Update Helm release plane-ce to v1.4.0

Reviewed-on: #3

.gitignore

@@ -0,0 +1 @@
+**/secret.yaml

deploy/arrs-suite/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - radarr-config-pvc.yaml
+  - sonarr-config-pvc.yaml
+  - sonarr-deploy.yaml
+  - radarr-deploy.yaml
+  - sonarr-svc.yaml
+  - radarr-svc.yaml
+  - sonarr-ingress.yaml
+  - radarr-ingress.yaml

deploy/arrs-suite/radarr-config-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: radarr-config
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi

deploy/arrs-suite/radarr-deploy.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+        - name: radarr
+          image: lscr.io/linuxserver/radarr:latest
+          ports:
+            - containerPort: 7878
+          env:
+            - name: PUID
+              value: "0"
+            - name: PGID
+              value: "0"
+            - name: TZ
+              value: Europe/Rome
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: media
+              mountPath: /media
+            - name: downloads
+              mountPath: /downloads
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: radarr-config
+        - name: media
+          persistentVolumeClaim:
+            claimName: media-rwx-pvc
+        - name: downloads
+          persistentVolumeClaim:
+            claimName: deluge-downloads

deploy/arrs-suite/radarr-ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radarr-ingress
+  namespace: jellyfin
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    acme.cert-manager.io/disable-http01-propagation-check: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  tls:
+  - hosts:
+    - radarr.beatrice.wtf
+    secretName: radarr-tls
+  rules:
+  - host: radarr.beatrice.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: radarr
+            port:
+              number: 80

deploy/arrs-suite/radarr-svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+  namespace: jellyfin
+spec:
+  selector:
+    app: radarr
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 7878

deploy/arrs-suite/sonarr-config-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sonarr-config
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi

deploy/arrs-suite/sonarr-deploy.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sonarr
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sonarr
+  template:
+    metadata:
+      labels:
+        app: sonarr
+    spec:
+      containers:
+        - name: sonarr
+          image: lscr.io/linuxserver/sonarr:latest
+          ports:
+            - containerPort: 8989
+          env:
+            - name: PUID
+              value: "0"
+            - name: PGID
+              value: "0"
+            - name: TZ
+              value: Europe/Rome
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: media
+              mountPath: /media
+            - name: downloads
+              mountPath: /downloads
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: sonarr-config
+        - name: media
+          persistentVolumeClaim:
+            claimName: media-rwx-pvc
+        - name: downloads
+          persistentVolumeClaim:
+            claimName: deluge-downloads

deploy/arrs-suite/sonarr-ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sonarr-ingress
+  namespace: jellyfin
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    acme.cert-manager.io/disable-http01-propagation-check: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  tls:
+  - hosts:
+    - sonarr.beatrice.wtf
+    secretName: sonarr-tls
+  rules:
+  - host: sonarr.beatrice.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sonarr
+            port:
+              number: 80

deploy/arrs-suite/sonarr-svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sonarr
+  namespace: jellyfin
+spec:
+  selector:
+    app: sonarr
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8989

deploy/deluge/deluge-config-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: deluge-config
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi

deploy/deluge/deluge-deploy.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deluge
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: deluge
+  template:
+    metadata:
+      labels:
+        app: deluge
+    spec:
+      securityContext:
+        runAsUser: 0
+      containers:
+        - name: deluge
+          image: bottledpills/deluge-openvpn:v1.7
+          securityContext:
+            privileged: true  # Often required for TUN/TAP devices
+            capabilities:
+              add:
+                - NET_ADMIN
+          ports:
+            - containerPort: 8112
+              protocol: TCP
+            - containerPort: 6881
+              protocol: TCP
+            - containerPort: 6881
+              protocol: UDP
+            - containerPort: 58846
+              protocol: TCP
+          env:
+            - name: TZ
+              value: Etc/UTC
+            - name: DELUGE_LOGLEVEL
+              value: "error"
+            - name: OPENVPN_PROVIDER
+              value: "nordvpn"
+            - name: OPENVPN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: nordvpn-credentials
+                  key: username
+            - name: OPENVPN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nordvpn-credentials
+                  key: password
+            - name: LOCAL_NETWORK
+              value: "10.10.10.0/24,10.244.0.0/24"
+          volumeMounts:
+            - name: config
+              mountPath: /config
+            - name: downloads
+              mountPath: /download
+            - name: dev-net-tun
+              mountPath: /dev/net/tun
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: deluge-config
+        - name: downloads
+          persistentVolumeClaim:
+            claimName: deluge-downloads
+        - name: dev-net-tun
+          hostPath:
+            path: /dev/net/tun
+            type: CharDevice

