92 Commits

Author SHA1 Message Date
a536911c7f Update deploy/deluge/deluge-deploy.yaml 2025-05-11 13:44:06 +02:00
ca6d8ece07 Merge pull request 'Update Helm release plane-ce to v1.1.0' (#3) from renovate/plane-ce-1.x into main
Reviewed-on: #3
2025-03-28 14:08:50 +01:00
403e0adc4a Update Helm release plane-ce to v1.1.0 2025-03-27 13:00:41 +00:00
ded8953892 fix node selector 2025-03-27 00:09:57 +01:00
5701c2fffe update drone 2025-03-26 23:30:31 +01:00
23b96db049 fix drone perms 2025-03-26 17:54:04 +01:00
e9f8b65f79 update drone runner 2025-03-26 17:51:45 +01:00
fdc23b9b66 fix drone 2025-03-26 17:44:05 +01:00
c0fbef2afa update drone 2025-03-26 17:41:14 +01:00
f055fd498b update drone 2025-03-26 17:30:10 +01:00
d3d2852c4c update drone logging 2025-03-26 17:18:31 +01:00
7a9a87169a set debug level for drone 2025-03-26 17:13:36 +01:00
44142581ec update drone 2025-03-26 17:09:58 +01:00
2c05411617 update drone runners 2025-03-26 17:05:31 +01:00
30a08f1b41 update drone amd64 2025-03-26 16:56:59 +01:00
b3811f31cd update drone 2025-03-25 14:04:16 +01:00
4973a38623 update drone 2025-03-25 14:02:45 +01:00
5dd8427336 fix drone 2025-03-25 13:48:28 +01:00
0a393b19c8 update droneupdate drone 2025-03-25 13:38:25 +01:00
c33107f0d8 update drone 2025-03-25 04:20:53 +01:00
27cbf5b35f fix name 2025-03-25 03:29:32 +01:00
f014334375 update drone 2025-03-25 03:28:19 +01:00
19d75c5179 update drone 2025-03-25 03:24:41 +01:00
9a1c192d66 update deluge 2025-03-25 03:09:20 +01:00
5d210d7c31 Merge pull request 'Configure Renovate' (#2) from renovate/configure into main
Reviewed-on: #2
2025-03-23 16:02:47 +01:00
20f384f59d Add renovate.json 2025-03-23 15:02:02 +00:00
1a296f6630 Revert "try renovate config"
This reverts commit 60fdb7794b.
2025-03-23 16:01:18 +01:00
aa7db1d91a update drone server 2025-03-23 15:57:25 +01:00
35dd82d3fa update drone 2025-03-23 15:50:29 +01:00
c2303473b5 update drone 2025-03-23 15:45:22 +01:00
a5a6194ef5 ignore secrets 2025-03-22 23:41:46 +01:00
60fdb7794b try renovate config 2025-03-22 23:39:19 +01:00
647c088918 fix renovate? 2025-03-22 23:26:40 +01:00
c35754b4ef add renovate 2025-03-22 23:23:31 +01:00
04df9f7d56 fix storage 2025-03-22 23:05:52 +01:00
0370e5fb11 fix storage 2025-03-22 23:05:11 +01:00
09f8a52a4a update storage 2025-03-22 23:04:10 +01:00
4a0a54eb6d use rabbitmq svc for host 2025-03-22 00:23:28 +01:00
0493c177af fix stuff 2025-03-21 22:52:46 +01:00
a2455e4b5b fix ver 2025-03-21 22:05:16 +01:00
cfd2a59b62 fix ver 2025-03-21 22:03:07 +01:00
d21f192a65 fix ver 2025-03-21 22:00:14 +01:00
eb53c0e663 try plane 2025-03-21 21:58:38 +01:00
12f7343c3b remove huly because it's terrible 2025-03-21 21:44:09 +01:00
1e8af651a1 fix minio 2025-03-21 21:14:31 +01:00
dbe81b336a Revert "use https"
This reverts commit 4eb385d134.
2025-03-21 20:51:36 +01:00
4eb385d134 use https 2025-03-21 20:44:25 +01:00
30a460fbc5 add namespace to huly 2025-03-21 20:31:38 +01:00
406a470489 implement huly 2025-03-21 20:26:53 +01:00
86d9b89769 scale drone runners 2025-03-20 03:22:20 +01:00
d1fd69888a fix oauth2 longhorn proxy 2025-03-20 02:56:32 +01:00
35af177b45 add longhorn oauth2 proxy 2025-03-20 01:10:09 +01:00
012f70811f remove useless policy 2025-03-19 22:28:16 +01:00
fd890b6042 update networkpolicy 2025-03-19 21:49:26 +01:00
34552dc98b try networkpolicy 2025-03-19 21:46:55 +01:00
2768705251 update arrs mountpoints 2025-03-19 21:35:46 +01:00
2d5ed2648c fix typo 2025-03-19 20:37:10 +01:00
40bf1df4f2 update ingresses 2025-03-19 20:36:00 +01:00
2f3adc819b fix deluge ingress 2025-03-19 20:30:58 +01:00
e64df393a4 update ingresses 2025-03-19 20:25:36 +01:00
7c828dce5b fix media 2025-03-19 20:21:52 +01:00
83e32e23af update deluge 2025-03-19 20:19:56 +01:00
01f6e05fe0 remove namespace 2025-03-19 20:17:45 +01:00
d8564be2cb fix namespace 2025-03-19 20:08:31 +01:00
fbce2041af update flaresolverr 2025-03-19 20:05:43 +01:00
ce802a4891 add media services 2025-03-19 20:00:55 +01:00
923cc6dd52 update drone runner 2025-03-19 03:05:09 +01:00
8b9a8ef750 update drone 2025-03-19 03:01:20 +01:00
e254b05af8 update drone 2025-03-19 02:54:00 +01:00
e9364cfb16 update drone 2025-03-19 02:37:33 +01:00
d5dd8ce96c fix drone 2025-03-19 02:28:19 +01:00
bbd06048e0 update drone ingress 2025-03-19 02:26:07 +01:00
5840b67d04 update drone 2025-03-19 02:24:50 +01:00
ea0feb3e59 update drone temp 2025-03-19 02:22:05 +01:00
7d92cd9358 update drone temp 2025-03-19 02:20:11 +01:00
c5a0b629c4 update drone 2025-03-19 02:19:07 +01:00
8277398e2e update pvc 2025-03-19 02:03:10 +01:00
f2d3ad28aa update drone 2025-03-19 02:01:58 +01:00
09c38f3d6c update metrics-server 2025-03-19 01:50:32 +01:00
22efed6f66 update metrics-server 2025-03-19 01:49:50 +01:00
7b9e53414c add metrics-server 2025-03-19 01:46:03 +01:00
4c4a383425 add volume migration job util 2025-03-19 01:25:32 +01:00
5ee8569d96 remove comment 2025-03-19 01:25:11 +01:00
e1216f9603 update jelly 2025-03-19 01:20:13 +01:00
e1ac9db257 update media storage 2025-03-19 01:10:57 +01:00
e3991e44fc update media storage 2025-03-19 01:08:43 +01:00
94cff95854 update jelly 2025-03-19 00:53:56 +01:00
01c05c82fc fix jelly pvc 2025-03-19 00:53:25 +01:00
a65363dbea update jelly 2025-03-19 00:53:09 +01:00
c0aedeaf85 Update deploy/jellyfin/media-storage.yaml 2025-03-17 23:55:25 +01:00
237a9f9efd Update deploy/jellyfin/deployment.yaml 2025-03-17 23:54:56 +01:00
c9a2d4b711 update jelly 2025-03-17 11:46:11 +01:00
47 changed files with 1209 additions and 109 deletions

1
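--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+**/secret.yaml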


@@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- radarr-config-pvc.yaml
- sonarr-config-pvc.yaml
- sonarr-deploy.yaml
- radarr-deploy.yaml
- sonarr-svc.yaml
- radarr-svc.yaml
- sonarr-ingress.yaml
- radarr-ingress.yaml


@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: radarr-config
namespace: jellyfin
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi


@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
containers:
- name: radarr
image: lscr.io/linuxserver/radarr:latest
ports:
- containerPort: 7878
env:
- name: PUID
value: "0"
- name: PGID
value: "0"
- name: TZ
value: Europe/Rome
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /media
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: radarr-config
- name: media
persistentVolumeClaim:
claimName: media-rwx-pvc
- name: downloads
persistentVolumeClaim:
claimName: deluge-downloads
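Review bot: `PUID` and `PGID` are both `"0"` in the `env` list, so the radarr process presumably runs as root while it has write access to the shared `media-rwx-pvc` and `deluge-downloads` claims. An unprivileged id such as the `"1000"` used by the jackett deployment on this page would limit what a compromised app can modify, provided volume ownership is adjusted to match. The image is also referenced only as `:latest`, so the running version can change on any pod restart; pin a release tag or digest. The root ids apply equally to the sonarr deployment, and `:latest` also appears in the sonarr, jackett, flaresolverr and both drone-runner deployments.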


@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr-ingress
namespace: jellyfin
annotations:
kubernetes.io/ingress.class: "nginx"
acme.cert-manager.io/disable-http01-propagation-check: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- radarr.beatrice.wtf
secretName: radarr-tls
rules:
- host: radarr.beatrice.wtf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radarr
port:
number: 80


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: radarr
namespace: jellyfin
spec:
selector:
app: radarr
ports:
- protocol: TCP
port: 80
targetPort: 7878


@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sonarr-config
namespace: jellyfin
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi


@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
spec:
containers:
- name: sonarr
image: lscr.io/linuxserver/sonarr:latest
ports:
- containerPort: 8989
env:
- name: PUID
value: "0"
- name: PGID
value: "0"
- name: TZ
value: Europe/Rome
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /media
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: sonarr-config
- name: media
persistentVolumeClaim:
claimName: media-rwx-pvc
- name: downloads
persistentVolumeClaim:
claimName: deluge-downloads


@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr-ingress
namespace: jellyfin
annotations:
kubernetes.io/ingress.class: "nginx"
acme.cert-manager.io/disable-http01-propagation-check: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- sonarr.beatrice.wtf
secretName: sonarr-tls
rules:
- host: sonarr.beatrice.wtf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sonarr
port:
number: 80


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: sonarr
namespace: jellyfin
spec:
selector:
app: sonarr
ports:
- protocol: TCP
port: 80
targetPort: 8989


@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: deluge-config
namespace: jellyfin
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi


@@ -0,0 +1,71 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: deluge
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: deluge
template:
metadata:
labels:
app: deluge
spec:
securityContext:
runAsUser: 0
containers:
- name: deluge
image: bottledpills/deluge-openvpn:v1.7
securityContext:
privileged: true # Often required for TUN/TAP devices
capabilities:
add:
- NET_ADMIN
ports:
- containerPort: 8112
protocol: TCP
- containerPort: 6881
protocol: TCP
- containerPort: 6881
protocol: UDP
- containerPort: 58846
protocol: TCP
env:
- name: TZ
value: Etc/UTC
- name: DELUGE_LOGLEVEL
value: "error"
- name: OPENVPN_PROVIDER
value: "nordvpn"
- name: OPENVPN_USERNAME
valueFrom:
secretKeyRef:
name: nordvpn-credentials
key: username
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: nordvpn-credentials
key: password
- name: LOCAL_NETWORK
value: "10.10.10.0/24,10.244.0.0/24"
volumeMounts:
- name: config
mountPath: /config
- name: downloads
mountPath: /download
- name: dev-net-tun
mountPath: /dev/net/tun
volumes:
- name: config
persistentVolumeClaim:
claimName: deluge-config
- name: downloads
persistentVolumeClaim:
claimName: deluge-downloads
- name: dev-net-tun
hostPath:
path: /dev/net/tun
type: CharDevice
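Review bot: `privileged: true` on the deluge container already grants every capability and access to host devices, which makes the `capabilities.add: NET_ADMIN` entry and the explicit `/dev/net/tun` hostPath mount redundant, and the pod additionally sets `runAsUser: 0`. For a workload that handles untrusted peer traffic, that combination means a compromise of the process is close to a compromise of the node. Because the manifest already requests NET_ADMIN and mounts the TUN device, try `privileged: false` and keep only those two; whether the device mount works unprivileged depends on the container runtime, so it needs testing. The inline comment `# Often required for TUN/TAP devices` should then record what was actually verified rather than a general expectation.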


@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: deluge-ingress
namespace: jellyfin
annotations:
kubernetes.io/ingress.class: "nginx"
acme.cert-manager.io/disable-http01-propagation-check: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- torrent.beatrice.wtf
secretName: deluge-tls
rules:
- host: torrent.beatrice.wtf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: deluge
port:
number: 80


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: deluge
namespace: jellyfin
spec:
selector:
app: deluge
ports:
- name: web
protocol: TCP
port: 80
targetPort: 8112
- name: torrent-tcp
protocol: TCP
port: 6881
targetPort: 6881
- name: torrent-udp
protocol: UDP
port: 6881
targetPort: 6881
- name: daemon
protocol: TCP
port: 58846
targetPort: 58846


@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- shared-downloads-pvc.yaml
- deluge-config-pvc.yaml
- deluge-deploy.yaml
- deluge-ingress.yaml
- deluge-svc.yaml


@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: deluge-downloads
namespace: jellyfin
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn
resources:
requests:
storage: 100Gi


@@ -1,105 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: drone-pv
namespace: drone
labels:
name: drone-server
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone-server
namespace: drone
spec:
replicas: 1
selector:
matchLabels:
name: drone-server
template:
metadata:
labels:
name: drone-server
spec:
containers:
- name: drone-server
image: drone/drone:2.26.0
imagePullPolicy: Always
env:
- name: "DRONE_GITHUB_CLIENT_ID"
value: Ov23liTTrc709dX7YetV
- name: "DRONE_GITHUB_CLIENT_SECRET"
value: 7373d79bce815b380d503fb39c9373a53599897a
- name: "DRONE_RPC_SECRET"
value: f2ae9e7aea06ef9897a30c5e2b27f17c
- name: "DRONE_SERVER_HOST"
value: drone.diveedi.dev
- name: "DRONE_SERVER_PROTO"
value: https
- name: "DRONE_SERVER_PORT"
value: :80
- name: "DRONE_USER_CREATE"
value: "username:nicolag97,admin:true"
- name: "DRONE_USER_FILTER"
value: "ticketag,diveedi-lab"
- name: "DRONE_DATABASE_DRIVER"
value: "postgres"
- name: "DRONE_DATABASE_DATASOURCE"
value: "postgres://drone:be1932a990ec0d4a9720@postgres-rw.db:5432/drone?sslmode=disable"
volumeMounts:
- mountPath: /var/lib/drone
name: drone-lib
volumes:
- name: drone-lib
persistentVolumeClaim:
claimName: drone-pv
---
apiVersion: v1
kind: Service
metadata:
name: drone-server
namespace: drone
labels:
name: drone-server
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 80
targetPort: 80
selector:
name: drone-server
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: drone-ingress
namespace: drone
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- drone.panic.haus
secretName: drone-tls
rules:
- host: drone.panic.haus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: drone-server
port:
number: 80


@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: drone-ingress
namespace: drone
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- drone.beatrice.wtf
secretName: drone-tls
rules:
- host: drone.beatrice.wtf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: drone-server
port:
number: 80


@@ -0,0 +1,29 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: drone-lib-pvc
namespace: drone
labels:
name: drone-server
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: drone-data-pvc
namespace: drone
labels:
name: drone-server
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi


@@ -0,0 +1,26 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: drone
name: drone
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "delete"]
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "create", "delete", "list", "watch", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: drone
namespace: drone
subjects:
- kind: ServiceAccount
name: default
namespace: drone
roleRef:
kind: Role
name: drone
apiGroup: rbac.authorization.k8s.io
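Review bot: The RoleBinding's subject is the namespace's `default` ServiceAccount, so every pod in `drone` that does not set `serviceAccountName` receives the secret create/delete and pod create/update rights, not only the runners. That includes `drone-server` on this page and presumably the pipeline pods the runners launch into the same namespace. A dedicated account (for example `name: drone-runner` as the subject, created alongside this Role and referenced with `serviceAccountName: drone-runner` in the two runner Deployments) would scope the grant to the component that needs it.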


@@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone-runner-amd64
namespace: drone
spec:
replicas: 1
selector:
matchLabels:
app: drone-runner-amd64
template:
metadata:
labels:
app: drone-runner-amd64
spec:
nodeSelector:
kubernetes.io/arch: "amd64"
containers:
- name: drone-runner-amd64
image: drone/drone-runner-kube:latest
imagePullPolicy: Always
env:
- name: DRONE_RPC_HOST
value: "drone.beatrice.wtf"
- name: DRONE_RPC_PROTO
value: "https"
- name: DRONE_RPC_SECRET
value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
- name: DRONE_RUNNER_CAPACITY
value: "3"
- name: DRONE_DEBUG
value: "true"
- name: DRONE_NAMESPACE_DEFAULT
value: "drone"
- name: DRONE_NODE_SELECTOR_DEFAULT
value: "kubernetes.io/arch:amd64"
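Review bot: `DRONE_RPC_SECRET` is committed as a literal `value:` in this Deployment, even though the deluge Deployment on this page already shows the safer pattern with `valueFrom.secretKeyRef`. Replace the literal with a `secretKeyRef` pointing at a Secret kept out of the repository (the `**/secret.yaml` ignore rule added here fits that), and treat the committed value as exposed and rotate it. The same defect appears in the arm64 runner, in `drone-server` (`DRONE_GITEA_CLIENT_SECRET`, `DRONE_RPC_SECRET`, `DRONE_WEBHOOK_SECRET`), in the oauth2-proxy args (`--client-secret`, `--cookie-secret`) and in the plane `pgdb_remote_url`, which embeds the database password. `DRONE_DEBUG: "true"` is also worth dropping once the runner works, since debug logs are a common place for such values to leak.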


@@ -0,0 +1,36 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone-runner-arm64
namespace: drone
spec:
replicas: 1
selector:
matchLabels:
app: drone-runner-arm64
template:
metadata:
labels:
app: drone-runner-arm64
spec:
nodeSelector:
kubernetes.io/arch: "arm64"
containers:
- name: drone-runner-arm64
image: drone/drone-runner-kube:latest
imagePullPolicy: Always
env:
- name: DRONE_RPC_HOST
value: "drone.beatrice.wtf"
- name: DRONE_RPC_PROTO
value: "https"
- name: DRONE_RPC_SECRET
value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
- name: DRONE_RUNNER_CAPACITY
value: "3"
- name: DRONE_DEBUG
value: "true"
- name: DRONE_NAMESPACE_DEFAULT
value: "drone"
- name: DRONE_NODE_SELECTOR_DEFAULT
value: "kubernetes.io/arch:arm64"


@@ -0,0 +1,72 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: drone-server
namespace: drone
spec:
replicas: 1
selector:
matchLabels:
name: drone-server
template:
metadata:
labels:
name: drone-server
spec:
containers:
- name: drone-server
image: drone/drone:2
imagePullPolicy: Always
env:
- name: "DRONE_GITEA_CLIENT_ID"
value: "e6a4fb3b-e6b1-43dd-8f45-4def94742609"
- name: "DRONE_GITEA_CLIENT_SECRET"
value: "gto_4ggtzkrukdzsmheoa2b4wz5cza2jif6gpf7wunbrtxa74senlykq"
- name: "DRONE_GITEA_SERVER"
value: "https://git.beatrice.wtf"
- name: "DRONE_GIT_ALWAYS_AUTH"
value: "false"
- name: "DRONE_RPC_SECRET"
value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
- name: "DRONE_WEBHOOK_SECRET"
value: "9329e50de8f250dc3c997571f395d09e"
- name: "DRONE_SERVER_HOST"
value: "drone.beatrice.wtf"
- name: "DRONE_SERVER_PROTO"
value: "https"
- name: "DRONE_SERVER_PORT"
value: ":80"
- name: "DRONE_SERVER_BUILD_LIMIT"
value: "9"
- name: "DRONE_ALLOW_PRIVILEGED"
value: "true"
- name: "DRONE_LOGS_DEBUG"
value: "true"
volumeMounts:
- mountPath: /var/lib/drone
name: drone-lib
- mountPath: /data
name: drone-data
volumes:
- name: drone-lib
persistentVolumeClaim:
claimName: drone-lib-pvc
- name: drone-data
persistentVolumeClaim:
claimName: drone-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: drone-server
namespace: drone
labels:
name: drone-server
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 80
targetPort: 80
selector:
name: drone-server
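Review bot: Neither `DRONE_USER_FILTER` nor `DRONE_USER_CREATE` is set in the new server `env`, although the manifest this file replaces set both. Without a filter or `DRONE_REGISTRATION_CLOSED`, any account that can authenticate against `https://git.beatrice.wtf` can presumably sign in and run builds, on a server that also sets `DRONE_ALLOW_PRIVILEGED` to `"true"`. Restore an allow-list with `- name: DRONE_USER_FILTER` and the intended users or organisations, and declare the initial admin through `DRONE_USER_CREATE`. The image tag `drone/drone:2` also floats across releases where the old manifest pinned `2.26.0`.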


@@ -1,2 +1,7 @@
resources: resources:
- deploy.yaml - drone-rbac.yaml
- drone-server.yaml
- drone-runner-arm64.yaml
- drone-runner-amd64.yaml
- drone-ingress.yaml
- drone-pvc.yaml


@@ -0,0 +1,32 @@
# Flaresolverr Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: flaresolverr
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: flaresolverr
template:
metadata:
labels:
app: flaresolverr
spec:
containers:
- name: flaresolverr
image: ghcr.io/flaresolverr/flaresolverr:latest
ports:
- containerPort: 8191
env:
- name: LOG_LEVEL
value: "info"
- name: LOG_HTML
value: "false"
- name: CAPTCHA_SOLVER
value: "none"
- name: TZ
value: "Europe/Rome"
- name: HOME
value: "/tmp"


@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: flaresolverr-ingress
namespace: jellyfin
annotations:
kubernetes.io/ingress.class: "nginx"
acme.cert-manager.io/disable-http01-propagation-check: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- flaresolverr.beatrice.wtf
secretName: flaresolverr-tls
rules:
- host: flaresolverr.beatrice.wtf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: flaresolverr
port:
number: 80
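Review bot: This Ingress publishes flaresolverr on a public hostname with no authentication annotation, and the Deployment on this page configures no authentication either. The service fetches caller-supplied URLs on the caller's behalf, so an unauthenticated public endpoint behaves as an open request proxy running from inside the cluster network. If only in-cluster consumers such as jackett need it, drop this Ingress and address the ClusterIP Service `flaresolverr` directly. Otherwise protect it with `nginx.ingress.kubernetes.io/auth-url` and `auth-signin`, as the longhorn Ingress on this page does.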


@@ -0,0 +1,14 @@
# Flaresolverr Service
apiVersion: v1
kind: Service
metadata:
name: flaresolverr
namespace: jellyfin
spec:
selector:
app: flaresolverr
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8191


@@ -0,0 +1,13 @@
# PVC for Jackett "blackhole" (downloads) folder
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jackett-blackhole
namespace: jellyfin
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn
resources:
requests:
storage: 10Gi


@@ -0,0 +1,13 @@
# PVC for Jackett configuration
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jackett-config
namespace: jellyfin
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 10Gi


@@ -0,0 +1,44 @@
# Jackett Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: jackett
namespace: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jackett
template:
metadata:
labels:
app: jackett
spec:
containers:
- name: jackett
image: lscr.io/linuxserver/jackett:latest
ports:
- containerPort: 9117
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: TZ
value: "Etc/UTC"
- name: AUTO_UPDATE
value: "true"
- name: RUN_OPTS
value: ""
volumeMounts:
- name: config
mountPath: /config
- name: blackhole
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: jackett-config
- name: blackhole
persistentVolumeClaim:
claimName: jackett-blackhole


@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jackett-ingress
namespace: jellyfin
annotations:
kubernetes.io/ingress.class: "nginx"
acme.cert-manager.io/disable-http01-propagation-check: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- jackett.beatrice.wtf
secretName: jackett-tls
rules:
- host: jackett.beatrice.wtf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jackett
port:
number: 80


@@ -0,0 +1,14 @@
# Jackett Service
apiVersion: v1
kind: Service
metadata:
name: jackett
namespace: jellyfin
spec:
selector:
app: jackett
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9117


@@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- jackett-blackhole-pvc.yaml
- jackett-config-pvc.yaml
- jackett-deploy.yaml
- jackett-svc.yaml
- jackett-ingress.yaml
- flaresolverr-deploy.yaml
- flaresolverr-svc.yaml
- flaresolverr-ingress.yaml


@@ -44,7 +44,7 @@ spec:
volumes: volumes:
- name: media - name: media
persistentVolumeClaim: persistentVolumeClaim:
claimName: media-pvc claimName: media-rwx-pvc
- name: jellyfin-config - name: jellyfin-config
persistentVolumeClaim: persistentVolumeClaim:
claimName: jellyfin-config claimName: jellyfin-config


@@ -21,7 +21,7 @@ metadata:
spec: spec:
storageClassName: media-storage storageClassName: media-storage
accessModes: accessModes:
- ReadWriteMany # Longhorn supports RWO; if RWX is needed, enable RWX mode in Longhorn UI - ReadWriteMany
resources: resources:
requests: requests:
storage: 1Ti storage: 1050Gi


@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-dashboard
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
spec:
tls:
- hosts:
- longhorn.panic.haus
secretName: longhorn-tls
rules:
- host: longhorn.panic.haus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: longhorn-frontend
port:
number: 80
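Review bot: `longhorn-dashboard` declares the same host `longhorn.panic.haus`, the same path `/` and the same `secretName: longhorn-tls` as the `longhorn-ingress` object added in the next file. Two Ingresses claiming an identical host and path leave it to the controller which one's annotations take effect, so the `auth-url` actually enforced in front of the Longhorn UI is not obvious from the manifests. Keep only one Ingress for `/` and delete the other, so the authentication configuration is unambiguous.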


@@ -0,0 +1,33 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy-service.longhorn-system.svc.cluster.local:4180/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://longhorn.panic.haus/oauth2/start?rd=$escaped_request_uri"
spec:
tls:
- hosts:
- longhorn.panic.haus
secretName: longhorn-tls
rules:
- host: longhorn.panic.haus
http:
paths:
- path: /oauth2
pathType: Prefix
backend:
service:
name: oauth2-proxy-longhorn-service
port:
number: 4180
- path: /
pathType: Prefix
backend:
service:
name: longhorn-frontend
port:
number: 80
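Review bot: The `auth-url` annotation points at `oauth2-proxy-service.longhorn-system.svc.cluster.local:4180`, but the Service added on this page is named `oauth2-proxy-longhorn-service`, so the auth subrequest would presumably fail to resolve. It should read `http://oauth2-proxy-longhorn-service.longhorn-system.svc.cluster.local:4180/oauth2/auth`. Whether a failed subrequest denies or allows the request is worth confirming on the running controller, not assuming. The `/oauth2` path in this Ingress also sits under the same auth annotations and duplicates the separate `oauth2-proxy-longhorn-ingress`; serving `/oauth2` only from that un-annotated Ingress avoids the sign-in endpoint requiring authentication itself.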


@@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: oauth2-proxy-longhorn-ingress
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: longhorn.panic.haus
http:
paths:
- path: /oauth2
pathType: Prefix
backend:
service:
name: oauth2-proxy-longhorn-service
port:
number: 4180


@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy-longhorn-service
namespace: longhorn-system
spec:
ports:
- port: 4180
targetPort: 4180
protocol: TCP
name: http
selector:
app: oauth2-proxy-longhorn


@@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy-longhorn
namespace: longhorn-system
spec:
replicas: 1
selector:
matchLabels:
app: oauth2-proxy-longhorn
template:
metadata:
labels:
app: oauth2-proxy-longhorn
spec:
containers:
- name: oauth2-proxy-longhorn
image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
args:
- --provider=keycloak
- --client-id=longhorn
- --client-secret=0U2QuP1QMAXln8bzwJ3aJMIvaH9t2QvJ
- --cookie-secret=lDE7du7SlDuG1UySIZUhcHfuk5HlgFlgDWdHD_PQ9UI=
- --oidc-issuer-url=https://sso.beatrice.wtf/auth/realms/panic-haus
- --cookie-domain=longhorn.panic.haus
- --email-domain=*
- --http-address=0.0.0.0:4180
- --redirect-url=https://longhorn.panic.haus/oauth2/callback
- --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local:80
- --scope=openid
- --login-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/auth
- --validate-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/userinfo
- --redeem-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/token
- --skip-auth-regex=^(?:https?:\/\/)?longhorn\.panic\.haus\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$|^\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$
ports:
- name: http
containerPort: 4180
protocol: TCP
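Review bot: `--email-domain=*` together with `--scope=openid` means every account that can log in to the `panic-haus` realm is admitted to the Longhorn UI, which can delete and detach volumes cluster-wide. Restrict access to an explicit group or role, for instance with oauth2-proxy's `--allowed-group` option, or limit the `longhorn` client to specific users on the identity-provider side. The `--skip-auth-regex` alternation `.*\.(?:js|css)(\.map)?` also exempts any path ending in `.js` or `.css`, not just the UI's own assets, so anchor it to the asset directory the frontend actually uses.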


@@ -0,0 +1,202 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: system:aggregated-metrics-reader
rules:
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- nodes/metrics
verbs:
- get
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: metrics-server
name: metrics-server-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
k8s-app: metrics-server
name: metrics-server:system:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:metrics-server
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
ports:
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
selector:
matchLabels:
k8s-app: metrics-server
strategy:
rollingUpdate:
maxUnavailable: 0
template:
metadata:
labels:
k8s-app: metrics-server
spec:
containers:
- args:
- --cert-dir=/tmp
- --secure-port=10250
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
- --kubelet-insecure-tls
image: registry.k8s.io/metrics-server/metrics-server:v0.7.2
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: https
scheme: HTTPS
periodSeconds: 10
name: metrics-server
ports:
- containerPort: 10250
name: https
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: https
scheme: HTTPS
initialDelaySeconds: 20
periodSeconds: 10
resources:
requests:
cpu: 100m
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: tmp-dir
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: metrics-server
volumes:
- emptyDir: {}
name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
k8s-app: metrics-server
name: v1beta1.metrics.k8s.io
spec:
group: metrics.k8s.io
groupPriorityMinimum: 100
insecureSkipTLSVerify: true
service:
name: metrics-server
namespace: kube-system
version: v1beta1
versionPriority: 100
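Review bot: `--kubelet-insecure-tls` in the container args turns off verification of the kubelet serving certificate, so metrics-server accepts whatever answers on a node's address. If it was added to work around self-signed kubelet certificates, say so next to the flag, e.g. `# kubelets use self-signed serving certs; remove once they are signed by the cluster CA`, so the workaround does not become permanent. The durable fix is kubelet serving certificates issued by the cluster CA, after which the flag can be removed.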


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- components.yaml


@@ -0,0 +1,24 @@
namespace: plane-ce
helmCharts:
- name: plane-ce
repo: https://helm.plane.so/
version: 1.1.0
releaseName: plane-app
valuesInline:
planeVersion: stable
postgres:
local_setup: false
servicePort: 5432
env:
pgdb_remote_url: postgresql://plane:w20t4g8h244ivjz0kef1hi10@postgres-base-rw.postgres.svc.cluster.local:5432/plane_db
certManager: true
ingress:
ingressClass: nginx
tls: true
appHost: plane.panic.haus
minioHost: minio.plane.panic.haus
rabbitmqHost: plane-app-rabbitmq
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"


@@ -0,0 +1,23 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: renovate
namespace: renovate
spec:
schedule: '@hourly'
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
containers:
- name: renovate
# Update the image if needed
image: renovate/renovate:39.211
env:
- name: LOG_LEVEL
value: debug
envFrom:
- secretRef:
name: renovate-env
restartPolicy: Never


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cronjob.yaml

3
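--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,3 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}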

34
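--- a/utils/migrate.yaml
+++ b/utils/migrate.yaml
@@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+namespace: jellyfin # namespace where the PVC's exist
+name: volume-migration
+spec:
+completions: 1
+parallelism: 1
+backoffLimit: 3
+template:
+metadata:
+name: volume-migration
+labels:
+name: volume-migration
+spec:
+restartPolicy: Never
+containers:
+- name: volume-migration
+image: ubuntu:xenial
+tty: true
+command: [ "/bin/sh" ]
+args: [ "-c", "cp -r -v /mnt/old /mnt/new" ]
+volumeMounts:
+- name: old-vol
+mountPath: /mnt/old
+- name: new-vol
+mountPath: /mnt/new
+volumes:
+- name: old-vol
+persistentVolumeClaim:
+claimName: media-pvc
+- name: new-vol
+persistentVolumeClaim:
+claimName: media-rwx-pvc # change to data target PVC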
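Review bot: `cp -r -v /mnt/old /mnt/new` copies into `/mnt/new/old`, because the destination already exists as a mount point, and `-r` alone does not preserve ownership, modes or timestamps. `cp -a -v /mnt/old/. /mnt/new/` copies the contents in place with metadata intact, which matters for media files whose ownership the consuming pods depend on. Adding `readOnly: true` to the `old-vol` entry under `volumeMounts` would protect the source during the migration. `ubuntu:xenial` is an end-of-life release, so a currently supported minimal image with coreutils is a better base even for a one-off job.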