add lidarr (#253)

Co-authored-by: Ronald Philipsen <[email protected]>

kubernetes/apps/default/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - ./jellyfin/ks.yaml
   - ./sabnzbd/ks.yaml
   - ./jellyseerr/ks.yaml
+  - ./lidarr/ks.yaml
   - ./sonarr/ks.yaml
   - ./radarr/ks.yaml
   - ./recyclarr/ks.yaml

kubernetes/apps/default/lidarr/app/externalsecret.yaml

@@ -0,0 +1,32 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: radarr
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: lidarr-secret
+    template:
+      engineVersion: v2
+      data:
+        LIDARR__AUTH__APIKEY: "{{ .LIDARR_API_KEY }}"
+        LIDARR__POSTGRES__HOST: &dbHost postgres-rw.database.svc.cluster.local
+        LIDARR__POSTGRES__PORT: "5432"
+        LIDARR__POSTGRES__USER: &dbUser "{{ .LIDARR_POSTGRES_USER }}"
+        LIDARR__POSTGRES__PASSWORD: &dbPass "{{ .LIDARR_POSTGRES_PASSWORD }}"
+        LIDARR__POSTGRES__MAINDB: lidarr_main
+        LIDARR__POSTGRES__LOGDB: lidarr_log
+        INIT_POSTGRES_DBNAME: lidarr_main lidarr_log
+        INIT_POSTGRES_HOST: *dbHost
+        INIT_POSTGRES_USER: *dbUser
+        INIT_POSTGRES_PASS: *dbPass
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: cloudnative-pg
+    - extract:
+        key: ;odarr

kubernetes/apps/default/lidarr/app/helmrelease.yaml

@@ -0,0 +1,113 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: lidarr
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      # renovate: registryUrl=https://bjw-s.github.io/helm-charts
+      chart: app-template
+      version: 3.6.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 3
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+        runAsGroup: 2000
+        fsGroup: 2000
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile: { type: RuntimeDefault }
+    controllers:
+      lidarr:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16@sha256:a37bbb04a0ea3f15b505c6f97637e7ae89bc66541ae23b8d3848024087980e76
+            envFrom: &envFrom
+              - secretRef:
+                  name: lidarr-secret
+        containers:
+          app:
+            image:
+              repository: ghcr.io/szinn/lidarr-develop
+              tag: 2.9.4.4539@sha256:595aceaf0120cd8577f9e4cea0a71f721f3e14ac70005d64c10b8ee90aec2c27
+            env:
+              TZ: America/Toronto
+              LIDARR__APP__INSTANCENAME: Lidarr
+              LIDARR__APP__THEME: dark
+              LIDARR__AUTH__METHOD: External
+              LIDARR__AUTH__REQUIRED: DisabledForLocalAddresses
+              LIDARR__LOG__DBENABLED: "False"
+              LIDARR__LOG_LEVEL: info
+              LIDARR__SERVER__PORT: &port 80
+            envFrom: *envFrom
+
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /ping
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+    service:
+      app:
+        controller: lidarr
+        ports:
+          http:
+            port: *port
+    ingress:
+      app:
+        className: internal
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "internal.${SECRET_DOMAIN}"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: *port
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      config:
+        existingClaim: lidarr
+
+      data:
+        existingClaim: media-nfs
+
+    PodAnnotations:
+      secret.reloader.stakater.com/reload: lidarr-secret

kubernetes/apps/default/lidarr/app/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./externalsecret.yaml
+  - ./pvc.yaml
+  - ../../media-nfs.yaml

kubernetes/apps/default/lidarr/app/pvc.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: lidarr
+  namespace: default
+spec:
+  storageClassName: nfs-provision
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 15Gi

kubernetes/apps/default/lidarr/ks.yaml

@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: lidarr
+  namespace: flux-system
+spec:
+  path: ./kubernetes/apps/default/lidarr/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/apps/default/radarr/app/helmrelease.yaml

@@ -5,7 +5,6 @@ kind: HelmRelease
 metadata:
   name: &app radarr
   namespace: default
-
 spec:
   interval: 30m
   chart:
@@ -17,23 +16,27 @@ spec:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
-
   maxHistory: 3
-
   install:
     createNamespace: true
     remediation:
       retries: 3
-
   upgrade:
     cleanupOnFail: true
     remediation:
       retries: 3
-
   uninstall:
     keepHistory: false
-
   values:
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        supplementalGroups: [1000]
+        seccompProfile: { type: RuntimeDefault }
     controllers:
       radarr:
         strategy: Recreate
@@ -50,7 +53,6 @@ spec:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
               tag: 5.18.1.9612@sha256:f19b5e8f22e1b807a563d50ebef0b47aca1a2d61cea63599c2c4ca85425a2320
-
             env:
               TZ: ${TIMEZONE}
               RADARR__APP__INSTANCENAME: Radarr
@@ -61,23 +63,13 @@ spec:
               RADARR__LOG__LEVEL: info
               RADARR__SERVER__PORT: &port 80
               RADARR__UPDATE__BRANCH: develop
-
             envFrom: *envFrom
             securityContext:
               privileged: true
               capabilities:
                 add:
                   - NET_ADMIN
                   - NET_RAW
-    defaultPodOptions:
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 568
-        runAsGroup: 568
-        fsGroup: 568
-        fsGroupChangePolicy: OnRootMismatch
-        supplementalGroups: [1000]
-        seccompProfile: { type: RuntimeDefault }
     service:
       app:
         controller: radarr