From 036d2716b04668f0338a367a759036e34dd4aa8d Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 1 Oct 2025 08:21:26 +0800
Subject: [PATCH] feat: add kiwix
---
 .../biohazard/flux/kustomization.yaml | 1 +
 kube/deploy/apps/kiwix/app/hr.yaml | 175 ++++++++++++++++++
 kube/deploy/apps/kiwix/app/pvc.yaml | 18 ++
 kube/deploy/apps/kiwix/ks.yaml | 18 ++
 kube/deploy/apps/kiwix/kustomization.yaml | 6 +
 kube/deploy/apps/kiwix/ns.yaml | 10 +
 6 files changed, 228 insertions(+)
 create mode 100644 kube/deploy/apps/kiwix/app/hr.yaml
 create mode 100644 kube/deploy/apps/kiwix/app/pvc.yaml
 create mode 100644 kube/deploy/apps/kiwix/ks.yaml
 create mode 100644 kube/deploy/apps/kiwix/kustomization.yaml
 create mode 100644 kube/deploy/apps/kiwix/ns.yaml
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index f6d20d23..87f2237a 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -158,6 +158,7 @@ resources:
 - ../../../deploy/apps/rclone-retro/
 - ../../../deploy/apps/feishin/
 - ../../../deploy/apps/esphome/
+ - ../../../deploy/apps/kiwix/
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
 - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/kiwix/app/hr.yaml b/kube/deploy/apps/kiwix/app/hr.yaml
new file mode 100644
index 00000000..6b7ca803
--- /dev/null
+++ b/kube/deploy/apps/kiwix/app/hr.yaml
@@ -0,0 +1,175 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-4.2.0/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app kiwix
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 4.2.0
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ app:
+ type: deployment
+ replicas: 2
+ strategy: RollingUpdate
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: allow
+ containers:
+ app:
+ image: &img
+ repository: ghcr.io/kiwix/kiwix-tools
+ tag: 3.7.0@sha256:0962ac16ff6e3a4f13107e4cbf099d40b3f28ae91f651058a8b81e9f263f4e05
+ command: ["/usr/bin/dumb-init", "--", "/bin/sh", "-c", "/usr/local/bin/kiwix-serve --address=$(IP) --port=$(PORT) --nodatealiases *.zim"]
+ env: &env
+ TZ: "${CONFIG_TZ}"
+ PORT: &http 8080
+ IP:
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ limits:
+ cpu: "1"
+ memory: "512Mi"
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ dl-ifixit: &dl
+ type: job
+ pod:
+ annotations:
+ reloader.stakater.com/auto: "false"
+ labels:
+ egress.home.arpa/internet: allow
+ containers:
+ app: &dl-ct
+ image:
+ repository: nixery.dev/curl
+ tag: latest
+ pullPolicy: Always
+ # command: ["wget", "-O", "/data/$(ZIM)", "https://download.kiwix.org/zim/$(CAT)/$(ZIM).zim"]
+ command: ["curl", "--no-clobber", "-vLo", "/data/$(ZIM)", "https://download.kiwix.org/zim/$(CAT)/$(ZIM).zim"]
+ env:
+ CAT: ifixit # category
+ ZIM: ifixit_en_all_2025-06
+ securityContext: *sc
+ resources:
+ requests:
+ cpu: "10m"
+ limits:
+ cpu: "1"
+ memory: "128Mi"
+ dl-archlinux:
+ <<: *dl
+ containers:
+ app:
+ <<: *dl-ct
+ env:
+ CAT: other
+ ZIM: archlinux_en_all_maxi_2025-09
+ dl-alpinelinux:
+ <<: *dl
+ containers:
+ app:
+ <<: *dl-ct
+ env:
+ CAT: other
+ ZIM: alpinelinux_en_all_maxi_2025-09
+ dl-wikipedia-mini:
+ <<: *dl
+ containers:
+ app:
+ <<: *dl-ct
+ env:
+ CAT: wikipedia
+ ZIM: wikipedia_en_all_mini_2025-06
+ dl-wikipedia-computers:
+ <<: *dl
+ containers:
+ app:
+ <<: *dl-ct
+ env:
+ CAT: wikipedia
+ ZIM: wikipedia_en_computer_nopic_2025-09
+ # dl-gobyexample:
+ # gobyexample.com_en_all_2025-08
+ service:
+ app:
+ controller: app
+ ports:
+ http:
+ port: 80
+ targetPort: *http
+ protocol: HTTP
+ appProtocol: http
+ ingress:
+ app:
+ className: nginx-internal
+ hosts:
+ - host: &host "${APP_DNS_KIWIX:=kiwix}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ identifier: app
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ data:
+ existingClaim: kiwix-library
+ globalMounts:
+ - subPath: data
+ path: /data
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ hostAliases:
+ - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
+ hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ hostUsers: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid 65534
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: "{{ .Release.Name }}"
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/{{ .Release.Name }}"
+ operator: DoesNotExist
diff --git a/kube/deploy/apps/kiwix/app/pvc.yaml b/kube/deploy/apps/kiwix/app/pvc.yaml
new file mode 100644
index 00000000..e182ba77
--- /dev/null
+++ b/kube/deploy/apps/kiwix/app/pvc.yaml
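Review bot: The download jobs (`dl-ifixit` and the four controllers that merge `*dl`) pull `nixery.dev/curl` at `tag: latest` with `pullPolicy: Always`, so each run executes whatever image that registry serves at the time, in a pod labelled for internet egress that writes to the shared `kiwix-library` volume. The `app` container in this same file is pinned by digest; the job image should be pinned the same way, e.g. `tag: <tag>@sha256:<digest>` (placeholder, the digest is not on this page). The curl command also has no `--fail` and nothing verifies the archive, so an HTTP error body or a truncated download is stored as the ZIM file and `--no-clobber` will not replace it on a later run; adding `--fail` and comparing against a checksum published alongside the file, if the mirror provides one, would close that. Separately, the output path `/data/$(ZIM)` has no `.zim` suffix while the server command globs `*.zim`, which looks unintended: `"-vLo", "/data/$(ZIM).zim"`.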
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: "kiwix-library"
+ namespace: &app "kiwix"
+ annotations:
+ description: "For Kiwix ZIM library"
+ labels:
+ app.kubernetes.io/name: *app
+ snapshot.home.arpa/enabled: "true"
+ kustomize.toolkit.fluxcd.io/prune: "Disabled"
+spec:
+ storageClassName: "file-ec-2-1"
+ accessModes: ["ReadWriteMany"]
+ resources:
+ requests:
+ storage: "30Gi"
diff --git a/kube/deploy/apps/kiwix/ks.yaml b/kube/deploy/apps/kiwix/ks.yaml
new file mode 100644
index 00000000..ada6f0b6
--- /dev/null
+++ b/kube/deploy/apps/kiwix/ks.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kiwix-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "kiwix"
+spec:
+ targetNamespace: "kiwix"
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/kiwix/app
+ components:
+ - ../../../core/flux-system/alerts/template/
+ dependsOn:
+ - name: crds
+ namespace: flux-system
diff --git a/kube/deploy/apps/kiwix/kustomization.yaml b/kube/deploy/apps/kiwix/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/kiwix/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/kiwix/ns.yaml b/kube/deploy/apps/kiwix/ns.yaml
new file mode 100644
index 00000000..638d646e
--- /dev/null
+++ b/kube/deploy/apps/kiwix/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kiwix
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps