fix(helm): install radarr and qbittorrent

kubernetes/raspberry/media/kustomization.yaml

@@ -4,4 +4,6 @@ kind: Kustomization
 resources:
   - ./namespace.yaml
   - ./prowlarr/ks.yaml
+  - ./qbittorrent/ks.yaml
+  - ./radarr/ks.yaml
   - ./sonarr/ks.yaml

kubernetes/raspberry/media/qbittorrent/app/helmrelease.yaml

@@ -0,0 +1,161 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/refs/heads/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app qbittorrent
+  namespace: &namespace media
+spec:
+  interval: 1h
+  timeout: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    defaultPodOptions:
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 192.168.0.8
+        options:
+          - name: ndots
+            value: "2"
+    controllers:
+      qbittorrent:
+        pod:
+          nodeSelector:
+            disktype: ssd
+          securityContext:
+            fsGroup: 2000
+            fsGroupChangePolicy: "OnRootMismatch"
+        containers:
+          app:
+            nameOverride: qbittorrent
+            image:
+              repository: ghcr.io/onedr0p/qbittorrent
+              tag: 5.0.0@sha256:1cc1878d06fafe6a1a1294f1547203634e729e3386324b7a63c8fde68554d705
+            env:
+              QBITTORRENT__PORT: &port 8080
+              QBITTORRENT__BT_PORT: &bittorrentPort 0
+              TZ: ${TIMEZONE}
+              UMASK: "022"
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+              startup:
+                enabled: true
+                spec:
+                  failureThreshold: 30
+                  periodSeconds: 5
+            resources:
+              requests:
+                memory: 1Gi
+              limits:
+                memory: 4Gi
+            securityContext:
+              runAsUser: 2000
+              runAsGroup: 2000
+              runAsNonRoot: true
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                  - ALL
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.1
+            env:
+              DOT: "off"
+              DNS_ADDRESS: 1.1.1.1
+              FIREWALL_INPUT_PORTS: 8080
+              FIREWALL_OUTBOUND_SUBNETS: 10.69.0.0/16
+              SERVER_CATEGORIES: P2P
+              SERVER_COUNTRIES: Sweden
+              VPN_SERVICE_PROVIDER: nordvpn
+              VPN_TYPE: openvpn
+            envFrom:
+              - secretRef:
+                  name: qbittorrent-secret
+            securityContext:
+              capabilities:
+                add:
+                  - NET_ADMIN
+    service:
+      app:
+        controller: qbittorrent
+        ports:
+          http:
+            port: *port
+    ingress:
+      app:
+        className: internal
+        annotations:
+          gethomepage.dev/enabled: "true"
+          gethomepage.dev/group: Media
+          gethomepage.dev/icon: qbittorrent.png
+          gethomepage.dev/name: qBittorrent
+        hosts:
+          - host: &host qbittorrent.${SECRET_DOMAIN}
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      config:
+        enabled: true
+        type: persistentVolumeClaim
+        accessMode: ReadWriteOnce
+        size: 1Gi
+        labels:
+          recurring-job-group.longhorn.io/backup: enabled
+        advancedMounts:
+          qbittorrent:
+            app:
+              - path: /config
+      downloads:
+        enabled: true
+        type: nfs
+        server: ${NFS_SERVER}
+        path: /downloads
+        advancedMounts:
+          qbittorrent:
+            app:
+              - path: /media/downloads
+      movies:
+        enabled: true
+        type: nfs
+        server: ${NFS_SERVER}
+        path: /movies
+        advancedMounts:
+          qbittorrent:
+            app:
+              - path: /media/movies
+      series:
+        enabled: true
+        type: nfs
+        server: ${NFS_SERVER}
+        path: /series
+        advancedMounts:
+          qbittorrent:
+            app:
+              - path: /media/series

kubernetes/raspberry/media/qbittorrent/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease.yaml
+  - secret.sops.yaml

