initial refactor

apps/baikal/deployment.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baikal
+  namespace: baikal
+spec:
+  selector:
+    matchLabels:
+      app: baikal
+  template:
+    metadata:
+      labels:
+        app: baikal
+    spec:
+      containers:
+        - name: baikal
+          image: ckulka/baikal:nginx
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          volumeMounts:
+            - mountPath: /var/www/baikal/config
+              name: config
+            - mountPath: /var/www/baikal/Specific
+              name: data
+      restartPolicy: Always
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: config
+        - name: data
+          persistentVolumeClaim:
+            claimName: data

apps/baikal/dns-endpoint.yaml

@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: baikal.michaelthomson.dev
+  namespace: baikal
+spec:
+  endpoints:
+  - dnsName: baikal.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"

apps/baikal/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: baikal
+  namespace: baikal
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: baikal.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: baikal
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - baikal.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/baikal/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: baikal

apps/baikal/pvc-config.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: config
+  namespace: baikal
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/baikal/pvc-data.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data
+  namespace: baikal
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/baikal/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: baikal
+  namespace: baikal
+spec:
+  selector:
+    app: baikal
+  ports:
+    - name: http
+      port: 80
+      targetPort: http

apps/calibre-web/config.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: calibre-web-config
+  namespace: calibre-web
+data:
+  PUID: "1000"
+  PGID: "1000"
+  TZ: "America/Toronto"
+  DOCKER_MODS: "linuxserver/mods:universal-calibre"

apps/calibre-web/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: calibre-web
+  namespace: calibre-web
+spec:
+  selector:
+    matchLabels:
+      app: calibre-web
+  template:
+    metadata:
+      labels:
+        app: calibre-web
+    spec:
+      containers:
+      - name: calibre-web
+        image: lscr.io/linuxserver/calibre-web:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: calibre-web-config
+            optional: false
+        ports:
+        - containerPort: 8083
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - mountPath: /books
+          name: data
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: calibre-web-config
+      - name: data
+        persistentVolumeClaim:
+          claimName: calibre-web-data

apps/calibre-web/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: calibre.michaelthomson.dev
+  namespace: calibre-web
+spec:
+  endpoints:
+  - dnsName: calibre.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/calibre-web/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: calibre-web
+  namespace: calibre-web
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: calibre.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: calibre-web
+            port:
+              name: http
+  tls:
+    - hosts:
+        - calibre.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/calibre-web/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: calibre-web

apps/calibre-web/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: calibre-web-config
+  namespace: calibre-web
+spec:
+  resources:
+    requests:
+      storage: 4Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/calibre-web/pvc-data.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: calibre-web-data
+  namespace: calibre-web
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 8Gi

apps/calibre-web/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: calibre-web
+  namespace: calibre-web
+spec:
+  selector:
+    app: calibre-web
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/gitea/admin-secret.yaml

@@ -0,0 +1,15 @@
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+  name: gitea-admin-secret
+  namespace: gitea
+  creationTimestamp:
+spec:
+  template:
+    metadata:
+      name: gitea-admin-secret
+      namespace: gitea
+      creationTimestamp:
+  encryptedData:
+    password: AgAajDLwVR0AFIKlQLIQU12BIKOu4qYIBIdhTJCPYrA5fj4yZZQBnAukYevTJYf76B0dYR6VzTg3uRVqHm1ve3iM73izGKR3Vab6EuWsXpS+JtqBzPuTuZCL0E+8Q+5JPacn/mOEhk97C1oUv4ZJJgPOPE88ySti+tN0T2UqUp2c1Umys4ZEuRQfESAmgwe08HV30XvkB5EZW68mjzwEry/tYKNLFnon2njNvm3/jObaWDjHeKl0pjFRoyKcTqZHgk92y+jU78ubDQlcsQiP8PRlcHKLxjEexguLYJzZGnTUVMCOMn64FN2H4mW2bBi0Apx/FsrNZQeHf1/WcLTci4ccObnhFi6kjrdZFBc/YBcXviyLrDw+CzUz1ZFSIdGxOHhJm09yJ2YmssuhxeLQ/Y8g6UUSSf2cwcAC4e7gl7EIAayod7wFQySTur7MCuKduV/e50l0OOLYHuB7DwEEhG0LONQ54FF3yrqUhOwn6C3qYPSB10ibbVFuiTreROosIpDoaZ/2TLkjcmHRiRRD7XxXusEjjvd6MH0dCrMc4NM9Dflrf3uZNuuY+tvpAr6bOnOFAN+k7+ttuskuwHmFiuy1UGkFwAs1zMcCStAYdv6+qtwi6+xIAih0XOLV43cQ3R+bZiT8yQZb3wj7oBW6rR6xJ9MpI1fexbedtJWJywfOzdCuopFV9JZWVlXurmPFoSVzEZ7CRvVvRlgS2p2PFsIzpytDW2lvlc9DwBtrrGw=
+    username: AgBtjjUFVdKLXE6/+MxXhBjRkUwqg1wAvw5Sl8W8FYYBLV56PzvSl8OqWPcpNwiquvYHZTdv2/vLyVEkk3YuhxYK5SGaIb8Ap4q8OJcdK5xFKKjLCx8kzkJ5Rwa11VfqWOTqwjgrSRgfjRI3Sc9xyrAMkQUgXbI3qdj5WfP6o6YDy6fK0Qm4bTD6F/+qj3xRkonWGY54268xdlHhzNR72Cqu4Wfl6BbiLafEU4U1mrxsSzJlno5LYyCC/g8WkkIrX3JrIYUt3wuTUheA/mhqCuLPH66iW6+lSyKoH2ruUn6p8i5uRltQNI8rYLxa3zdH7Ju3AXlUSv1FHv4zanCsG1SBaWrNsiKCAvEODB2IKGNENpkBkD7Uw51TvqZFoSZyyMbQIZLeCwcaRGtAPPGz2rKG7LcWIBpjy+J7dekmT0M1ObwbjyacluLmt/zw1FBL3JHPBv5RRBVGOmNFztmBobErRcBaOam9jg3SBAdOJfDuAcWOE68CKAUcRJ6wR+dqoP5zOwYtmFva7YRb35gO5XmwbNuCKlsR7ZOl3323aJ3Ill1A329XcPgsB2YmlXXHN9xAtsodDRKnT+t2pxVk1DtRWh+M8Ixy+QlYzhQBdb878G/ZKb5PI67S1RcGU7DROld/9bQBYfIxa2+F3JC+IjUJFVRrHn87BbE16OCPKgOaq+P3n0R8jwwcDDEwSssjVrC3VvcelBsj3aOUvg==

apps/gitea/dns-endpoint.yaml

@@ -0,0 +1,16 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: gitea.michaelthomson.dev
+  namespace: gitea
+spec:
+  endpoints:
+  - dnsName: gitea.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "false"
+

apps/gitea/mailer-config-secret.yaml

@@ -0,0 +1,22 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "gitea-mailer-config-secret",
+    "namespace": "gitea",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "gitea-mailer-config-secret",
+        "namespace": "gitea",
+        "creationTimestamp": null
+      },
+      "type": "Opaque"
+    },
+    "encryptedData": {
+      "mailer": "AgDViQgjYRiW3AjnwQZWKauZKoSMmf/LqaOiAZTE1yxULaIE3quXZjm6vkZTtvYqT2eDkKe20O5iTDyBdsO3+29LRnnOm6kF/y4cZ/JOiWfh6nJ0hx6g+MybG3rq4GcWQj7C5OQCi97ctHYemDaWoNKkjwSvNpt+pKcEaBgaqyWQ1knLxP8BaPg51R8CnIe5opn7+AsQwiwi9JX4ucrU46QqLVTg3KT+CobRlEFqtU3jd2CQuj1CN4Y/XgtQFHh3hLB+c05HV6sd0xwo9zMKUSQe2k++5Z5esGj4Hu25UXn36iwmJCfueMor2Y0yOBndPNNviRMMgKjE383retjL1o6n8HkIo5YTrKd18EyuQcq/EdhA8kb3uKX4N1EtOrFLlMGAUKliV42e+3w3IfXtFC9bvTpHivmKIQwZSlPQbF1SVFIbhiBdvNClYJpR61P7ZS6h0D57Tf3vmRpKTSlrHH01sbaKDd9+/kVGUQ0Lk4XRXK0JyTJkNDIiEBuiBB3H/GEZ27k4heBFav6w06gp3zhoOhmhq4XJcFWcselOJeY5cqSUzhLx440zMwwPWvEDH+/nrbhanx6KGFU5Lm6qX7tMn54+P4Ch/vAcnPs/0sXNx0xleGsRVEis+2/EmbdSDwe42+orKxbpQU1bEj7Rqtwiwk4VsTKXgPfzKXcgMMXo+4vvP4t8rCRo1hMkx1EXhKascwntdOb1Nz52QZvij02eNiQhDA2exuG8Room1Ox9Sb4="
+    }
+  }
+}

apps/gitea/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

apps/gitea/release.yaml

@@ -0,0 +1,95 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  chart:
+    spec:
+      chart: gitea
+      version: 11.x
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+  interval: 15m
+  timeout: 5m
+  releaseName: gitea
+  values:
+    global:
+      storageClass: longhorn
+
+    replicaCount: 1
+
+    service:
+      ssh:
+        type: LoadBalancer
+        port: 2222
+        clusterIP:
+        annotations:
+          metallb.universe.tf/loadBalancerIPs: 192.168.2.248
+
+    ingress:
+      enabled: true
+      className: traefik
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: gitea.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - gitea.michaelthomson.dev
+          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+
+    persistence:
+      claimName: gitea-shared-storage
+      size: 10Gi
+      storageClass: longhorn
+
+    gitea:
+      config:
+        server:
+          SSH_PORT: 2222
+        service:
+          DISABLE_REGISTRATION: true
+          REGISTER_EMAIL_CONFIRM: true
+          ENABLE_NOTIFY_MAIL: true
+        webhook:
+          ALLOWED_HOST_LIST: external,loopback,private
+        mailer:
+          ENABLED: true
+          FROM: gitea@michaelthomson.dev
+          PROTOCOL: smtps
+          SMTP_ADDR: mail.michaelthomson.dev
+          SMTP_PORT: 465
+          USER: gitea@michaelthomson.dev
+      admin:
+        existingSecret: gitea-admin-secret
+        email: "gitea@michaelthomson.dev"
+      additionalConfigSources:
+        - secret:
+            secretName: gitea-mailer-config-secret
+
+    redis-cluster:
+      enabled: false
+
+    postgresql-ha:
+      enabled: false
+
+    postgresql:
+      enabled: true
+      global:
+        postgresql:
+          auth:
+            password: gitea
+            database: gitea
+            username: gitea
+          service:
+            ports:
+              postgresql: 5432
+      primary:
+        persistence:
+          size: 10Gi

apps/gitea/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  interval: 15m
+  url: https://dl.gitea.io/charts

apps/hoarder/chrome-deployment.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: chrome
+  namespace: hoarder
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: chrome
+  template:
+    metadata:
+      labels:
+        app: chrome
+    spec:
+      containers:
+        - name: chrome
+          image: gcr.io/zenika-hub/alpine-chrome:123
+          command:
+            - chromium-browser
+            - --headless
+            - --no-sandbox
+            - --disable-gpu
+            - --disable-dev-shm-usage
+            - --remote-debugging-address=0.0.0.0
+            - --remote-debugging-port=9222
+            - --hide-scrollbars

apps/hoarder/chrome-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: chrome
+  namespace: hoarder
+spec:
+  selector:
+    app: chrome
+  ports:
+    - protocol: TCP
+      port: 9222
+      targetPort: 9222
+  type: ClusterIP

apps/hoarder/data-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data-pvc
+  namespace: hoarder
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/hoarder/dns-endpoint.yaml

@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: hoarder.michaelthomson.dev
+  namespace: hoarder
+spec:
+  endpoints:
+  - dnsName: hoarder.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"

apps/hoarder/hoarder-secrets.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: hoarder-secrets
+  namespace: hoarder
+spec:
+  encryptedData:
+    MEILI_MASTER_KEY: AgCHcsgG2eNFA8M//KlFEXsD8v+kh9MWiIPr/vWBXqOtoyCoA5vTcrWdQvnmO+ic93kiBy2sTRa2thR2UQd9h3GnC4+MkTGZDLmbiArlE6HltuSWUnqaZESop8NBu8p3mFJ3kX8sLA3RzEZrj4/rmFT3CFym5v6vXjXxGaaT2C0VjsCxeOnGjcEyfm4gaptNP14v43bRRsxZtLo1F/pI1vkMPMbcQPsGXuiIkOxbaMAgGdlybMX1q7ZWWdXEHb/o+RDN2D2c9GJeZDgk/znT1A8IwfAUue1BpF2VamtFxoX2aI2w0xjGeJ7ffUOS3VzuBSAITsw4lb+7gCmC7FByqjxCmoiBI3L20XcFoWMmvNFKqsOPDVduNCJeYAZQHSNfC0SxGIu1tUw1T66NijsItDPH5vjH6BGvWyS3E+YMkxEHMV6ZJWkk3+S0gMRURSEo3Dr/MCby2x6MPbaKFB06u2Vyr0XWRUAXlphzndO0Ibt9P/KVldNX+ZueVxoZkxt+PiJqhWb6ZT8s0VBPmWleufbyjkZoa00KVM4/IGrSBJdLboGGmHU1p1EZGzpMEexCp/G0iEuNqkLJo8cCRxrHH6zsVunIpXnTYg+6Ob032+LDGGG2jKGKsjAlKKod/TIpL15poZZoVIv57IkLYd6bYASDQ9M4NpSJ3gyyIe+jICHBGFQ4t/mBfzlfy4fpjpFRxGNOQhr6TNBIgda9QI17OTkNDyace9Ltqu6CUIDvgOUYUH/gTBfYFtSk0NZWPJdJ+aA=
+    NEXT_PUBLIC_SECRET: AgB3LRSR+Y/VbTXIHpqlMUR1ec3LXdsghJ8vmMGEB+674W+x36ciekTkv8fGPj+XJXnXgPqCMrAr/Wd6ExrkW/nI2ZxDvbYLQ4POW34b5vF8IV0KD2kARUz5UGmVJOsCRSdlqqEsED72U2Cotw8voYOpEk7GfWZPTAyg6iv6pJyIa3gXEtdKV4k8XOQmMvdAui/0iAoTOeMpP6Qe2hGqCvSCtrsw+aj+ptUlQkP9pOQW6Uo/XMebwwZVSkgFOr6pEPhr70qMbi31ERR1at/vNYArQy8PXmUxJGsRF5KgjD+Nq6rrZPXJFjEk6qx+MAcysJ6rCJeYiCmZMZHabZ9CrhFTVdwtSO2su6B19hXS7fACzIrFNr5Z23NAn6+SoDodXo+Bqa+1ldHFzZl9ve0eoHEB8sG1qVvA5wWMtPm4D2mxd0UTlK0/EqY1jP+EvWNC05v/uD4toIEX3HEZCqdPqghmWxwq8qCm3ZpYvmxQwZxWHZdpxIen262vMZ6s5yZVC/n/v2EVmswqllUBvBCHq6WBBZqF5tgYBsuwy4qf976HMGvXXVx/WcE92eA3iT1olUnFJ7I4Isdp28tFl8jv5JLHJJozzWI91iwPUAwT5xFXi/2Jtk9Oe7QNjsEpYqnxxbogbMS6UZL4TJ1QNsyY29iue+E9q2Eck9Btb8xDtpSH2FNKNo/3FNcbe6hNXdwEbqoGIcNPZNNGDMOFVq6EeTmyxxR3CZYahHt65BXO0K/Smv8n4NSwI0e5T7Hn4S5o8JM=
