From 857911fa28fa6265e2183ad530d4803bbc1a1e88 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Sat, 25 May 2024 06:24:05 +0800 Subject: [PATCH] feat: add komga --- .../biohazard/flux/kustomization.yaml | 1 + kube/deploy/apps/komga/app/es.yaml | 41 ++++++ kube/deploy/apps/komga/app/hr.yaml | 133 ++++++++++++++++++ kube/deploy/apps/komga/ks.yaml | 44 ++++++ kube/deploy/apps/komga/kustomization.yaml | 6 + kube/deploy/apps/komga/ns.yaml | 10 ++ 6 files changed, 235 insertions(+) create mode 100644 kube/deploy/apps/komga/app/es.yaml create mode 100644 kube/deploy/apps/komga/app/hr.yaml create mode 100644 kube/deploy/apps/komga/ks.yaml create mode 100644 kube/deploy/apps/komga/kustomization.yaml create mode 100644 kube/deploy/apps/komga/ns.yaml diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index c93de7fc..3748fee5 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml @@ -124,6 +124,7 @@ resources: - ../../../deploy/apps/davis/ - ../../../deploy/apps/immich/ - ../../../deploy/apps/kromgo/ + - ../../../deploy/apps/komga/ - ../../../deploy/vm/_kubevirt/ #- ../../../deploy/vm/_base/ - ../../../deploy/vm/ad/ diff --git a/kube/deploy/apps/komga/app/es.yaml b/kube/deploy/apps/komga/app/es.yaml new file mode 100644 index 00000000..be9071c2 --- /dev/null +++ b/kube/deploy/apps/komga/app/es.yaml 
@@ -0,0 +1,41 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name komga-secrets + namespace: komga +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "komga - ${CLUSTER_NAME}" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: "Opaque" + data: + application.yml: | + spring: + security: + oauth2: + client: + registration: + authentik: + provider: authentik # this must match the provider below + client-name: Login with JJGadgets + client-id: "{{ .SECRET_KOMGA_AUTHENTIK_CLIENT_ID }}" + client-secret: "{{ .SECRET_KOMGA_AUTHENTIK_CLIENT_SECRET }}" + scope: openid,email + authorization-grant-type: authorization_code + # the placeholders in {} will be replaced automatically, you don't need to change this line + redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}" + provider: + authentik: + user-name-attribute: preferred_username + issuer-uri: https://${APP_DNS_AUTHENTIK}/application/o/komga/ diff --git a/kube/deploy/apps/komga/app/hr.yaml b/kube/deploy/apps/komga/app/hr.yaml new file mode 100644 index 00000000..00397b27 --- /dev/null +++ b/kube/deploy/apps/komga/app/hr.yaml 
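Review bot: The `authentik` registration requests `scope: openid,email` but takes the account name from `user-name-attribute: preferred_username`; in Authentik that claim is normally released by the `profile` scope mapping, so unless the provider has been customised to include it elsewhere, logins may succeed with an empty or missing username. Confirm against the Authentik provider's scope mappings and, if it is not released under `email`, change the line to `scope: openid,email,profile`. The rendered `application.yml` also carries the raw `client-secret`, so the 1m `refreshInterval` only helps rotation if whatever mounts this Secret actually re-reads the file — worth a comment on the `refreshInterval` line such as `# rotation still needs the consuming pod to reload application.yml`.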
@@ -0,0 +1,133 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: &app komga + namespace: *app +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system + values: + controllers: + komga: + type: deployment + replicas: 1 + pod: + labels: + ingress.home.arpa/nginx-internal: allow + authentik.home.arpa/https: allow + egress.home.arpa/internet: allow # metadata + containers: + main: + image: &img + repository: ghcr.io/gotson/komga + tag: 1.11.1@sha256:a21459c33136d2d65336e15683e8dba8330dece8747036edaae02d6ebc0fabbe + env: &env + TZ: "${CONFIG_TZ}" + KOMGA_CONFIGDIR: &pvc /config + SERVER_PORT: "8080" + LOGGING_FILE_NAME: /dev/stdout + KOMGA_OAUTH2_ACCOUNT_CREATION: "true" + KOMGA_OIDC_EMAIL_VERIFICATION: "true" + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: "10m" + memory: "1Gi" + limits: + cpu: "3000m" + memory: "4Gi" + probes: + liveness: + enabled: true + readiness: + enabled: true + service: + komga: + controller: komga + ports: + http: + port: 8080 + protocol: HTTP + appProtocol: http + ingress: + main: + className: nginx-internal + hosts: + - host: &host "${APP_DNS_KOMGA}" + paths: &paths + - path: / + pathType: Prefix + service: + name: main + port: http + tls: + - hosts: [*host] + tailscale: + primary: false + className: tailscale + hosts: + - host: &host "${APP_DNS_TS_KOMGA}" + paths: *paths + tls: + - hosts: [*host] + persistence: + config: + type: secret + name: komga-secrets + defaultMode: 0400 + globalMounts: + - subPath: application.yml + path: /config/application.yml + data: + existingClaim: komga-data + globalMounts: + - subPath: data + path: *pvc + - subPath: media + path: /ceph + nfs: + type: nfs + server: "${IP_TRUENAS}" + path: "${PATH_NAS_MEDIA}" + globalMounts: + - path: /nas + readOnly: true + defaultPodOptions: 
+ automountServiceAccountToken: false + enableServiceLinks: false + hostAliases: + - ip: "${APP_IP_AUTHENTIK}" + hostnames: ["${APP_DNS_AUTHENTIK}"] + securityContext: + runAsNonRoot: true + runAsUser: &uid ${APP_UID_KOMGA:=1000} + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + seccompProfile: { type: "RuntimeDefault" } + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: *app + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: fuckoff.home.arpa/komga + operator: DoesNotExist diff --git a/kube/deploy/apps/komga/ks.yaml b/kube/deploy/apps/komga/ks.yaml new file mode 100644 index 00000000..ef9c8d0e --- /dev/null +++ b/kube/deploy/apps/komga/ks.yaml @@ -0,0 +1,44 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: komga-app + namespace: flux-system + labels: &l + app.kubernetes.io/name: "komga" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/apps/komga/app + targetNamespace: "komga" + dependsOn: + - name: komga-pvc +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: komga-pvc + namespace: flux-system + labels: &l + app.kubernetes.io/name: "komga" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/core/storage/volsync/template + targetNamespace: "komga" + dependsOn: + - name: 1-core-storage-volsync-app + - name: 1-core-storage-rook-ceph-cluster + postBuild: + substitute: + PVC: "komga-data" + SIZE: "200Gi" + SC: &sc "file" + SNAP: *sc + ACCESSMODE: "ReadWriteMany" + RUID: !!str &uid | + ${APP_UID_KOMGA} + RGID: !!str | + ${APP_UID_KOMGA} + RFSG: !!str | + ${APP_UID_KOMGA} diff --git a/kube/deploy/apps/komga/kustomization.yaml b/kube/deploy/apps/komga/kustomization.yaml new file mode 100644 index 00000000..5eeb2657 --- /dev/null 
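Review bot: The OIDC client secret rendered into `komga-secrets` is mounted with `subPath: application.yml`, and Kubernetes does not propagate Secret updates into subPath mounts, so the ExternalSecret's 1m refresh (es.yaml) never reaches the running container and a rotated `SECRET_KOMGA_AUTHENTIK_CLIENT_SECRET` only takes effect after a pod restart. Either mount the Secret as a whole directory (Spring can be pointed at it via `SPRING_CONFIG_ADDITIONAL_LOCATION`, if Komga honours it — verify) or document the constraint next to the mount, e.g. `# subPath mount: secret rotation requires a pod restart`. Separately, `KOMGA_OAUTH2_ACCOUNT_CREATION: "true"` auto-provisions a Komga account for every identity Authentik returns, so access to this app rests entirely on the Authentik application's policy bindings; a comment stating that on the line would save the next reader from assuming Komga gates sign-ups itself.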
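Review bot: `RUID: !!str &uid |` defines an anchor `uid` that is never aliased — `RGID` and `RFSG` repeat the literal block instead — so either drop `&uid` or write `RGID: *uid` and `RFSG: *uid`, matching the `&sc`/`*sc` and `&l`/`*l` pairs used elsewhere in this file. Note also that the clip-chomped `|` keeps a trailing newline on each of these values, so the substituted `${RUID}`, `${RGID}` and `${RFSG}` carry a `\n` into the volsync template; `|-` yields a clean scalar if the template places them inline (cannot tell from here, the template is outside this patch).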
+++ b/kube/deploy/apps/komga/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - ks.yaml diff --git a/kube/deploy/apps/komga/ns.yaml b/kube/deploy/apps/komga/ns.yaml new file mode 100644 index 00000000..8b475c43 --- /dev/null +++ b/kube/deploy/apps/komga/ns.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: komga + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: &ps baseline + pod-security.kubernetes.io/audit: *ps + pod-security.kubernetes.io/warn: *ps
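Review bot: `pod-security.kubernetes.io/enforce: baseline` appears to be the ceiling only because hr.yaml declares an inline `nfs` volume, which the `restricted` Pod Security Standard does not permit; the workload otherwise looks restricted-ready (non-root, all capabilities dropped, `RuntimeDefault` seccomp, read-only root filesystem). That reasoning is invisible to the next reader and the labels are likely to be left at baseline after the NAS share is migrated, so add a comment above the three labels, e.g. `# baseline, not restricted: the nfs volume type in app/hr.yaml is disallowed by the restricted profile`. If the media share later moves to a PVC, raise all three labels to `restricted` together.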