From 579c2a386583e24a2e85954882cabd782a9e16f9 Mon Sep 17 00:00:00 2001
From: Willian Paixao
Date: Thu, 9 May 2024 15:20:46 +0200
Subject: [PATCH] feat: install qbittorrent
---
 .../apps/media/jellyfin/app/helmrelease.yaml | 18 ++-
 kubernetes/apps/media/kustomization.yaml | 1 +
 .../media/qbittorrent/app/helmrelease.yaml | 125 ++++++++++++++++++
 .../media/qbittorrent/app/kustomization.yaml | 6 +
 .../app/qbittorrent-secret.sops.yaml | 29 ++++
 kubernetes/apps/media/qbittorrent/ks.yaml | 21 +++
 .../apps/media/radarr/app/helmrelease.yaml | 11 +-
 7 files changed, 200 insertions(+), 11 deletions(-)
 create mode 100644 kubernetes/apps/media/qbittorrent/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/media/qbittorrent/app/kustomization.yaml
 create mode 100644 kubernetes/apps/media/qbittorrent/app/qbittorrent-secret.sops.yaml
 create mode 100644 kubernetes/apps/media/qbittorrent/ks.yaml
diff --git a/kubernetes/apps/media/jellyfin/app/helmrelease.yaml b/kubernetes/apps/media/jellyfin/app/helmrelease.yaml
index ca853f85..0d2c25eb 100644
--- a/kubernetes/apps/media/jellyfin/app/helmrelease.yaml
+++ b/kubernetes/apps/media/jellyfin/app/helmrelease.yaml
@@ -1,21 +1,21 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.1.0/charts/other/app-template/values.schema.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
 name: &app jellyfin
 namespace: &namespace media
 spec:
- interval: 15m
+ interval: 30m
 chart:
 spec:
 chart: app-template
+ interval: 30m
 version: 3.1.0
 sourceRef:
 kind: HelmRepository
 name: bjw-s
 namespace: flux-system
- interval: 15m
 install:
 remediation:
 retries: 3
@@ -29,13 +29,11 @@ spec:
 jellyfin:
 pod:
 securityContext:
- runAsUser: 568
- runAsGroup: 568
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
- supplementalGroups:
- - 44
- - 109
+ runAsUser: 2000
+ runAsGroup: 2000
+ runAsNonRoot: true
+ fsGroup: 2000
+ fsGroupChangePolicy: "OnRootMismatch"
 containers:
 main:
 image:
diff --git a/kubernetes/apps/media/kustomization.yaml b/kubernetes/apps/media/kustomization.yaml
index 97e69df8..685e21e6 100644
--- a/kubernetes/apps/media/kustomization.yaml
+++ b/kubernetes/apps/media/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - ./namespace.yaml
 - ./jellyfin/ks.yaml
 - ./prowlarr/ks.yaml
+ - ./qbittorrent/ks.yaml
 - ./radarr/ks.yaml
diff --git a/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml
new file mode 100644
index 00000000..4a7c0005
--- /dev/null
+++ b/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml
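Review bot: The pod `securityContext` in the `@@ -29,13 +29,11 @@` hunk drops `supplementalGroups` 44 and 109 and moves the UID/GID from 568 to 2000 with no explanation in the file or in the commit, whose subject only mentions qbittorrent. If those groups granted access to host devices or to files on existing volumes, the pod loses that access. With `fsGroupChangePolicy: "OnRootMismatch"`, data previously written as 568 is re-grouped only when the volume root does not already match, and presumably not at all on NFS (confirm). Adding `runAsNonRoot: true` is a sound hardening step; a short comment above `runAsUser`, for example `# UID/GID must match ownership on the media volumes`, would stop the value being changed piecemeal later. The container-level `securityContext` lies outside this hunk, so it cannot be checked here whether `allowPrivilegeEscalation: false` and a capability drop are set.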
@@ -0,0 +1,125 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app qbittorrent
+ namespace: &namespace media
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.1.0
+ interval: 30m
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ qbittorrent:
+ pod:
+ securityContext:
+ fsGroup: 2000
+ fsGroupChangePolicy: "OnRootMismatch"
+ containers:
+ app:
+ nameOverride: qbittorrent
+ image:
+ repository: ghcr.io/onedr0p/qbittorrent
+ tag: 4.6.4@sha256:b9af0f2173572a69d2c02eab8f701ef7b04f61689efe1c5338b96445d528dec4
+ env:
+ QBITTORRENT__PORT: &port 8080
+ QBITTORRENT__BT_PORT: &bittorrentPort 50413
+ TZ: ${TIMEZONE}
+ UMASK: "022"
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ startup:
+ enabled: true
+ spec:
+ failureThreshold: 30
+ periodSeconds: 5
+ resources:
+ requests:
+ memory: 1Gi
+ limits:
+ memory: 4Gi
+ securityContext:
+ runAsUser: 2000
+ runAsGroup: 2000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ gluetun:
+ image:
+ repository: ghcr.io/qdm12/gluetun
+ tag: v3.38.0
+ env:
+ DOT: "off"
+ DNS_ADDRESS: 4.4.4.4
+ FIREWALL_INPUT_PORTS: 8080
+ FIREWALL_OUTBOUND_SUBNETS: 10.96.0.0/16 # Allow access to k8s subnets
+ SERVER_CATEGORIES: P2P
+ SERVER_COUNTRIES: Sweden
+ VPN_SERVICE_PROVIDER: nordvpn
+ VPN_TYPE: openvpn
+ envFrom:
+ - secretRef:
+ name: qbittorrent-secret
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ service:
+ app:
+ controller: qbittorrent
+ ports:
+ http:
+ port: *port
+ ingress:
+ app:
+ className: internal
+ hosts:
+ - host: &host qbittorrent.${SECRET_DOMAIN}
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ tls:
+ - hosts:
+ - *host
+ persistence:
+ config:
+ enabled: true
+ type: emptyDir
+ advancedMounts:
+ qbittorrent:
+ app:
+ - path: /config
+ movies:
+ enabled: true
+ type: nfs
+ server: ${NFS_SERVER}
+ path: /movies
+ advancedMounts:
+ qbittorrent:
+ app:
+ - path: /media/movies
diff --git a/kubernetes/apps/media/qbittorrent/app/kustomization.yaml b/kubernetes/apps/media/qbittorrent/app/kustomization.yaml
new file mode 100644
index 00000000..17cbc72b
--- /dev/null
+++ b/kubernetes/apps/media/qbittorrent/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/media/qbittorrent/app/qbittorrent-secret.sops.yaml b/kubernetes/apps/media/qbittorrent/app/qbittorrent-secret.sops.yaml
new file mode 100644
index 00000000..c2c25e0f
--- /dev/null
+++ b/kubernetes/apps/media/qbittorrent/app/qbittorrent-secret.sops.yaml
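Review bot: In the new `qbittorrent/app/helmrelease.yaml`, the gluetun container's `securityContext` adds `SYS_MODULE` next to `NET_ADMIN`, which lets that container load kernel modules on the node. With `VPN_TYPE: openvpn` it is probably not needed, since it is usually requested only so a WireGuard module can be loaded (confirm against the gluetun documentation). Suggest reducing the list to `add: [NET_ADMIN]` and checking that the tunnel still comes up. The same container is pulled by the mutable tag `v3.38.0`, while the qbittorrent image in this hunk is pinned by `@sha256:` digest; gluetun receives the VPN credentials from `qbittorrent-secret` and holds the elevated capabilities, so it should be pinned by digest too. Separately, `DNS_ADDRESS: 4.4.4.4` with `DOT: "off"` sends plaintext DNS to an address that does not look like one of the commonly published public resolvers; check whether `8.8.4.4` or the VPN provider's resolver was intended.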
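Review bot: In the new `qbittorrent/app/kustomization.yaml`, `resources` lists only `./helmrelease.yaml`, so `qbittorrent-secret.sops.yaml`, added beside it in this commit, is never applied by this Kustomization. The gluetun container's `envFrom.secretRef` names `qbittorrent-secret`, so unless that Secret is created some other way the container cannot be configured and the pod will not become ready. Add `- ./qbittorrent-secret.sops.yaml` to `resources`.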
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: qbittorrent-secret
+ namespace: media
+type: Opaque
+data:
+ OPENVPN_USER: ENC[AES256_GCM,data:HNGNkhQZ3M6QBhYobO4xkVgr50qDPoIvdPXVWjDKNwI=,iv:7x2bQkzpe4DMVhrCICU3k2oIwnzT+HApMgVcvPJLzgo=,tag:wC1I+KyPUg4FF4nJ0MajhA==,type:str]
+ OPENVPN_PASSWORD: ENC[AES256_GCM,data:7f979TM15JeLnAE5ULu5/QH+SNF4+wWXLf2hWQNSizc=,iv:27CQ1ul2xtHOaQIuwbkycdq7fLPeXphm6k9XtDcX8FE=,tag:l0mk8DQpT7XZnq0cUXGaeg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17ary36xtm566uptguuhsj7xmuqzyz06ce54tcf6p3mge2thphqfs3gln40
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTDFibUdsTm1wcGo0K28v
+ TmY2WW1VT2lRTmRzSjVNc0JGS01IdElQYmh3CjJOMm9OaWhSdWdpS0g2QzVUenFW
+ TGdaN0d6WHFlREMzTXN3WklzT3FKNWsKLS0tIFpYRG1aYkJLZ0JuVnZvVHZXVm9N
+ VVpvRURjRy9vRnNlM2FpeFRhcnNLQ0kKQS07UEDVbd/O3xFudxAqY8Ie49WT3tH+
+ 7/1kbNFdJza+KsyS67KM6ihITMCDNrytkcCf2KuXMnbvMX2Kfp6lDg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-09T13:54:30Z"
+ mac: ENC[AES256_GCM,data:JnxMnK9VL0B0ZExSIqA27gWt8eUP4Zrwj4PHNZ6aPnYNIgwIr5HmJIGLlFntjAphyh5Nnp24Lrk4MzFQWW4zAcFkwBceWJmuWWuM43NpP0DXEWSeEqfPlsJiBLSAdKcOIsI0RmIT7yFsYuJK0Ap8bCZTRWRo0RN+LTeM8L7T4Yk=,iv:0DH6toYp1rzVjvXxZXyovN7NEwi/exxPj9e5v997I1w=,tag:fCAmvtHnrfM6s2WSgS2mkw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/kubernetes/apps/media/qbittorrent/ks.yaml b/kubernetes/apps/media/qbittorrent/ks.yaml
new file mode 100644
index 00000000..9222a63e
--- /dev/null
+++ b/kubernetes/apps/media/qbittorrent/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app qbittorrent
+ namespace: flux-system
+spec:
+ targetNamespace: media
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/media/qbittorrent/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 15m
diff --git a/kubernetes/apps/media/radarr/app/helmrelease.yaml b/kubernetes/apps/media/radarr/app/helmrelease.yaml
index e6949493..e67b1ef6 100644
--- a/kubernetes/apps/media/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/media/radarr/app/helmrelease.yaml
@@ -3,7 +3,8 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
- name: radarr
+ name: &app radarr
+ namespace: &namespace media
 spec:
 interval: 30m
 chart:
@@ -15,6 +16,14 @@ spec:
 kind: HelmRepository
 name: bjw-s
 namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
 values:
 controllers:
 radarr:
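Review bot: The Flux Kustomization in the new `qbittorrent/ks.yaml` has no `spec.decryption` block, although its `path` holds a SOPS-encrypted Secret (`qbittorrent-secret.sops.yaml`). Unless a parent Kustomization patches decryption into every child, which this diff does not show, kustomize-controller would presumably either reject the manifest or apply it with the `ENC[...]` strings still in place once the file is listed in `resources`. If it is not injected elsewhere, add `decryption:` with `provider: sops` and `secretRef.name: <sops-key-secret>`, where the placeholder stands for the cluster's existing key Secret.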