diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index dd1a3eb7..c8428fd7 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -104,6 +104,7 @@ resources:
 - ../../../deploy/apps/yagpdb/
 - ../../../deploy/apps/redbot/
 - ../../../deploy/apps/code-server/
+ - ../../../deploy/apps/media-edit/
 - ../../../deploy/apps/homebox/
 - ../../../deploy/apps/vikunja/
 - ../../../deploy/vm/_kubevirt/
diff --git a/kube/deploy/apps/code-server/app/hr.yaml b/kube/deploy/apps/code-server/app/hr.yaml
index 8edec444..321778a1 100644
--- a/kube/deploy/apps/code-server/app/hr.yaml
+++ b/kube/deploy/apps/code-server/app/hr.yaml
@@ -144,7 +144,7 @@ spec:
 runAsUser: &uid 1000
 runAsGroup: *uid
 fsGroup: *uid
- fsGroupChangePolicy: "Always"
+ fsGroupChangePolicy: "OnRootMismatch"
 seccompProfile: { type: "RuntimeDefault" }
 topologySpreadConstraints:
 - maxSkew: 1
diff --git a/kube/deploy/apps/media-edit/app/es.yaml b/kube/deploy/apps/media-edit/app/es.yaml
new file mode 100644
index 00000000..251a18ee
--- /dev/null
+++ b/kube/deploy/apps/media-edit/app/es.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name media-edit-gluetun
+ namespace: media-edit
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "media-edit Gluetun - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
diff --git a/kube/deploy/apps/media-edit/app/hr.yaml b/kube/deploy/apps/media-edit/app/hr.yaml
new file mode 100644
index 00000000..7aac0704
--- /dev/null
+++ b/kube/deploy/apps/media-edit/app/hr.yaml
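Review bot: `fsGroupChangePolicy: "OnRootMismatch"` skips the recursive ownership pass whenever the volume root already matches `fsGroup`, so files deeper in the volume that were previously written with another uid/gid are no longer fixed up on mount; if such files exist on this PVC they will surface as permission errors instead of being silently corrected as they were under `Always`. A one-off recursive ownership fix on the volume (or a check that root and contents already agree) covers that before relying on the faster policy. A comment above the key, e.g. `# OnRootMismatch: skip the recursive chown when the volume root already matches fsGroup`, would record the trade-off. The enclosing `securityContext` block starts and ends outside the hunk.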
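Review bot: `dataFrom: - extract:` copies every field of the 1Password item into the `media-edit-gluetun` Secret, and hr.yaml hands that whole Secret to the gluetun container via `envFrom`, so any field added to the item later becomes an environment variable in the pod; if the item holds anything beyond the gluetun variables, listing the required keys under `data` with explicit `remoteRef.key`/`remoteRef.property` entries keeps the exposure to what the container needs. `deletionPolicy: Retain` leaves the Secret in the namespace after the ExternalSecret is removed, which is presumably intended but deserves a one-line comment, e.g. `# Retain: keep the Secret if this ExternalSecret is deleted`.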
@@ -0,0 +1,115 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app media-edit
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.6.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ egress.home.arpa/internet: "allow"
+ containers:
+ main:
+ image: &img
+ repository: "public.ecr.aws/debian/debian"
+ tag: "12.4-slim@sha256:4b025c60eb2f0ab14aa3c40057a022359a5a3a0c4abf46b1220a245207d00a10"
+ env:
+ TZ: "${CONFIG_TZ}"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "2000m"
+ memory: "8Gi"
+ gpu.intel.com/i915: "1"
+ gluetun:
+ image:
+ repository: "ghrc.io/qdm12/gluetun"
+ tag: "v3.37.0@sha256:ba9688ff9abaf73bbc0b257be547b51a097ca74324fedddeeb709732c2692eef"
+ env:
+ TZ: "${CONFIG_TZ}"
+ envFrom:
+ - secretRef:
+ name: "media-edit-gluetun"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ add: ["NET_ADMIN"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "1000m"
+ memory: "1Gi"
+ persistence:
+ config:
+ enabled: true
+ existingClaim: "media-edit-data"
+ globalMounts:
+ - subPath: "home"
+ path: "/home"
+ nfs:
+ enabled: true
+ type: nfs
+ server: "${IP_TRUENAS}"
+ path: "${PATH_NAS_MEDIA}"
+ globalMounts:
+ - path: "/media"
+ tmp:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - path: "/tmp"
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid 6969 # NAS media user
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "OnRootMismatch"
+ supplementalGroups: [
+ 44,
+ 104,
+ 109, # GPU
+ ]
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/media-edit"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/apps/media-edit/ks.yaml b/kube/deploy/apps/media-edit/ks.yaml
new file mode 100644
index 00000000..293b1924
--- /dev/null
+++ b/kube/deploy/apps/media-edit/ks.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: media-edit-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "media-edit"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/media-edit/app
+ targetNamespace: "media-edit"
+ dependsOn:
+ - name: media-edit-pvc
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: media-edit-pvc
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "media-edit"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/storage/volsync/template
+ targetNamespace: "media-edit"
+ dependsOn:
+ - name: 1-core-storage-volsync-app
+ - name: 1-core-storage-rook-ceph-cluster
+ postBuild:
+ substitute:
+ PVC: "media-edit-data"
+ SIZE: "100Gi"
+ SC: &sc "file"
+ SNAP: *sc
+ ACCESSMODE: "ReadWriteMany"
+ RUID: "6969"
+ RGID: "6969"
+ RFSG: "6969"
\ No newline at end of file
diff --git a/kube/deploy/apps/media-edit/kustomization.yaml b/kube/deploy/apps/media-edit/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/media-edit/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
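Review bot: `repository: "ghrc.io/qdm12/gluetun"` on the gluetun container looks like a transposition of `ghcr.io` (GitHub Container Registry, where qdm12/gluetun is published); because the tag is digest-pinned a wrong host can only fail the pull rather than serve a different image, but the pod will never start — change it to `repository: "ghcr.io/qdm12/gluetun"`. The `&sc` anchor is defined on both containers' `securityContext` and `&img` on the main image, yet nothing aliases them (`*sc`, `*img`), so they are dead and the duplicated `&sc` name is misleading; drop them. The main container runs a bare `public.ecr.aws/debian/debian` image with no `command`/`args`, so unless the chart or an omitted values layer supplies an entrypoint it will exit immediately and crash-loop — confirm the intended workload, and if a long-running command is meant, a comment on the image block saying what the container is for would help the next reader.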
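Review bot: The `media-edit-app` Kustomization declares no `postBuild`, yet the manifests under `./kube/deploy/apps/media-edit/app` reference `${CONFIG_TZ}`, `${IP_TRUENAS}`, `${PATH_NAS_MEDIA}` and `${CLUSTER_NAME}`; presumably a cluster-level patch injects `substituteFrom` into every Flux Kustomization, otherwise those placeholders would be applied literally — confirm. `RUID`/`RGID`/`RFSG: "6969"` must stay in step with `runAsUser: &uid 6969` in app/hr.yaml, which nothing enforces; a comment such as `# must match defaultPodOptions.securityContext uid/gid in app/hr.yaml` above the `substitute` block would flag the coupling. The file also lacks a trailing newline (`\ No newline at end of file`).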
diff --git a/kube/deploy/apps/media-edit/ns.yaml b/kube/deploy/apps/media-edit/ns.yaml
new file mode 100644
index 00000000..e4bd56f1
--- /dev/null
+++ b/kube/deploy/apps/media-edit/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: media-edit
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps baseline
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
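Review bot: `pod-security.kubernetes.io/enforce: &ps baseline` will reject the media-edit pod if Pod Security Admission is active on the cluster, because the gluetun container in app/hr.yaml adds `NET_ADMIN`, which is outside the capability allow-list of the baseline level; the Deployment would be created but its pods never admitted. If the VPN sidecar genuinely needs `NET_ADMIN`, enforce has to drop to `privileged` for this namespace while audit and warn can stay at baseline so the relaxation remains visible in audit logs and kubectl warnings: `pod-security.kubernetes.io/enforce: privileged`, `pod-security.kubernetes.io/audit: baseline`, `pod-security.kubernetes.io/warn: baseline` (the shared `&ps` anchor then goes away). A comment naming the reason, e.g. `# enforce relaxed to privileged: gluetun needs NET_ADMIN for the VPN tunnel`, keeps the exception from being tightened later without anyone knowing why.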