deploy/deluge/deluge-ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: deluge-ingress
+  namespace: jellyfin
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    acme.cert-manager.io/disable-http01-propagation-check: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  tls:
+  - hosts:
+    - torrent.beatrice.wtf
+    secretName: deluge-tls
+  rules:
+  - host: torrent.beatrice.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: deluge
+            port:
+              number: 80
+

deploy/deluge/deluge-svc.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: deluge
+  namespace: jellyfin
+spec:
+  selector:
+    app: deluge
+  ports:
+    - name: web
+      protocol: TCP
+      port: 80
+      targetPort: 8112
+    - name: torrent-tcp
+      protocol: TCP
+      port: 6881
+      targetPort: 6881
+    - name: torrent-udp
+      protocol: UDP
+      port: 6881
+      targetPort: 6881
+    - name: daemon
+      protocol: TCP
+      port: 58846
+      targetPort: 58846

deploy/deluge/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - shared-downloads-pvc.yaml
+  - deluge-config-pvc.yaml
+  - deluge-deploy.yaml
+  - deluge-ingress.yaml
+  - deluge-svc.yaml

deploy/deluge/shared-downloads-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: deluge-downloads
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 100Gi

deploy/drone/deploy.yaml

@@ -1,105 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: drone-pv
-  namespace: drone
-  labels:
-    name: drone-server
-spec:
-  storageClassName: longhorn
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Gi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: drone-server
-  namespace: drone
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      name: drone-server
-  template:
-    metadata:
-      labels:
-        name: drone-server
-    spec:
-      containers:
-        - name: drone-server
-          image: drone/drone:2.26.0
-          imagePullPolicy: Always
-          env:
-            - name: "DRONE_GITHUB_CLIENT_ID"
-              value: Ov23liTTrc709dX7YetV
-            - name: "DRONE_GITHUB_CLIENT_SECRET"
-              value: 7373d79bce815b380d503fb39c9373a53599897a
-            - name: "DRONE_RPC_SECRET"
-              value: f2ae9e7aea06ef9897a30c5e2b27f17c
-            - name: "DRONE_SERVER_HOST"
-              value: drone.diveedi.dev
-            - name: "DRONE_SERVER_PROTO"
-              value: https
-            - name: "DRONE_SERVER_PORT"
-              value: :80
-            - name: "DRONE_USER_CREATE"
-              value: "username:nicolag97,admin:true"
-            - name: "DRONE_USER_FILTER"
-              value: "ticketag,diveedi-lab"
-            - name: "DRONE_DATABASE_DRIVER"
-              value: "postgres"
-            - name: "DRONE_DATABASE_DATASOURCE"
-              value: "postgres://drone:be1932a990ec0d4a9720@postgres-rw.db:5432/drone?sslmode=disable"
-          volumeMounts:
-            - mountPath: /var/lib/drone
-              name: drone-lib
-      volumes:
-        - name: drone-lib
-          persistentVolumeClaim:
-            claimName: drone-pv
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: drone-server
-  namespace: drone
-  labels:
-    name: drone-server
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 80
-  selector:
-    name: drone-server
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: drone-ingress
-  namespace: drone
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - drone.panic.haus
-      secretName: drone-tls
-
-  rules:
-    - host: drone.panic.haus
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: drone-server
-                port:
-                  number: 80

deploy/drone/drone-ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: drone-ingress
+  namespace: drone
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:  
+        - drone.beatrice.wtf
+      secretName: drone-tls
+  
+  rules: 
+    - host: drone.beatrice.wtf
+      http:
+        paths:   
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: drone-server
+                port: 
+                  number: 80

deploy/drone/drone-pvc.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drone-lib-pvc
+  namespace: drone
+  labels:
+    name: drone-server
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drone-data-pvc
+  namespace: drone
+  labels:
+    name: drone-server
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi

deploy/drone/drone-rbac.yaml

@@ -0,0 +1,26 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: drone
+  name: drone
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "delete"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "create", "delete", "list", "watch", "update"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone
+  namespace: drone
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: drone
+roleRef:
+  kind: Role
+  name: drone
+  apiGroup: rbac.authorization.k8s.io

deploy/drone/drone-runner-amd64.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-amd64
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-amd64
+  template:
+    metadata:
+      labels:
+        app: drone-runner-amd64
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "amd64"
+      containers:
+        - name: drone-runner-amd64
+          image: drone/drone-runner-kube:latest
+          imagePullPolicy: Always
+          env:
+            - name: DRONE_RPC_HOST
+              value: "drone.beatrice.wtf"
+            - name: DRONE_RPC_PROTO
+              value: "https"
+            - name: DRONE_RPC_SECRET
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: DRONE_RUNNER_CAPACITY
+              value: "3"
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone"
+            - name: DRONE_NODE_SELECTOR_DEFAULT
+              value: "kubernetes.io/arch:amd64"

deploy/drone/drone-runner-arm64.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-arm64
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-arm64
+  template:
+    metadata:
+      labels:
+        app: drone-runner-arm64
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "arm64"
+      containers:
+        - name: drone-runner-arm64
+          image: drone/drone-runner-kube:latest
+          imagePullPolicy: Always
+          env:
+            - name: DRONE_RPC_HOST
+              value: "drone.beatrice.wtf"
+            - name: DRONE_RPC_PROTO
+              value: "https"
+            - name: DRONE_RPC_SECRET
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: DRONE_RUNNER_CAPACITY
+              value: "3"
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_NAMESPACE_DEFAULT
+              value: "drone"
+            - name: DRONE_NODE_SELECTOR_DEFAULT
+              value: "kubernetes.io/arch:arm64"

deploy/drone/drone-server.yaml

@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-server
+  namespace: drone
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: drone-server
+  template:
+    metadata:
+      labels:
+        name: drone-server
+    spec:
+      containers:
+        - name: drone-server
+          image: drone/drone:2
+          imagePullPolicy: Always
+          env:
+            - name: "DRONE_GITEA_CLIENT_ID"
+              value: "e6a4fb3b-e6b1-43dd-8f45-4def94742609"
+            - name: "DRONE_GITEA_CLIENT_SECRET"
+              value: "gto_4ggtzkrukdzsmheoa2b4wz5cza2jif6gpf7wunbrtxa74senlykq"
+            - name: "DRONE_GITEA_SERVER"
+              value: "https://git.beatrice.wtf"
+            - name: "DRONE_GIT_ALWAYS_AUTH"
+              value: "false"
+            - name: "DRONE_RPC_SECRET"
+              value: "26a2221fd8090ea38720fc445eca6a45a39a63fcce3ba30712e7153b855f8"
+            - name: "DRONE_WEBHOOK_SECRET"
+              value: "9329e50de8f250dc3c997571f395d09e"
+            - name: "DRONE_SERVER_HOST"
+              value: "drone.beatrice.wtf"
+            - name: "DRONE_SERVER_PROTO"
+              value: "https"
+            - name: "DRONE_SERVER_PORT"
+              value: ":80"
+            - name: "DRONE_SERVER_BUILD_LIMIT"
+              value: "9"
+            - name: "DRONE_ALLOW_PRIVILEGED"
+              value: "true"
+            - name: "DRONE_LOGS_DEBUG"
+              value: "true"
+          volumeMounts:
+            - mountPath: /var/lib/drone
+              name: drone-lib
+            - mountPath: /data
+              name: drone-data
+      volumes:
+        - name: drone-lib
+          persistentVolumeClaim:
+            claimName: drone-lib-pvc
+        - name: drone-data
+          persistentVolumeClaim:
+            claimName: drone-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: drone-server
+  namespace: drone
+  labels:
+    name: drone-server
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  selector:
+    name: drone-server

deploy/drone/kustomization.yaml

@@ -1,2 +1,7 @@
 resources:
-  - deploy.yaml
+  - drone-rbac.yaml
+  - drone-server.yaml
+  - drone-runner-arm64.yaml
+  - drone-runner-amd64.yaml
+  - drone-ingress.yaml
+  - drone-pvc.yaml

deploy/jackett/flaresolverr-deploy.yaml

@@ -0,0 +1,32 @@
+# Flaresolverr Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: flaresolverr
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: flaresolverr
+  template:
+    metadata:
+      labels:
+        app: flaresolverr
+    spec:
+      containers:
+      - name: flaresolverr
+        image: ghcr.io/flaresolverr/flaresolverr:latest
+        ports:
+        - containerPort: 8191
+        env:
+        - name: LOG_LEVEL
+          value: "info"
+        - name: LOG_HTML
+          value: "false"
+        - name: CAPTCHA_SOLVER
+          value: "none"
+        - name: TZ
+          value: "Europe/Rome"
+        - name: HOME
+          value: "/tmp"