+    NEXTAUTH_SECRET: AgChzv5iFZC4pFksnh7blvLWRn/2VsCqjOqkRnFQFTApAKf6CyfUgkFy5yBgbwqtS4oak6jtadtVZQuiWXrY2bIRvROwL4AEqGvteUhURSL7Hy/3oRd6BoBiT/zoiTkBmZRBG1LsI6KjCWXvjKAQGsoJ6sPQOGVGZ2eb57ne51op7xrhAyWbCuuy5tw237Qb/DnTgqeIQ4SmgTytLd5jO6nZ1yhzpmUW6ynu8TLy3ar3vIecc7IQkS7mmnXJgGilUrNUkdNjFdxkALBPah4a0qgwaRrZVh0MLa4Kvud5iYEC6Y5YFxZ2/6pH/OA0+aEw4gWdENyxDRVmxkwHpN22Ya1svvEI1V3RD7RQFA4psLClly3bJDpE96NIS0gSbpGzo2xszf3iKX5U5WjnGEODg9udQ+/RZvluU1NjwkPP5wFpAZU1YC5w2OUtZH/tQQ0Lumn1YsgXeH/oEtXfMgSTWD0Yoxwv7r+bFPb03OUllTG8AFVrP0Uigz9sl/td1u9zvrPFQMNPITSUOFrMbnVA0riKVGqFkkfxSp93lRpKHx7sA7LWyrZfYdcEGsaxMdBWGUcuv4OCtCHQhuyuxkJc7/Dygg3roxPyaehU/j5fY962qnRtv2Okmpf1Lm9VvuB83+ZhnJJNFgWVh6rPUgA+v0rVKOpzSYHpP878EMf3wz08wghhFmhlBSimAftMa8B9zSBkzlqfm6ByrtUNsKSuPE3k1H4YjusxRKFu4DXgo0eiZWmVQWb+YzhS4/zp5aJU3lA=
+    OPENAI_API_KEY: AgDISqGkHBSMNAmZa5uXoE2DAPy0FbxoZB1ngYRVGbQWN6LxW/3u+O+qtggo1qd+yaPTXJTi5DST22CNLZfk+pdYtMsTb3lQrEM0BkiACDsppOah9pz675xdZrAZG1+BlwGDfyRyKmww6t12D01MEl5g5dgXSA5ZHzPkhR4BySWzbVTN5oF3Yj/7twDkE8ignpdD0lIzPEqoOjdgeQ7g1cUAOTjbj9Q46S75kIaXhzIRnForZi3wbnhFn8pzcuNMERYfxms4u2x5cfUHyRTjblsS7KRIN2ymtsVauCdpmbe6bf3q7WCZ1XE7HcHdDpDK5N0kZRSHVMQUTp3kGripMiBb5aAfYOQBm+6Rjd0OE49dwEfgOV/zecOPZeTp70xwS3RhjioJlVRzHUIYZ9PRjt0gLqEULAQzF8E0FoQcwcjCxtEqTwLHNcVJ3xUBrt/Oq4yTgKspuu+Mb45UUlxyfZUaXrMZp73OE5qFVeUUjGRze6iQ2Hd5znOWH7BUqN+esEzqIyzhhREBSdyKmGdV33eYLcFrnaQkClilf5xeIbKjfA3QLl/3gtdteU3IiYd0PPNXPQr7aYK1buDsLExDo1M9tZM19eypLphStnOtXxtdHFua0jit6Cr7tVFRSF1gJYmtrLpcK5q5bnAt1KCZ2DBQCMgSQhOd1v9t0DQB7dbqgm5+44OJRZDOyhgE03qG57tdsTgr6ufL3Q+wfbo60VVl6JnR+MqgDbTrXvwzWyt5junDDL/FI/MLE9HAH7y5UDCyoHALEAhecE6FF+H34g5NHxQKxHTb6Id5uBdGcSTPDmJO+hwHwTvvSQUQPknGQzFURRw9cLTk+IeTjCfrQE1mIYnk9M5aa0CHWSALB8eXovWUiY1o7A3WYZkIFIz4+bcIws1ihd0M/vGr/cnczDZR5WeIqg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: hoarder-secrets
+      namespace: hoarder

apps/hoarder/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hoarder-web-ingress
+  namespace: hoarder
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: "hoarder.michaelthomson.dev"
+    http:
+      paths:
+      - path: "/"
+        pathType: Prefix
+        backend:
+          service:
+            name: "web"
+            port:
+              number: 3000
+  tls:
+    - hosts:
+        - hoarder.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/hoarder/meilisearch-deployment.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: meilisearch
+  namespace: hoarder
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: meilisearch
+  template:
+    metadata:
+      labels:
+        app: meilisearch
+    spec:
+      containers:
+        - name: meilisearch
+          image: getmeili/meilisearch:v1.11.1
+          env:
+            - name: MEILI_NO_ANALYTICS
+              value: "true"
+          volumeMounts:
+            - mountPath: /meili_data
+              name: meilisearch
+          envFrom:
+            - secretRef:
+                name: hoarder-secrets
+      volumes:
+        - name: meilisearch
+          persistentVolumeClaim:
+            claimName: meilisearch-pvc

apps/hoarder/meilisearch-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: meilisearch-pvc
+  namespace: hoarder
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps/hoarder/meilisearch-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: meilisearch
+  namespace: hoarder
+spec:
+  selector:
+    app: meilisearch
+  ports:
+    - protocol: TCP
+      port: 7700
+      targetPort: 7700

apps/hoarder/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hoarder

apps/hoarder/web-deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  namespace: hoarder
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hoarder-web
+  template:
+    metadata:
+      labels:
+        app: hoarder-web
+    spec:
+      containers:
+        - name: web
+          image: ghcr.io/hoarder-app/hoarder:release
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 3000
+          env:
+            - name: MEILI_ADDR
+              value: http://meilisearch:7700
+            - name: BROWSER_WEB_URL
+              value: http://chrome:9222
+            - name: DATA_DIR
+              value: /data
+            - name: DISABLE_SIGNUPS
+              value: "true"
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          envFrom:
+            - secretRef:
+                name: hoarder-secrets
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: data-pvc

apps/hoarder/web-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+  namespace: hoarder
+spec:
+  selector:
+    app: hoarder-web
+  ports:
+    - protocol: TCP
+      port: 3000
+      targetPort: 3000
+  type: ClusterIP

apps/homeassistant/deployment.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+spec:
+  selector:
+    matchLabels:
+      app: homeassistant
+  template:
+    metadata:
+      labels:
+        app: homeassistant
+    spec:
+      nodeName: patrick
+      containers:
+      - name: homeassistant
+        image: lscr.io/linuxserver/homeassistant:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: homeassistant-config
+            optional: false
+        ports:
+        - containerPort: 8123
+          name: http
+          protocol: TCP
+          # hostPort: 8123
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - name: dev-serial
+          mountPath: /dev/serial
+        securityContext:
+          privileged: true
+          capabilities:
+            add:
+              - NET_ADMIN
+              - NET_RAW
+        # hostNetwork: true
+      - name: whisper
+        image: lscr.io/linuxserver/faster-whisper:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: whisper-config
+            optional: false
+        ports:
+        - containerPort: 10300
+      - name: piper
+        image: lscr.io/linuxserver/piper:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: piper-config
+            optional: false
+        ports:
+        - containerPort: 10200
+      - name: openwakeword
+        image: rhasspy/wyoming-openwakeword
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 10400
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: homeassistant-config
+      - name: dev-serial
+        hostPath:
+          path: /dev/serial

apps/homeassistant/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: ha.michaelthomson.dev
+  namespace: homeassistant
+spec:
+  endpoints:
+  - dnsName: ha.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/homeassistant/homeassistant-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: homeassistant-config
+  namespace: homeassistant
+data:
+  TZ: "America/Toronto"
+  PUID: "1000"
+  PGID: "1000"

apps/homeassistant/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: ha.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: homeassistant
+            port:
+              name: http
+  tls:
+    - hosts:
+        - ha.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/homeassistant/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: homeassistant

apps/homeassistant/piper-config.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: piper-config
+  namespace: homeassistant
+data:
+  TZ: "America/Toronto"
+  PUID: "1000"
+  PGID: "1000"
+  PIPER_VOICE: "en_US-lessac-medium"

apps/homeassistant/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: homeassistant-config
+  namespace: homeassistant
+spec:
+  resources:
+    requests:
+      storage: 8Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/homeassistant/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: homeassistant
+  namespace: homeassistant
+spec:
+  selector:
+    app: homeassistant
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/homeassistant/whisper-config.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: whisper-config
+  namespace: homeassistant
+data:
+  TZ: "America/Toronto"
+  PUID: "1000"
+  PGID: "1000"
+  WHISPER_MODEL: "base"
+  WHISPER_LANG: "en"

apps/immich/cluster.yaml

@@ -0,0 +1,32 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgres
+  namespace: immich
+spec:
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.3.0
+  instances: 1
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  managed:
+    roles:
+      - name: immich
+        superuser: true
+        login: true
+
+  bootstrap:
+    initdb:
+      database: immich
+      owner: immich
+      secret:
+        name: immich-postgres-user
+      postInitSQL:
+        - CREATE EXTENSION IF NOT EXISTS "vchord" CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS "earthdistance" CASCADE;
+
+  storage:
+    size: 8Gi
+    storageClass: longhorn

apps/immich/dns-endpoint.yaml

@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: immich.michaelthomson.dev
+  namespace: immich
+spec:
+  endpoints:
+  - dnsName: immich.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"

apps/immich/immich-postgres-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: immich-postgres-user
+  namespace: immich
+type: Opaque
+stringData:
+  username: immich
+  password: immich

apps/immich/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: immich

apps/immich/pvc-data.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-data
+  namespace: immich
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-client
+  resources:
+    requests:
+      storage: 1Ti

