHpcHhO2MBkosFMmk+8iTNLpyBtxI4ypKRkj4
+            g4Z0oSOwMoDky0SQknDCIGodNu5CUAWtd+lpVVo5IJbUiuzPEtUB16KDNHLLcggN
+            1yYbCkdWPJ+S5lvL4MBn0ZkLKYnShEiptAjKzVMyUZLN9gCZGVAqJ2NKFprvuNd+
+            OAn+lpmSwf2rl3tVicE4+0/nj0kwUIKmR8ypPCmIPPvxQFqSPAPGjS6888VMDy7Z
+            bVoUIDewU5Ue1BmuUzl61l9nMfhcOqiOL1cHC6Gtc0XTqToyV8AyCAKe0GQHNiJB
+            HzhJ21L9g5L1WC/NjHqW1BMU8xBEpYqDMH+5jIxpsmfjtrCg7erELbzJNRG7HmNI
+            zY4R+mOuqhugNT8Bspun6zhZxuN8DMvG9ngHs5WlbwUFk27zyqcqer1idAtGj1TG
+            9Qw91ganx9yJ0thJSsFQtcMSWiI9cJBmpTWDKxEOp+g9R3TQ60NhFc+jh7I80cjv
+            IpLb7QYOluFGatijy1+5totqN11/bk/7UdK4vZOtPTQKhbUWdDxj/mbPIOtf2Ilp
+            4W7n1kOtT7G3cZH2J/aqYRYi6JiGaOzli4grPL4xFlgSo32GlItO4KuCgof1LInU
+            aAEJAhB5jfq4LKYP+r+IDltGS/F9areEjM9hykXhOmN9b2hmjRRIbdIFex5NYy6f
+            6XcHul2/j83X5o5TmlbZCAmXS0qJxnnHTqxVpdnwJCWdFU0daAjtxGqQF2aicmXy
+            FmW89z603wAV
+            =+g7F
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
--- a/apps/k8s01/jellyfin/deployment.yaml
+++ b/apps/k8s01/jellyfin/deployment.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: jellyfin
+      app.kubernetes.io/component: jellyfin
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: jellyfin
+        app.kubernetes.io/component: jellyfin
+    spec:
+      containers:
+      - env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        image: docker.io/jellyfin/jellyfin:10.8.8
+        imagePullPolicy: IfNotPresent
+        name: jellyfin
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8096
+        ports:
+        - containerPort: 8096
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /data/media/shows
+          name: shows
+          readOnly: True
+        - mountPath: /data/media/movies
+          name: movies
+          readOnly: True
+        - mountPath: /data/media
+          name: media
+          readOnly: False
+        - mountPath: /config
+          name: jellyfin-config
+        - mountPath: /cache
+          name: jellyfin-cache
+        resources:
+          requests:
+            amd.com/gpu: 1
+            memory: 512Mi
+            cpu: 100m
+          limits:
+            amd.com/gpu: 1
+            memory: 2Gi
+            cpu: "1"
+      restartPolicy: Always
+      volumes:
+      - name: movies
+        persistentVolumeClaim:
+          claimName: jellyfin-movies
+      - name: shows
+        persistentVolumeClaim:
+          claimName: jellyfin-shows
+      - name: media
+        persistentVolumeClaim:
+          claimName: media
+      - name: jellyfin-config
+        persistentVolumeClaim:
+          claimName: jellyfin-config
+      - name: jellyfin-cache
+        emptyDir:
+          sizeLimit: 500Mi
--- a/apps/k8s01/jellyfin/ingress.yaml
+++ b/apps/k8s01/jellyfin/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: jellyfin
+    namespace: jellyfin
+    labels:
+        app.kubernetes.io/name: jellyfin
+        app.kubernetes.io/component: jellyfin
+    annotations:
+        forecastle.stakater.com/expose: "true"
+        forecastle.stakater.com/appName: Jellyfin
+        forecastle.stakater.com/group: Apps
+        forecastle.stakater.com/network-restricted: "true"
+        nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/24
+spec:
+    rules:
+        - host: ENC[AES256_GCM,data:4+LBVSF1Hcsjjqc7/6sw5rjt+qhgkwnoeQ==,iv:8ydyWqCkYv7kItxoQxGFxVp4iSODurIe69xU+e64KIQ=,tag:/TSKzTs1e8AOc+pVuYy5xA==,type:str]
+          http:
+            paths:
+                - path: /
+                  pathType: Prefix
+                  backend:
+                    service:
+                        name: jellyfin
+                        port:
+                            number: 80
+    tls:
+        - hosts:
+            - ENC[AES256_GCM,data:mtrbDFZUudLTqptl8CVYwucJ523U3HbLfw==,iv:dB8b797YLz0VmSssw8PUGs4mZxYSWbTC566UtdzrESo=,tag:erBCXBzD0tFIhKn3S+tj4w==,type:str]
+          secretName: ingress-jellyfin-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-12T11:17:37Z"
+    mac: ENC[AES256_GCM,data:tCDj/sZ8IyKAkEtR4kHgy+mJCSlk6VBmuoz3McgoAFSREQg7elT1HyDofy0WkQ+3/zvrd0DP57nDJTO5HPJdTZpSsrHWkNHJwIE+EzQDyzeCfsYA+8mjQAhrShItuIk00Bx5lRmso7FnZ4uFmLKQJmzeTnKFIesMUJ1/Ikj6+hE=,iv:D5mmYFF8C1A2h5qfeFrf4W86pOVRsWLAdfxjUQS9xH4=,tag:P/QwQoTEtW6GdUAXJ0fZkg==,type:str]
+    pgp:
+        - created_at: "2023-01-11T09:22:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//VBiURBAjpkGmlAtGhHkKN4/zi6LbZIWeViMOIrajctKI
+            wldyYRR8Aej75UHN5gxcZbpJF+q1RbaBZxdxukKcgzA/JZ5eofKf8nZGXZh5YZx9
+            yYO3quytd0rRAnLc8TPuWPPJFcACcrHIG8diwWgAOjmnnIXbvSJaPYU3Y3ksOiHo
+            6ANng4qfTjN684jNtO7MlAREdykO8zeovWmUVaA97z+uMcAT/o0S5on10J+wiyTt
+            lR/qefaySJ1kDIrbVdBPSZC0ix0Aybs8E8R/EqhV8msxYJGh87ufLsEdQcKWJSXT
+            D7aOrHz9HikLldTQc3Z3rld7U80IqG51rySfwBzjlTCG2WEyY3XmMwAtBonnUDzY
+            41S4u7JdWAqGBWowLzZOXZa+Y30QjD5b58eOYlYeb0z2ONSm5esQH2p9ophKsS35
+            CzpPYBXG7ZB5CO4zYUkPhfRsW2QPB5zd90cIJBzoiXvQ6AceeeOy67Tzv8wsa2Iu
+            y9KqFoI3bO317G8ObaVL3mYXjdxFzrgT3f9kCPIi3oKiY99G/z4LLt1uWD9Z/ubQ
+            np302fqNWpVgj4bgki2LJyl0rR5icukrwlI/1OycJ66Bcg78AJ/N5h9kAe+jd/GQ
+            NLvbb36caMiQgxYIT3xw7Cf8lHQUpqO+dvDNfvnU/BO0WOtWjhjGpQFjl4yAZQjS
+            UQH0fDddNCGlv8wrn2rfn753yeXdaPWUSxFGiEggRYskFQxb69y1KIYiAl8Vyi8I
+            YVs1aWW04ZDtyCAwJsCpDmh2eAh9U4VytLVfbFb0VyCTAA==
+            =3wQL
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2023-01-11T09:22:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPARAAsYdfioZSRosaLy8WtDZzTJwforPpTKEOITT3j3UL/47V
+            qShg/s1sorcH0bniB8N0s79Z4Hnhyca6zKhk9g14OXqcM4z0u+IguRvpB1P/E0H4
+            mZ2AUcTzbuE+/QE7c4deqbMPYZ6OZIjv88c78qS+gO2Czq5a/2g3U8O4mz/6uWlc
+            fzYn9/3v2aQWTs9nSIuZHYmnbMkTGXdi/3lE75HQ8lNger7B+zHOpUpbT1h0SIrk
+            gmb3+qyANYYJiXu/JJsDGZQkTbgW0DfcNlh06l6qfeBd/Jggo30N41PU07H8lS0Q
+            /q8Mqha+2BYc39MHZMlu4IVERsmEm5AtVxl6ilVHYIdSyEu0fEi/XAVQegXS0JUt
+            P50mI1afPJuaudP5WweVO0G3ZelGvGKDHCg5nftn3LDAaVkVCCXDDxMWGMDWKFX2
+            y64Aah5Gm+vXvDWBlV/Tmkmpc3X1Lg5F8MMYGrqC2OGQqXmnDc4x3AOZzonmo4ci
+            HEyUe/Lu5u8eQyU8shXhqrziJkTotXtPKZ6msDNE2iLzGi26Ih5Ffadxg8OUArUw
+            NLxfl5sNd894DZu/U2X2kOfA1Fv72GXp5GKEievVx1LY4jLjLbSP+yyW8HsmTrPj
+            A+F/hK//vh/rkXGQuQbKyJpsjm26DedzmfQLEDdic9UjlcQ8SC/B2+8f1jQ+XbXU
+            aAEJAhDGc6mHvv2QpjFnn5B4VbzrvCzOK+q6ixP6mb/RGmUsgtc67vTxnmBCy5jO
+            gSGD4lAiOr+y2FFzj4GGUv7qq5wOfV8bcFb/ZFHyPjG42OHDWhLyOOB0NlgqNXeV
+            bXQwV0HyK91K
+            =GgFv
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3
--- a/apps/k8s01/jellyfin/kustomization.yaml
+++ b/apps/k8s01/jellyfin/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jellyfin
+resources:
+  - namespace.yaml
+  - pv.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  - certificate.yaml
+  - ingress.yaml
+  - ../../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../../shared/resourcequotas/default.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml
\ No newline at end of file
--- a/apps/k8s01/jellyfin/namespace.yaml
+++ b/apps/k8s01/jellyfin/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jellyfin
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: v1.23
+    pod-security.kubernetes.io/enforce-version: v1.23
+    pod-security.kubernetes.io/warn-version: v1.23
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: jellyfin
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: jellyfin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: jellyfin
--- a/apps/k8s01/jellyfin/networkpolicy.yaml
+++ b/apps/k8s01/jellyfin/networkpolicy.yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: jellyfin
+      app.kubernetes.io/component: jellyfin
\ No newline at end of file
--- a/apps/k8s01/jellyfin/pv.yaml
+++ b/apps/k8s01/jellyfin/pv.yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jellyfin-movies
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  capacity:
+    storage: 2Ti
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  nfs:
+    server: fs03.storage.si-infra.de
+    path: "/mnt/NAS/shares/movies"
+  mountOptions:
+    - hard
+    - noexec
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jellyfin-shows
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  capacity:
+    storage: 2Ti
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  nfs:
+    server: fs03.storage.si-infra.de
+    path: "/mnt/NAS/shares/shows"
+  mountOptions:
+    - hard
+    - noexec
--- a/apps/k8s01/jellyfin/pvc.yaml
+++ b/apps/k8s01/jellyfin/pvc.yaml
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-movies
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 2Ti
+  volumeName: jellyfin-movies
+---
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-shows
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  storageClassName: ""
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 2Ti
+  volumeName: jellyfin-shows
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: media
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/apps/k8s01/jellyfin/service.yaml
+++ b/apps/k8s01/jellyfin/service.yaml
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+  name: jellyfin
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8096
+  selector:
+    app.kubernetes.io/name: jellyfin
+    app.kubernetes.io/component: jellyfin
+  type: ClusterIP
--- a/infrastructure/rook/cluster.yaml
+++ b/infrastructure/rook/cluster.yaml
@@ -12,7 +12,7 @@ spec:
        kind: HelmRepository
        name: rook-release
        namespace: rook-ceph
-      version: v1.10.6
+      version: v1.10.8
  interval: 5m
  install:
    crds: CreateReplace

--- a/infrastructure/rook/operator.yaml
+++ b/infrastructure/rook/operator.yaml
@@ -12,7 +12,7 @@ spec:
        kind: HelmRepository
        name: rook-release
        namespace: rook-ceph
-      version: v1.10.6
+      version: v1.10.8
  interval: 5m
  install:
    crds: CreateReplace
No results found