kubernetes/raspberry/media/qbittorrent/app/secret.sops.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: qbittorrent-secret
+    namespace: media
+data:
+    OPENVPN_USER: ENC[AES256_GCM,data:eO8So7n4iIOZkJuznLq1f2wz7o5gOpfb1/uEkxoAShY=,iv:jgUY98j8eC7sBy57H4zAFKd1WrokyTQ/UZUZ4LKnSqQ=,tag:wjMm7n3gBiEIKjPUM5uQ6Q==,type:str]
+    OPENVPN_PASSWORD: ENC[AES256_GCM,data:VWBW59712Xz9bV9y/us62nNVyCA/SF/bX6HYuKZWONA=,iv:7dot/4vyqXBzxD3WXZVbXnf+6l+oZVg+0mQQACDVrMo=,tag:AAjLuGb6Is7zyzztmG4/Ow==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkM0VnNCNmRmTy92VjFj
+            RDYwOEs2SFpQUHRVS2N5LzZVOFZxMFRRbVRnCmRXVmh6NE5taE5kY0dqV1lMd3ZM
+            NXBLaUpINyt5SnZpTWZPSkc0aDV0R2cKLS0tIG5HY1gwZThYM0pYRlQwTlZqeG5R
+            YlVMUFVmWHVHS3pCZ2M1ZXVNcmRlZ00KbJ29VuZ0JkBLiF+ZmH3qo+mMG3c0fEk8
+            Dkrz83GsCqL3+PmqWB86GULQk1QtAPta7GMazZECBqAyVrzxLJDvWg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRkc2N0tFRVFYekFCWG4x
+            c2hLMmxrUXdUbHFHV2xJNGdkRFRGTkNub3lvCnBQTzIvRHd3K2wzaExzQjdySkxR
+            cnhVL0FBNkVDdDBndVBFRzFLYkhtejgKLS0tIDdMSzJUaHkwa2hLM2F3cUtjUlkx
+            V3JTd2ZHbVVKb0lZNG9iR3orRHpjcFkKMXGWr0KPQJnxsjh+PYPgmwbNFnURmfEX
+            d/E/Ka8lih5mvOuMYmSSt+OPLRFQsZ4z0hMrZ621gTcNl2F+va3w3A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-24T21:56:56Z"
+    mac: ENC[AES256_GCM,data:rYGEdu30gnPQXlCNccvTEiwTQygmBR6QA5F0e8U9Srghx/h33Zs3XFgA72bYEEhfHYj8jL30cQKvDaCfA8PLaYxOWomFz2tNtyHbjwi94FGCINH9yKmc4LhX/WcIMi8ABNKV85RRIFwt8Ahvh/JLLLer63gBH5f8Sc8KdRm4/T8=,iv:CXtv6+ATBAkRh97RUBWn+cXKY+U4DDNa0uniNx6dm7M=,tag:My2moFcrnR5bzWQNi/RBWg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/raspberry/media/qbittorrent/ks.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app qbittorrent
+  namespace: flux-system
+spec:
+  targetNamespace: media
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/raspberry/media/qbittorrent/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: false
+  interval: 1h
+  retryInterval: 1m
+  timeout: 15m

kubernetes/raspberry/media/radarr/app/helmrelease.yaml

@@ -0,0 +1,131 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/refs/heads/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app radarr
+  namespace: &namespace media
+spec:
+  interval: 1h
+  timeout: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      radarr:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        pod:
+          nodeSelector:
+            disktype: ssd
+          securityContext:
+            runAsUser: 2000
+            runAsGroup: 2000
+            runAsNonRoot: true
+            fsGroup: 2000
+            fsGroupChangePolicy: "OnRootMismatch"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/onedr0p/radarr-develop
+              tag: 5.12.2.9335@sha256:6c4dc76eddeb06cb362ce46ac4a4beed64c49126caed70bf4d21eb8c86f70249
+            env:
+              COMPlus_EnableDiagnostics: "0"
+              RADARR__APPLICATION_URL: "https://radarr.${SECRET_DOMAIN}"
+              RADARR__AUTH__APIKEY:
+                valueFrom:
+                  secretKeyRef:
+                    name: radarr-secret
+                    key: api_key
+              RADARR__INSTANCE_NAME: Radarr
+              RADARR__LOG_LEVEL: info
+              RADARR__PORT: &port 7878
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+              startup:
+                enabled: true
+                spec:
+                  failureThreshold: 30
+                  periodSeconds: 5
+            resources:
+              requests:
+                cpu: 200m
+                memory: 200Mi
+              limits:
+                cpu: 200m
+                memory: 200Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                  - ALL
+    service:
+      app:
+        controller: radarr
+        ports:
+          http:
+            port: *port
+    ingress:
+      app:
+        enabled: true
+        className: internal
+        annotations:
+          gethomepage.dev/enabled: "true"
+          gethomepage.dev/group: Media
+          gethomepage.dev/icon: radarr.png
+          gethomepage.dev/name: Radarr
+        hosts:
+          - host: &host radarr.${SECRET_DOMAIN}
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      config:
+        enabled: true
+        type: persistentVolumeClaim
+        accessMode: ReadWriteOnce
+        size: 1Gi
+        labels:
+          recurring-job-group.longhorn.io/backup: enabled
+      downloads:
+        enabled: true
+        type: nfs
+        server: ${NFS_SERVER}
+        path: /downloads
+        globalMounts:
+          - path: /media/downloads
+      movies:
+        enabled: true
+        type: nfs
+        server: ${NFS_SERVER}
+        path: /movies
+        globalMounts:
+          - path: /media/movies
+    defaultPodOptions:
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"

kubernetes/raspberry/media/radarr/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease.yaml
+  - secret.sops.yaml