apps/immich/release.yaml

@@ -0,0 +1,52 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  chart:
+    spec:
+      chart: immich
+      version: 0.x
+      sourceRef:
+        kind: HelmRepository
+        name: immich
+  interval: 15m
+  timeout: 5m
+  releaseName: immich
+  values:
+    env:
+      DB_HOSTNAME: "immich-postgres-rw"
+      DB_USERNAME: "immich"
+      DB_DATABASE_NAME: "immich"
+      DB_PASSWORD: "immich"
+    image:
+      tag: v1.134.0
+
+    immich:
+      persistence:
+        library:
+          existingClaim: immich-data
+
+    redis:
+      enabled: true
+
+    server:
+      enabled: true
+      ingress:
+        main:
+          enabled: true
+          annotations:
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+            traefik.ingress.kubernetes.io/router.tls: "true"
+          hosts:
+            - host: immich.michaelthomson.dev
+              paths:
+                - path: "/"
+          tls:
+            - hosts:
+                - immich.michaelthomson.dev
+              secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+
+    machine-learning:
+      enabled: true

apps/immich/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  interval: 15m
+  url: https://immich-app.github.io/immich-charts

apps/kube-prometheus-stack/dns-endpoint-grafana.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: grafana.michaelthomson.dev
+  namespace: kube-prometheus-stack
+spec:
+  endpoints:
+  - dnsName: grafana.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/kube-prometheus-stack/dns-endpoint-prometheus.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: prometheus.michaelthomson.dev
+  namespace: kube-prometheus-stack
+spec:
+  endpoints:
+  - dnsName: prometheus.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/kube-prometheus-stack/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-prometheus-stack

apps/kube-prometheus-stack/release.yaml

@@ -0,0 +1,43 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: kube-prometheus-stack
+  namespace: kube-prometheus-stack
+spec:
+  chart:
+    spec:
+      chart: kube-prometheus-stack
+      version: 63.x
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-community
+  interval: 15m
+  timeout: 5m
+  releaseName: kube-prometheus-stack
+  values:
+    grafana:
+      ingress:
+        enabled: true
+        annotations:
+          traefik.ingress.kubernetes.io/router.tls: "true"
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+        - grafana.michaelthomson.dev
+        path: /
+        tls:
+          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+            hosts:
+              - grafana.michaelthomson.dev
+    prometheus:
+      ingress:
+        enabled: true
+        annotations:
+          traefik.ingress.kubernetes.io/router.tls: "true"
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+        - prometheus.michaelthomson.dev
+        path: /
+        tls:
+          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+            hosts:
+              - prometheus.michaelthomson.dev

apps/kube-prometheus-stack/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: prometheus-community
+  namespace: kube-prometheus-stack
+spec:
+  interval: 15m
+  url: https://prometheus-community.github.io/helm-charts

apps/media/bazarr/config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bazarr-config
+  namespace: media
+data:
+  PUID: "1000"
+  PGID: "1000"

apps/media/bazarr/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bazarr
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: bazarr
+  template:
+    metadata:
+      labels:
+        app: bazarr
+    spec:
+      containers:
+      - name: bazarr
+        image: lscr.io/linuxserver/bazarr:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: bazarr-config
+            optional: false
+        ports:
+        - containerPort: 6767
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: bazarr-config
+      - name: data
+        persistentVolumeClaim:
+          claimName: media-data

apps/media/bazarr/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: bazarr.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: bazarr.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/media/bazarr/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bazarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
+spec:
+  rules:
+  - host: bazarr.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: bazarr
+            port:
+              name: http
+  tls:
+    - hosts:
+        - bazarr.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/bazarr/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/bazarr/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bazarr
+  namespace: media
+spec:
+  selector:
+    app: bazarr
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/media/jellyfin/config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jellyfin-config
+  namespace: media
+data:
+  NVIDIA_VISIBLE_DEVICES: all
+  NVIDIA_DRIVER_CAPABILITIES: all

apps/media/jellyfin/deployment.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: jellyfin
+  template:
+    metadata:
+      labels:
+        app: jellyfin
+    spec:
+      runtimeClassName: nvidia
+      containers:
+      - name: jellyfin
+        image: lscr.io/linuxserver/jellyfin:latest
+        imagePullPolicy: Always
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 8096
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - mountPath: /data/media
+          name: data
+          subPath: media
+        # - name: dev-dri
+        #   mountPath: /dev/dri
+        env:
+        - name: NVIDIA_VISIBLE_DEVICES
+          value: all
+        - name: NVIDIA_DRIVER_CAPABILITIES
+          value: all
+        resources:
+          limits:
+            nvidia.com/gpu: 1
+      volumes:
+      - name: config
+        persistentVolumeClaim: 
+          claimName: jellyfin-config
+      - name: data
+        persistentVolumeClaim: 
+          claimName: media-data
+      # - name: dev-dri
+      #   hostPath:
+      #     path: /dev/dri

apps/media/jellyfin/dns-endpoint-public.yaml

@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: jellyfin.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: jellyfin.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"

apps/media/jellyfin/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyfin
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: jellyfin.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: jellyfin
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - jellyfin.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/jellyfin/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 60Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/jellyfin/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  selector:
+    app: jellyfin
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/media/jellyseerr/config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jellyseerr-config
+  namespace: media
+data:
+  PUID: "1000"
+  PGID: "1000"
+  LOG_LEVEL: "debug"

