diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml new file mode 100644 index 0000000..03e4be7 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml @@ -0,0 +1,205 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: bitwarden +spec: + interval: 30m + chart: + spec: + chart: self-host + version: 2024.11.0 + sourceRef: + kind: HelmRepository + name: bitwarden + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + sharedStorageClassName: "cluster-nvme" + general: + admins: "${SECRET_ADMIN_EMAIL}" + disableUserRegistration: "false" + cloudRegion: US + enableCloudCommunication: true + sharedStorageClassName: "cluster-nvme" + volumeAccessMode: "ReadWriteOnce" + domain: "bitwarden.${SECRET_EXTERNAL_DOMAIN}" + ingress: + enabled: true + className: traefik + annotations: + gethomepage.dev/enabled: "true" + gethomepage.dev/group: Home + gethomepage.dev/name: Bitwarden + gethomepage.dev/description: Password management + gethomepage.dev/icon: bitwarden + tls: + name: bitwarden-tls + clusterIssuer: letsencrypt-production + paths: + web: + path: / + pathType: ImplementationSpecific + attachments: + path: /attachments/ + pathType: ImplementationSpecific + api: + path: /api/ + pathType: ImplementationSpecific + icons: + path: /icons/ + pathType: ImplementationSpecific + notifications: + path: /notifications/ + pathType: ImplementationSpecific + events: + path: /events/ + pathType: ImplementationSpecific + scim: + path: /scim/ + pathType: ImplementationSpecific + sso: + path: /sso/ + pathType: ImplementationSpecific + identity: + path: /identity/ + pathType: ImplementationSpecific + admin: + path: /admin/ + pathType: ImplementationSpecific + email: + smtpSsl: "false" + smtpPort: "465" + smtpHost: "${SECRET_SMTP_HOST}" + replyToEmail: "${SECRET_SMTP_FROM}" + secrets: + secretName: bitwarden-secret + database: + enabled: false + #volume: + # backups: + # storageClass: "cluster-nvme" + # data: + # storageClass: "cluster-nvme" + # log: + # storageClass: "cluster-nvme" + volume: + dataprotection: + storageClass: "cluster-nvme" + attachments: + storageClass: "cluster-nvme" + licenses: + storageClass: "cluster-nvme" + logs: + enabled: true + storageClass: "cluster-nvme" + # rawManifests: + # preInstall: [] + # postInstall: + # - apiVersion: traefik.io/v1alpha1 + # kind: Middleware + # metadata: + # name: "bitwarden-self-host-middleware-stripprefix" + # spec: + # stripPrefix: + # prefixes: + # - /api + # - /attachements + # - /icons + # - /notifications + # - /events + # - /scim + # ##### NOTE: Admin, Identity, and SSO will not function correctly with path strip middleware + # - apiVersion: traefik.io/v1alpha1 + # kind: IngressRoute + # metadata: + # name: "bitwarden-self-host-ingress" + # spec: + # entryPoints: + # - websecure + # routes: + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/`) + # services: + # - kind: Service + # name: bitwarden-self-host-web + # passHostHeader: true + # port: 5000 + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/api/`) + # services: + # - kind: Service + # name: bitwarden-self-host-api + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/attachments/`) + # services: + # - kind: Service + # name: bitwarden-self-host-api + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/icons/`) + # services: + # - kind: Service + # name: bitwarden-self-host-icons + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/notifications/`) + # services: + # - kind: Service + # name: bitwarden-self-host-notifications + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/events/`) + # services: + # - kind: Service + # name: bitwarden-self-host-events + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/scim/`) + # services: + # - kind: Service + # name: bitwarden-self-host-scim + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # ##### NOTE: SSO will not function correctly with path strip middleware + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/sso/`) + # services: + # - kind: Service + # name: bitwarden-self-host-sso + # port: 5000 + # ##### NOTE: Identity will not function correctly with path strip middleware + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/identity/`) + # services: + # - kind: Service + # name: bitwarden-self-host-identity + # port: 5000 + # ##### NOTE: Admin will not function correctly with path strip middleware + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/admin`) + # services: + # - kind: Service + # name: bitwarden-self-host-admin + # port: 5000 + # tls: + # certResolver: letsencrypt-production diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml new file mode 100644 index 0000000..95bf474 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml new file mode 100644 index 0000000..ce98397 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml @@ -0,0 +1,34 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: bitwarden-secret +stringData: + replyToEmail: ENC[AES256_GCM,data:7NR/XlAqsO4PtCNKQ890Njv6Qh2Jp6W/t0Lc8px7,iv:VznXZaMbwLda8LkrJDTc2UKurHRWqGTJ1T0/1C3VMus=,tag:Z+Wkfb7DqcaPam7AFrvWUw==,type:str] + globalSettings__installation__id: ENC[AES256_GCM,data:U091rHP2N4UjYgSdGrkDvSBZHQu9w8s75xWPCp6gfZ0773gW,iv:PZ2hBlqta/sclVQUtO6LYD/ZhL6e+Q+yDESxrt6CYjQ=,tag:1A/9gKzuflMqOktyoZ5adQ==,type:str] + globalSettings__installation__key: ENC[AES256_GCM,data:/pWJt9ElR+mgiv5m8I0Gdb5Z6H8=,iv:31bd6uhc45WMi41iACel8/YOjDjVTDxoR3Ok19+U43A=,tag:xtI3eCRActaFajUqVdxemw==,type:str] + globalSettings__mail__smtp__username: ENC[AES256_GCM,data:wGph7iTpKhvYXjsFKnPIFevGsJvgovvfNnIJPjFf,iv:o7l19Onw6PHMmk19e++zTArLmZrwSIAXgDpuwaDhjuo=,tag:ojY3lQFiP3G3oYeVQXri7A==,type:str] + globalSettings__mail__smtp__password: ENC[AES256_GCM,data:OQ3mROVpRAZ2MNFZtvRV0N74EPOaSdSvmaOJas1JCgEbHHNq0laLg5r2ufTYz9vA0aM=,iv:vB9ElILgqKyvY6wgQ8Nesg2pygGK9mcjIhEYGsHVWEQ=,tag:l84bsTR3twb3Al19FKezqA==,type:str] + globalSettings__sqlServer__connectionString: ENC[AES256_GCM,data:mJxp4MXvqV4T+/J7O0XX6+Z4kmo4IVFYvUPEBU0uaJ3w0YNcqPps+LH9pgFNOjwBWCAQ8QxvCH9ul2uSiYGhy41YjLsQD4X/UF1Hhimezc3IrexCDFkXXl4WIACAZjpQf6morvx9+/v0EvdxofP7auWQ2BGcid4lHYxO78gEAvPaueS+L0TerqEpEnxS26r2uMLOe2w5L0hxBKGQyWmWPx8mTAJXTgTaXAvKLT2G97JNa9a5EQSAPuBoi95F+CkQBEwbo6uwrcJS6DTWQmNefEdZ1D7Abp50zlpJfC7Tuf54tjnHyGya9EWEwc32mTadqCto047ySvDNNB2jgrG97HXvnqOo4LGpZn9jYGJsJZjVFibiy2+WHzgxDmU=,iv:Nq4LIbSDzk9WurGEPojUfRe8WqEOGO4t7WnfyYoupVo=,tag:yV7w9j9gRKuAsgsnxncUtA==,type:str] + #ENC[AES256_GCM,data:r7/63ugBvNNcFQGkau56LkG5lNH0NwvuA0OiRj0FOjAWlbf6sR7v5JOgIy97uMC+mBWy8A+OGZFO8p4bosrdrmzuomArHNnM4oWN498=,iv:2TaG5UkIEjLwPQpEZjOJdEviNNnSVi/e1lUUckJ+KqM=,tag:BPd/IOSUJvS1/mgPqqSlyQ==,type:comment] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRGFTc01qRmdlMzZ0WE53 + OWtoUzBaMUp4T3FoYnJuVGhGODVna1RHYkRZCk0xWEVjOWp2YW9NZmE0MnNFYnJX + OEdHbkdsOWM4Tk44aTRVZ0VoNWorWDAKLS0tIHp2SE9Wd1lmTmV2eUFYRmRYNDZn + NFR5QkpIaFQ5Tk1FdGV3aUtzNTZsRXcKyNl9cFicgjcTiGkoQK/StLd7FEHGUVWD + hs8+h4ak+r++3+KpUay4aNqY09RtAzvUd4Vl3VQ2tYt/TOlDrgErHQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-29T17:22:46Z" + mac: ENC[AES256_GCM,data:+KthNzUdXl/XgnupjWiEdk8EHvHldUvUwfWT7FNpR+Pysl/fdI1fAK02rXOlY0ABCKpejSIobHipy3RkxTXiF6PPGTC4R0aoqxRvZjyXDCUaHc3F4KdYBH4vkGoBchosHJnOX0qymSEGbzJERRSjxEZ3JDg0JRIEB8jQtObGivs=,iv:w7XSWHs1RaDAuxsImvxDHo96T6qwaaYlXGZUP2nfqLg=,tag:QNSjFrABn8tf8nQlu5MXkw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml b/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml new file mode 100644 index 0000000..2792893 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app bitwarden + namespace: flux-system +spec: + targetNamespace: bitwarden + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/bitwarden/bitwarden/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/main/apps/bitwarden/kustomization.yaml b/kubernetes/main/apps/bitwarden/kustomization.yaml new file mode 100644 index 0000000..85537a8 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + #- ./bitwarden/ks.yaml diff --git a/kubernetes/main/apps/bitwarden/namespace.yaml b/kubernetes/main/apps/bitwarden/namespace.yaml new file mode 100644 index 0000000..8fdd863 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: bitwarden + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml index 7d24abe..42d1e92 100644 --- a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml @@ -30,7 +30,7 @@ spec: fsGroup: 2000 fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - - 65542 # gladius:external-services + - 3005 containers: app: diff --git a/kubernetes/main/apps/downloads/kustomization.yaml b/kubernetes/main/apps/downloads/kustomization.yaml index 17462ef..ea54d60 100644 --- a/kubernetes/main/apps/downloads/kustomization.yaml +++ b/kubernetes/main/apps/downloads/kustomization.yaml @@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml - - ./archivebox/ks.yaml + #- ./archivebox/ks.yaml - ./bazarr/ks.yaml - ./flaresolverr/ks.yaml - ./prowlarr/ks.yaml - ./radarr/ks.yaml - ./recyclarr/ks.yaml - ./sonarr/ks.yaml - - ./qbittorrent/ks.yaml + #- ./qbittorrent/ks.yaml diff --git a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml index 46e72af..8986cc0 100644 --- a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml @@ -22,10 +22,10 @@ spec: reloader.stakater.com/auto: "true" pod: securityContext: - runAsUser: 2000 - runAsGroup: 2000 + runAsUser: 600 + runAsGroup: 3005 runAsNonRoot: true - fsGroup: 2000 + fsGroup: 3005 fsGroupChangePolicy: OnRootMismatch containers: app: diff --git a/kubernetes/main/apps/downloads/prowlarr/app/secret.sops.yaml b/kubernetes/main/apps/downloads/prowlarr/app/secret.sops.yaml index 46f159c..c888418 100644 --- a/kubernetes/main/apps/downloads/prowlarr/app/secret.sops.yaml +++ b/kubernetes/main/apps/downloads/prowlarr/app/secret.sops.yaml @@ -5,7 +5,7 @@ type: Opaque metadata: name: prowlarr-secret stringData: - API_KEY: ENC[AES256_GCM,data:5wzcM0WIHaUAWdo2oD2o0VA1xmW254yGIPbBs4IOvUdeLqMgvrQeELs7oFS9OSLP,iv:BdGNl7zWRm06Fi6oadjCcxwjWBr8egl6GerLx7JWq4g=,tag:leaytQdTWoRb7OJ8oMHM+w==,type:str] + API_KEY: ENC[AES256_GCM,data:3uj8j4U/UE3sF24NhaogvUOz1gFkjVZeX0d4IQQihEs=,iv:qklcOdRll6clgcVccLE7L4el31aOl1qToZPRkeWMpgU=,tag:LIrB555zX/EY7KXsDOJyow==,type:str] sops: kms: [] gcp_kms: [] @@ -15,14 +15,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UGpkMUN3ZzNtVjJlcUJV - QU0wd05Xci9ydEZGbW1zMHBsNHV1ZUloZUdFCjVDMHdnMVF1bTZMYUc2Y0ZSUDFm - T2pqT0k4QUJIY3ZsZVVtcy9DNmYzSmMKLS0tIHIyanNSZmtkVkNrejhTaERaakJr - c1VKTWZJVUNPOFZUNjJ0eFpIMEYvNDQKtOOLotFwvPsq+dDgkIYzwNblHSoEYEi/ - SSAzf32ufxFQRAEzIkIIwc7GKpcKkhF+8CoG+c/JE9VUeJ0+tty1Pg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QlVhWXJnVEUyN0hTbFVO + eVJCWk9aYzIrcC9LcUNNOHVyRDZWTjdVVmdZCnBqWlJoZUZLdGZTdXg1emlTeWFM + UHdVWE50S3VPTklxOHRHZjlXUTlORTQKLS0tIHlMeW9VWnBFeTIyM3I4QnlsbFdQ + M3hXVklGUWhVSEdkbWdWOUJiS1RpQ0UKI/HPah2WCDhQZbD4bhGTLbWHfDdtdTPC + qfRVxSNBF/g7zPGWIRI0ujA/lh87OGjb4vM6dn5kFltR/plLz2g/jw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-09T21:41:45Z" - mac: ENC[AES256_GCM,data:otC8H0PW9z1xNQfovLiQkzckWK5Pe26wDwSKk+B95NEvv9CjzZrYkHg7L03dP9EHBHB2uiEGexCi4Tq5Zrs+1r39II71NC3YinI14K4318yAMxWTzzbWy8jeUrvXXVbxEem7JIh3+foIqcbmMtb+VmO2fyzoB0ztByiSUTrfPnU=,iv:dDkPerAall8Ltub1RG4ubhg1cqPiPzA4MHSGIlRHCwA=,tag:fG+JRMuE6RlfImG3G8H6Nw==,type:str] + lastmodified: "2024-12-10T05:47:36Z" + mac: ENC[AES256_GCM,data:bb2QRSkFZxuiPve8RkfhJn4cfdA8t4v2wi5n8I6GOt+MNxHoG9UeRWyPhs2CszPyZh0qrFBGxhAOrFEIaJt24Jq57hhBurllFck3WUHHC9aE/I0ArQMtwELxg88BDhFreeWuxCCyx5vLYfyKbjwUtoDuDQ5nJTfaLfwdBqk+JKE=,iv:JPBp8GMJMNqlc4matmMaNwukktmB5kvh8NvMh1oh9YE=,tag:gH4P1Dt1fxIGqJBI+alx1w==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml b/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml index 33fd9df..af64861 100644 --- a/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml @@ -62,11 +62,11 @@ spec: fsGroup: 2000 fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - - 501 + - 3005 terminationGracePeriodSeconds: 120 containers: - qbittorrent: - #nameOverride: qbittorrent + app: + nameOverride: qbittorrent image: repository: ghcr.io/liana64/qbittorrent-beta tag: 5.0.2@sha256:84961a7f137dc4d80460ca0bf4746477f751767579278ae0d4164dcb5cc735d5 @@ -138,13 +138,13 @@ spec: drop: - ALL service: - qbittorrent: + app: controller: qbittorrent ports: http: port: *port ingress: - qbittorrent: + app: className: traefik annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" @@ -159,7 +159,7 @@ spec: paths: - path: / service: - identifier: qbittorrent + identifier: app port: http tls: - secretName: qbittorrent-tls @@ -184,7 +184,7 @@ spec: path: ${NFS_MEDIA} advancedMounts: qbittorrent: - qbittorrent: + app: - path: /data/r720xd-media readOnly: false dnsdist: diff --git a/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml index 75df650..b22f20d 100644 --- a/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml @@ -22,13 +22,11 @@ spec: reloader.stakater.com/auto: "true" pod: securityContext: - runAsUser: 2000 - runAsGroup: 2000 + runAsUser: 600 + runAsGroup: 3005 runAsNonRoot: true - fsGroup: 2000 + fsGroup: 3005 fsGroupChangePolicy: "OnRootMismatch" - supplementalGroups: - - 501 containers: app: image: @@ -112,4 +110,4 @@ spec: radarr: app: - path: /data/r720xd-media - readOnly: true + readOnly: false diff --git a/kubernetes/main/apps/downloads/radarr/app/secret.sops.yaml b/kubernetes/main/apps/downloads/radarr/app/secret.sops.yaml index 88a642a..da71371 100644 --- a/kubernetes/main/apps/downloads/radarr/app/secret.sops.yaml +++ b/kubernetes/main/apps/downloads/radarr/app/secret.sops.yaml @@ -5,7 +5,7 @@ type: Opaque metadata: name: radarr-secret stringData: - api_key: ENC[AES256_GCM,data:XkW/YA9BNLykhXbjUgMh6y0T/LeEZv9aswXpLPfm3hDDZuIOi02xrMKFQ8s=,iv:tChWTpvFhe9QKfryTkdLBxrDeUZV+nMi5GqTRTfLiPs=,tag:NHZi8WRndIriZDwX066FKA==,type:str] + api_key: ENC[AES256_GCM,data:ljSxSCIrysdpD6XqyoGfarPqppjwicVHkdSxsJoPov4=,iv:L4lac0lhK3qO+XOMz4j8HYAIMvkXUKLVXyS+VEBeYpA=,tag:0jHhKVg7exrp6o7K39L/xQ==,type:str] sops: kms: [] gcp_kms: [] @@ -15,14 +15,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTFpmM05xZ3F0R0VqTDBU - OGJoRzJPTHVrNUw1c2JqZWlzeDhYNE5Ja2dnCjUwZlpuQ1dkcGhnY0p3ZkNZV000 - RVc2ODhYcFZFSTNHMzBBNUo3M0g2RHcKLS0tIHhEdlFEbWN3eHhRVFRpNU1hOEYr - djY2TkZPZVY0Q3BSQzhvVE1BVDBsQlUK/5XRuVofHjLBAoXff2PKiuK/mQKZXf05 - xXbElNkxDL+BZETZUCEZ+smQuSfyiEwtP12V+JCzpQM3loUu53DyqA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bmZmcjVrc1g3SnJnSEZw + cXZtM0xWTk1DVTZ1ejlXWmMwNzRacTZ1c1Z3CmdNa0pXMWhFd0pqdmJjaGIzVnNV + R04zbHhpNERtdzdwM1Jwa0cyQi9hMjgKLS0tIHNSajJSQjlSekxHc01aaU1wZGlT + bjEwUnZtYnJ4ZDI2RXdsMk5kR3hvaXMKmtlKZCSDWvON0QnSrCX9n1ZHFoeO0eue + fefuj3z5VEJvCOPo/ee+/rJHxE4YZHgVhBF3jmrq/Bq4KJesuARJcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-10T05:11:25Z" - mac: ENC[AES256_GCM,data:M7+WgAGETcqwG5PHV4fKzDRF4MIFB6YwicclVgrcK5+Z0s6W4GxsC1iaoYYGFbjCge8a+7zdkcfwfZTMne460FZPOFYrwzZQD45dtrihMbMjBBXM3Yv6gkJiQjcOnmnSTQJDOMfGxoc01eXyg9DXPBtv13EcfbTlYVeV85MwOFM=,iv:oNmUIPbkSkIUbkjHvQ4/jrY0F01Yo6j6/32yStNthXg=,tag:Y2KqkLeEV090ibJsDAxjLg==,type:str] + lastmodified: "2024-12-10T05:47:36Z" + mac: ENC[AES256_GCM,data:8OshZYgK3fGwBEA8ZKFs+whhmfTpTBCNO6lJQ491iRRCc09whurAHqimO92f+DfyZ3ZthvKgq8JdXFs5Rfi4UqPZg7ImhlSWfR7w1KShLUK41mdsZy+kDTPrdYzgDKl1ubH+Esd+ORa0p0oUs0CKN/4qkxg5zl3igmLfx5+r5Sg=,iv:njwFCWnXSRi0aeb/6pX17+L0bNMLVdB7o4AignvEKk4=,tag:afm4n8O5g/84/oOgx3i4XQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/main/apps/downloads/recyclarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/recyclarr/app/helmrelease.yaml index 4862b57..e14020d 100644 --- a/kubernetes/main/apps/downloads/recyclarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/recyclarr/app/helmrelease.yaml @@ -66,15 +66,16 @@ spec: persistence: config: - existingClaim: recyclarr-config - advancedMounts: - recyclarr: - app: - - path: /config + storageClass: cluster-nvme + accessMode: ReadWriteOnce + size: 1Gi + retain: true + globalMounts: + - path: /config config-file: type: configMap name: recyclarr-configmap globalMounts: - - path: /config/recyclarr.yml - subPath: recyclarr.yml + - path: /config/recyclarr.yaml + subPath: recyclarr.yaml readOnly: true diff --git a/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml index 5858cbd..64066dc 100644 --- a/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml @@ -24,13 +24,11 @@ spec: pod: securityContext: - runAsUser: 2000 - runAsGroup: 2000 + runAsUser: 600 + runAsGroup: 3005 runAsNonRoot: true - fsGroup: 2000 + fsGroup: 3005 fsGroupChangePolicy: "OnRootMismatch" - supplementalGroups: - - 65542 # gladius:external-services containers: app: @@ -118,8 +116,4 @@ spec: sonarr: app: - path: /data/r720xd-media - readOnly: true - add-ons: - type: emptyDir - tmp: - type: emptyDir + readOnly: false diff --git a/kubernetes/main/apps/downloads/sonarr/app/secret.sops.yaml b/kubernetes/main/apps/downloads/sonarr/app/secret.sops.yaml index d57ae44..76d6063 100644 --- a/kubernetes/main/apps/downloads/sonarr/app/secret.sops.yaml +++ b/kubernetes/main/apps/downloads/sonarr/app/secret.sops.yaml @@ -5,7 +5,7 @@ type: Opaque metadata: name: sonarr-secret stringData: - api_key: ENC[AES256_GCM,data:rpE1OKVYtwRyczuvlLhbBGzc9xGPXczfAuATKPeBjd95GKvzVAk/pKLZDzU=,iv:HG93BmB4xllu906DkyYJoKRw/thnVl//tXMFQ4Dv9bI=,tag:BpvPoCtf4qm4qWvtgG3O0A==,type:str] + api_key: ENC[AES256_GCM,data:MmfBzm5K7Bt6wiZaT8k+mUFRpCJQ1wHYyHUBnNSY2dnH3X8jkbHzyLaRSZQ=,iv:qEaUSRwH2MBBrt+0Q3mcMR5cow0Dl3Qs5XZErJ5CXWI=,tag:cEr/H6jSZ4zwzfNxwSeQHg==,type:str] sops: kms: [] gcp_kms: [] @@ -15,14 +15,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTlhjcy9WVS95YU1ra2Z4 - N0g1R05jWU9tb0JlLzRTSGdTYVhTSzhzVHpRCmNRSk44NExRTGMxMlV5VENIeEty - YmdYRVZNRi9NQVVIcWZKR3Z4Y1RYSFEKLS0tIE5kSlpoR2tGdGZVcnpCZmhRUnBT - MFRmM3NTa0llZUZwQ2ZFVlJTanpwZkkKe29CTcpltrnF84d64/N3n6PJJiml8eRA - XxD6R8LarIScjxYEklXtA1SM3rPomU9XYG8sH/2FQM509H972r8G8Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDKzg3alRmYlNPaFFBemJF + b1FBRG9rQjBiU2R6ZDM0MkUvcitSd2ZwVG5zCjh2ZjZlcmxPUHpuc0VVbUlveFd6 + YXVML05DeGs4Y0NKTGxDN3l2QlBQeGcKLS0tIEYvblE2WUVHUmZXNW9OTDFVOWJ2 + b2VrWVB6blB3Ri9zemlVUWxuNGxvZTAKuHjOxWkVj3lqaQ+YwTcfEsLxv3/iiiEE + ITCX9zctdcskQCa02J3X5pgp7fsL0u1nJ9USJVdppYJdF8TBXsGWoQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-10T05:11:25Z" - mac: ENC[AES256_GCM,data:1WhyEH4wYHcV2GAl7Y3s3Y/LP++OSyyeN3pN/+UnVo6byjPLTTf/ZDcuJ36EmHNfOssJjwqqqkWwoKiJ4ir6TpyR1jn4j7nK3u6xKEB9Kc9k0ON/TB+3C1zQzIVlZvak/xyHEXRKDcyHZhc5jcR25UXBzV5CEXXlgU2ZkF8g/MY=,iv:nB/Q/0dtqtWZ8lfEc1sVNphXvDBwrrATflUqJ1/Ce6Y=,tag:ez+zAfTEkMo8OM8KP3DKOA==,type:str] + lastmodified: "2024-12-10T05:47:36Z" + mac: ENC[AES256_GCM,data:woD0t/lQ6uXMqJvJ6zqz57H0Hdy1FWrbCABlWv+fNmky/jEk4GnIIinhcrSbtd8MwMHltZMHYds2Yz/1jw5+o4+cMXk1Ocnh4AM1gb/SDsSyw8WXvtc5FZdQSY4CqbGnO4vfhAsDMOag/OuXZ0x5sB3N24Umfw1PR1cKh5/rVAU=,iv:JnLYDVtOxGnumjNQAjGwm2z96B6NnGMG/dzSMxaW5Bg=,tag:aBfL2LDzHWqdd8xVR9M4Eg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml b/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml index 7d4489b..71fa51e 100644 --- a/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml @@ -30,7 +30,7 @@ spec: fsGroup: 2000 fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - - 501 + - 3005 containers: app: image: diff --git a/kubernetes/main/apps/observability/kube-state-metrics/app/helmrelease.yaml b/kubernetes/main/apps/observability/kube-state-metrics/app/helmrelease.yaml index 92eba3d..bcf4d8b 100644 --- a/kubernetes/main/apps/observability/kube-state-metrics/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/kube-state-metrics/app/helmrelease.yaml @@ -16,7 +16,6 @@ spec: name: prometheus-community namespace: flux-system values: - fullnameOverride: kube-state-metrics prometheus: monitor: enabled: true diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/main/apps/observability/kustomization.yaml index 227b850..cce7c31 100644 --- a/kubernetes/main/apps/observability/kustomization.yaml +++ b/kubernetes/main/apps/observability/kustomization.yaml @@ -5,7 +5,7 @@ resources: - ./namespace.yaml - ./prometheus-operator-crds/ks.yaml - ./kube-prometheus-stack/ks.yaml - - ./kube-state-metrics/ks.yaml + #- ./kube-state-metrics/ks.yaml - ./loki/ks.yaml - ./speedtest-exporter/ks.yaml - ./changedetection/ks.yaml