deploy/jackett/flaresolverr-ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: flaresolverr-ingress
+  namespace: jellyfin
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    acme.cert-manager.io/disable-http01-propagation-check: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  tls:
+  - hosts:
+    - flaresolverr.beatrice.wtf
+    secretName: flaresolverr-tls
+  rules:
+  - host: flaresolverr.beatrice.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: flaresolverr
+            port:
+              number: 80

deploy/jackett/flaresolverr-svc.yaml

@@ -0,0 +1,14 @@
+# Flaresolverr Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: flaresolverr
+  namespace: jellyfin
+spec:
+  selector:
+    app: flaresolverr
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 8191

deploy/jackett/jackett-blackhole-pvc.yaml

@@ -0,0 +1,13 @@
+# PVC for Jackett "blackhole" (downloads) folder
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jackett-blackhole
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 10Gi

deploy/jackett/jackett-config-pvc.yaml

@@ -0,0 +1,13 @@
+# PVC for Jackett configuration
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jackett-config
+  namespace: jellyfin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 10Gi

deploy/jackett/jackett-deploy.yaml

@@ -0,0 +1,44 @@
+# Jackett Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jackett
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jackett
+  template:
+    metadata:
+      labels:
+        app: jackett
+    spec:
+      containers:
+      - name: jackett
+        image: lscr.io/linuxserver/jackett:latest
+        ports:
+        - containerPort: 9117
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Etc/UTC"
+        - name: AUTO_UPDATE
+          value: "true"
+        - name: RUN_OPTS
+          value: ""
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - name: blackhole
+          mountPath: /downloads
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: jackett-config
+      - name: blackhole
+        persistentVolumeClaim:
+          claimName: jackett-blackhole

deploy/jackett/jackett-ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jackett-ingress
+  namespace: jellyfin
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    acme.cert-manager.io/disable-http01-propagation-check: "true"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  tls:
+  - hosts:
+    - jackett.beatrice.wtf
+    secretName: jackett-tls
+  rules:
+  - host: jackett.beatrice.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jackett
+            port:
+              number: 80

deploy/jackett/jackett-svc.yaml

@@ -0,0 +1,14 @@
+# Jackett Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: jackett
+  namespace: jellyfin
+spec:
+  selector:
+    app: jackett
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 9117

deploy/jackett/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - jackett-blackhole-pvc.yaml
+  - jackett-config-pvc.yaml
+  - jackett-deploy.yaml
+  - jackett-svc.yaml
+  - jackett-ingress.yaml
+  - flaresolverr-deploy.yaml
+  - flaresolverr-svc.yaml
+  - flaresolverr-ingress.yaml

deploy/jellyfin/media-storage.yaml

@@ -21,7 +21,7 @@ metadata:
 spec:
   storageClassName: media-storage
   accessModes:
-    - ReadWriteMany  # Longhorn supports RWO; if RWX is needed, enable RWX mode in Longhorn UI
+    - ReadWriteMany
   resources:
     requests:
-      storage: 500Gi
+      storage: 1050Gi

deploy/longhorn/longhorn-dashboard.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-dashboard
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
+spec:
+  tls:
+    - hosts:
+        - longhorn.panic.haus
+      secretName: longhorn-tls
+  rules:
+    - host: longhorn.panic.haus
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: longhorn-frontend
+                port:
+                  number: 80
+

deploy/longhorn/longhorn-ingress.yaml

@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-ingress
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy-service.longhorn-system.svc.cluster.local:4180/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://longhorn.panic.haus/oauth2/start?rd=$escaped_request_uri"
+spec:
+  tls:
+    - hosts:
+        - longhorn.panic.haus
+      secretName: longhorn-tls
+  rules:
+    - host: longhorn.panic.haus
+      http:
+        paths:
+          - path: /oauth2
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy-longhorn-service
+                port:
+                  number: 4180
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: longhorn-frontend
+                port:
+                  number: 80

deploy/longhorn/oauth2-proxy-longhorn-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oauth2-proxy-longhorn-ingress
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+    - host: longhorn.panic.haus
+      http:
+        paths:
+          - path: /oauth2
+            pathType: Prefix
+            backend:
+              service:
+                name: oauth2-proxy-longhorn-service
+                port:
+                  number: 4180

deploy/longhorn/oauth2-proxy-longhorn-svc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy-longhorn-service
+  namespace: longhorn-system
+spec:
+  ports:
+  - port: 4180
+    targetPort: 4180
+    protocol: TCP
+    name: http
+  selector:
+    app: oauth2-proxy-longhorn

deploy/longhorn/oauth2-proxy-longhorn.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy-longhorn
+  namespace: longhorn-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oauth2-proxy-longhorn
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy-longhorn
+    spec:
+      containers:
+      - name: oauth2-proxy-longhorn
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+        args:
+          - --provider=keycloak
+          - --client-id=longhorn
+          - --client-secret=0U2QuP1QMAXln8bzwJ3aJMIvaH9t2QvJ
+          - --cookie-secret=lDE7du7SlDuG1UySIZUhcHfuk5HlgFlgDWdHD_PQ9UI=
+          - --oidc-issuer-url=https://sso.beatrice.wtf/auth/realms/panic-haus
+          - --cookie-domain=longhorn.panic.haus
+          - --email-domain=*
+          - --http-address=0.0.0.0:4180
+          - --redirect-url=https://longhorn.panic.haus/oauth2/callback
+          -  --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local:80
+          - --scope=openid
+          - --login-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/auth
+          - --validate-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/userinfo
+          - --redeem-url=https://sso.beatrice.wtf/auth/realms/panic-haus/protocol/openid-connect/token
+          - --skip-auth-regex=^(?:https?:\/\/)?longhorn\.panic\.haus\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$|^\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$
+        ports:
+          - name: http
+            containerPort: 4180
+            protocol: TCP

deploy/metrics-server/components.yaml

@@ -0,0 +1,202 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes/metrics
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        k8s-app: metrics-server
+    spec:
+      containers:
+      - args:
+        - --cert-dir=/tmp
+        - --secure-port=10250
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-use-node-status-port
+        - --metric-resolution=15s
+        - --kubelet-insecure-tls
+        image: registry.k8s.io/metrics-server/metrics-server:v0.7.2
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        name: metrics-server
+        ports:
+        - containerPort: 10250
+          name: https
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /readyz
+            port: https
+            scheme: HTTPS
+          initialDelaySeconds: 20
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-dir
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      volumes:
+        - emptyDir: {}
+          name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 100
+  insecureSkipTLSVerify: true
+  service:
+    name: metrics-server
+    namespace: kube-system
+  version: v1beta1
+  versionPriority: 100

deploy/metrics-server/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - components.yaml

deploy/plane-ce/kustomization.yaml

@@ -0,0 +1,24 @@
+namespace: plane-ce
+
+helmCharts:
+  - name: plane-ce
+    repo: https://helm.plane.so/
+    version: 1.4.0
+    releaseName: plane-app
+    valuesInline:
+      planeVersion: stable
+      postgres:
+        local_setup: false
+        servicePort: 5432
+      env:
+        pgdb_remote_url: postgresql://plane:w20t4g8h244ivjz0kef1hi10@postgres-base-rw.postgres.svc.cluster.local:5432/plane_db
+      certManager: true
+      ingress:
+        ingressClass: nginx
+        tls: true
+        appHost: plane.panic.haus
+        minioHost: minio.plane.panic.haus
+        rabbitmqHost: plane-app-rabbitmq
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"

deploy/renovate/cronjob.yaml

@@ -0,0 +1,23 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: renovate
+              # Update the image if needed
+              image: renovate/renovate:39.211
+              env:
+                - name: LOG_LEVEL
+                  value: debug
+              envFrom:
+                - secretRef:
+                    name: renovate-env
+          restartPolicy: Never

deploy/renovate/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cronjob.yaml

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

utils/migrate.yaml

@@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: jellyfin  # namespace where the PVC's exist
+  name: volume-migration
+spec:
+  completions: 1
+  parallelism: 1
+  backoffLimit: 3
+  template:
+    metadata:
+      name: volume-migration
+      labels:
+        name: volume-migration
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: volume-migration
+          image: ubuntu:xenial
+          tty: true
+          command: [ "/bin/sh" ]
+          args: [ "-c", "cp -r -v /mnt/old /mnt/new" ]
+          volumeMounts:
+            - name: old-vol
+              mountPath: /mnt/old
+            - name: new-vol
+              mountPath: /mnt/new
+      volumes:
+        - name: old-vol
+          persistentVolumeClaim:
+            claimName: media-pvc
+        - name: new-vol
+          persistentVolumeClaim:
+            claimName: media-rwx-pvc # change to data target PVC