apps/media/jellyseerr/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyseerr
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: jellyseerr
+  template:
+    metadata:
+      labels:
+        app: jellyseerr
+    spec:
+      containers:
+      - name: jellyseerr
+        image: fallenbagel/jellyseerr:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: jellyseerr-config
+            optional: false
+        ports:
+        - containerPort: 5055
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /app/config
+      volumes:
+      - name: config
+        persistentVolumeClaim: 
+          claimName: jellyseerr-config

apps/media/jellyseerr/dns-endpoint.yaml

@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: jellyseerr.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: jellyseerr.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"

apps/media/jellyseerr/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyseerr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: jellyseerr.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: jellyseerr
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - jellyseerr.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/jellyseerr/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyseerr-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/jellyseerr/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyseerr
+  namespace: media
+spec:
+  selector:
+    app: jellyseerr
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/media/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: media

apps/media/prowlarr/deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prowlarr
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: prowlarr
+  template:
+    metadata:
+      labels:
+        app: prowlarr
+    spec:
+      containers:
+      - name: prowlarr
+        image: lscr.io/linuxserver/prowlarr:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9696
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: prowlarr-config

apps/media/prowlarr/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: prowlarr.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: prowlarr.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/media/prowlarr/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: prowlarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
+spec:
+  rules:
+  - host: prowlarr.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: prowlarr
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - prowlarr.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/prowlarr/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prowlarr-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/prowlarr/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: prowlarr
+  namespace: media
+spec:
+  selector:
+    app: prowlarr
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/media/pvc-data.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: media-data
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: nfs-client
+  resources:
+    requests:
+      storage: 5Ti

apps/media/qbittorrent/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrent
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: qbittorrent
+  template:
+    metadata:
+      labels:
+        app: qbittorrent
+    spec:
+      securityContext:
+        sysctls:
+        - name: net.ipv4.conf.all.src_valid_mark
+          value: "1"
+      containers:
+      - name: qbittorrent
+        image: lscr.io/linuxserver/qbittorrent:libtorrentv1
+        envFrom:
+        - configMapRef:
+            name: qbittorrent-config
+            optional: false
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: qbittorrent-config
+          mountPath: /config
+        - name: data
+          mountPath: /data/downloads
+          subPath: downloads
+      - name: wireguard
+        image: lscr.io/linuxserver/wireguard:latest
+        envFrom:
+        - configMapRef:
+            name: wireguard-config
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        volumeMounts:
+        - name: wireguard-config-secret
+          mountPath: /config/wg_confs
+        - name: wireguard-config
+          mountPath: /config
+        - name: natpmp-script
+          mountPath: /custom-services.d/natpmp.sh
+          subPath: natpmp.sh
+          readOnly: true
+      volumes:
+      - name: qbittorrent-config
+        persistentVolumeClaim:
+          claimName: qbittorrent-config
+      - name: data
+        persistentVolumeClaim:
+          claimName: media-data
+      - name: wireguard-config
+        persistentVolumeClaim:
+          claimName: wireguard-config
+      - name: wireguard-config-secret
+        secret:
+          secretName: wireguard-config-secret
+      - name: natpmp-script
+        configMap:
+          name: natpmp-script

apps/media/qbittorrent/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: qbittorrent.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: qbittorrent.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/media/qbittorrent/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrent
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: qbittorrent.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: qbittorrent
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - qbittorrent.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/qbittorrent/natpmp-script.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+data:
+  natpmp.sh: |
+    #!/bin/sh
+
+    while true; do
+        date
+
+        natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 > /tmp/natpmpc_output || {
+            echo -e "ERROR with natpmpc command \a"
+            break
+        }
+
+        port=$(grep 'TCP' /tmp/natpmpc_output | grep -o 'Mapped public port [0-9]*' | awk '{print $4}')
+        currentPort=$(curl -XGET 'http://127.0.0.1:8080/api/v2/app/preferences' | jq '.listen_port')
+
+        echo "Opened port: $port"
+        echo "Current port: $currentPort"
+        if [ "$currentPort" != "$port" ]; then
+            echo "Current port is different. Changing from $currentPort to $port"
+            code=$(curl --write-out '%{http_code}' --silent --output /dev/null -XPOST -d "json={\"listen_port\":$port}" "http://127.0.0.1:8080/api/v2/app/setPreferences")
+
+            if [ "$code" != "200" ]; then
+                echo "ERROR: port change failed with status code $code"
+            else
+                echo "Port changed to $port successfully"
+            fi
+        fi
+        sleep 45
+    done
+kind: ConfigMap
+metadata:
+  creationTimestamp: null
+  name: natpmp-script
+  namespace: media

apps/media/qbittorrent/pvc-qbittorrent-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrent-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/qbittorrent/pvc-wireguard-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wireguard-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/qbittorrent/qbittorrent-config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: qbittorrent-config
+  namespace: media
+data:
+  PUID: "1000"
+  PGID: "1000"

apps/media/qbittorrent/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrent
+  namespace: media
+spec:
+  selector:
+    app: qbittorrent
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/media/qbittorrent/wireguard-config-secret.yaml

@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "wireguard-config-secret",
+    "namespace": "media",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "wireguard-config-secret",
+        "namespace": "media",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "wg0.conf": "AgClUxLYCyjV/nHiKlwxkOiGXNIRFe8hRi/6uRJZsyXf5PcUe2bh8ubCPEg+7wmF5r/ZDMbfQnJHwzHFu4fSdSXNbJELMVO4kjyFPsH3f5N2iSBzxBaEeARGHd4ijOsOJvevpw5UW+R+aWnGpY+L09Rcbla5Ak/xRgTfCLaHn+AFC7G5FigvxLLXuJZRYPWvrUSK2P3ZQLc4xGjRHD3xDCrb5gjrzdt3ZqyaMqpufdQRaMnsqY1BqHzqHR11l5MhwK7jb/Ge+aNgRckheKqwlCL2aebSciFzdzr0Ve4oJN0neNiK7P8r0BjRSnHfeyhzmed8DwcTej1xJFt/mX+h8XrUS0i7ioPaUc/t159bPdjZuXdGFPtTGg66nUzKeLm1DOyB+sn80d5M9X4rDe5Poyyff56XxtLd1XCDuuPL9YZDTuETupaLm+57hsnHYIoCe7rmTg0pH5iZzO3p+pwplZMIB/VCDKM1HW6b91Yn1CqGOHfNM3qrrxgppz97G1568cDII+W5F5MZXPCb8ENZGzjm6FVDrHrLiYqAP+j6lTNN0WqNclnsLlcyckzXNpickdMeDRU/rnzNrpT1VDRgaCuU2vnZ91bh9ZcUBfm0aWcNl9wves8FHH+yt4YzKLVXG8Sm4sYRkeqEmrMUwrXbcG0l+b0tunT2QOZHNf5lUgHPjoyfp8ynpFrEsrZF9FH7/tB2Z6whbjYo1LDGunQ0aBCqfx2n4xNAb9urfh/fTxjT28PCGzYp9snCtmfGPcvCtkBy9cJeDiX4AE9PZsFTUzRjZUqRqKg+6QK4fZHkxYzpuzgH3cAsgG97RIcllNLA4fhN66SIAXjSrfVg8XYwXgHeyoRpcwhJ7WhiOaFSCccbXxEUVgzJ7O8KpCpbQlaYWbXbtpptAkBbNzPJ9kF+baOgD6SxbgFdc9V+oSM8sX/FubfK8Spm9fqu0slQaygvZX1ote67WWNK2uy8W82hymYS96g2FWghFnSbYEgrDUO8ASF4zhtPWyTWr45+Ba4WfQ3hZApTW5jJczjAn7w95ySt4gHFRxVmvbV8topVz8jO2V8t//OuRaQMpBLYjQVSGo60vuWIxFcgKqb2UxXiEqRWxhDWkjHx9RX9pCR9St0p6u/WL8Iwemq5a7RIedHQkuKmorOP100zCp4njsuRfN+kodtk0PjtZNJaVdbAVn9TYyY="
+    }
+  }
+}

apps/media/qbittorrent/wireguard-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: wireguard-config
+  namespace: media
+data:
+  PUID: "1000"
+  GUID: "1000"
+  TZ: America/Toronto
+  DOCKER_MODS: linuxserver/mods:universal-package-install
+  INSTALL_PACKAGES: libnatpmp|jq
+  # DOCKER_MODS: ghcr.io/fusetim/external_natpmp_qbittorrent:ecf567b21e5f079762e36c9cee9afaf86fcb22be

apps/media/radarr/config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: radarr-config
+  namespace: media
+data:
+  PUID: "1000"
+  PGID: "1000"

apps/media/radarr/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+    spec:
+      containers:
+      - name: radarr
+        image: lscr.io/linuxserver/radarr:latest
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: radarr-config
+            optional: false
+        ports:
+        - containerPort: 7878
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: config
+        persistentVolumeClaim: 
+          claimName: radarr-config
+      - name: data
+        persistentVolumeClaim: 
+          claimName: media-data
+            
+          

apps/media/radarr/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: radarr.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: radarr.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/media/radarr/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
+spec:
+  rules:
+  - host: radarr.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: radarr
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - radarr.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/radarr/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: radarr-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

apps/media/radarr/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+  namespace: media
+spec:
+  selector:
+    app: radarr
+  ports:
+  - port: 80
+    targetPort: http
+    name: http

apps/media/readarr/config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: readarr-config
+  namespace: media
+data:
+  PUID: "1000"
+  PGID: "1000"

apps/media/readarr/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: readarr
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: readarr
+  template:
+    metadata:
+      labels:
+        app: readarr
+    spec:
+      containers:
+      - name: readarr
+        image: lscr.io/linuxserver/readarr:nightly
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: readarr-config
+            optional: false
+        ports:
+        - containerPort: 8787
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: config
+        persistentVolumeClaim: 
+          claimName: readarr-config
+      - name: data
+        persistentVolumeClaim: 
+          claimName: media-data
+            
+          

apps/media/readarr/dns-endpoint.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: readarr.michaelthomson.dev
+  namespace: media
+spec:
+  endpoints:
+  - dnsName: readarr.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

apps/media/readarr/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: readarr
+  namespace: media
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: readarr.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: readarr
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - readarr.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

apps/media/readarr/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: readarr-config
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce