add soulsync
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
2671abc98c
commit
67a2318a96
13 changed files with 467 additions and 0 deletions
158
apps/soulsync/deployment.yaml
Normal file
158
apps/soulsync/deployment.yaml
Normal file
|
|
@ -0,0 +1,158 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: slskd
|
||||
namespace: slskd
|
||||
labels:
|
||||
app: slskd
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: slskd
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: slskd
|
||||
security.policy/allow-root: "true"
|
||||
spec:
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
initContainers:
|
||||
- name: wireguard-config-init
|
||||
image: busybox:1.37.0
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- mkdir -p /config/wg_confs && cp /secrets/wg0.conf /config/wg_confs/wg0.conf
|
||||
volumeMounts:
|
||||
- name: wg-secret
|
||||
mountPath: /secrets
|
||||
readOnly: true
|
||||
- name: wg-config
|
||||
mountPath: /config
|
||||
|
||||
containers:
|
||||
- name: protonvpn-wireguard
|
||||
image: linuxserver/wireguard:1.0.20250521
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
env:
|
||||
- name: ALLOWEDIPS
|
||||
value: "0.0.0.0/0"
|
||||
volumeMounts:
|
||||
- name: wg-config
|
||||
mountPath: /config
|
||||
|
||||
- name: slskd
|
||||
image: slskd/slskd:0.25.1.65534-8e152ed6
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
ports:
|
||||
- containerPort: 5030
|
||||
name: web-ui
|
||||
env:
|
||||
- name: SLSKD_APP_DIR
|
||||
value: /app/config
|
||||
- name: SLSKD_DOWNLOADS_DIR
|
||||
value: /app/downloads
|
||||
volumeMounts:
|
||||
- name: slskd-config
|
||||
mountPath: /app/config
|
||||
- name: slskd-downloads
|
||||
mountPath: /app/downloads
|
||||
- name: slskd-music
|
||||
mountPath: /app/music
|
||||
readOnly: true
|
||||
|
||||
- name: soulsync
|
||||
image: boulderbadgedad/soulsync:2.7.3
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: soulsync-ui
|
||||
env:
|
||||
- name: SLSKD_URL
|
||||
value: "http://localhost:5030"
|
||||
volumeMounts:
|
||||
- name: soulsync-config
|
||||
mountPath: /app/config
|
||||
- name: soulsync-data
|
||||
mountPath: /app/data
|
||||
- name: slskd-downloads
|
||||
mountPath: /app/downloads
|
||||
- name: slskd-music
|
||||
mountPath: /app/music
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/logs
|
||||
subPath: logs
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/Transfer
|
||||
subPath: Transfer
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/Staging
|
||||
subPath: Staging
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/Stream
|
||||
subPath: Stream
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/storage
|
||||
subPath: storage
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/MusicVideos
|
||||
subPath: MusicVideos
|
||||
- name: soulsync-ephemeral
|
||||
mountPath: /app/scripts
|
||||
subPath: scripts
|
||||
|
||||
volumes:
|
||||
- name: wg-secret
|
||||
secret:
|
||||
secretName: protonvpn-wg-conf
|
||||
- name: wg-config
|
||||
emptyDir: {}
|
||||
- name: slskd-config
|
||||
persistentVolumeClaim:
|
||||
claimName: slskd-config
|
||||
- name: soulsync-config
|
||||
persistentVolumeClaim:
|
||||
claimName: soulsync-config
|
||||
- name: soulsync-data
|
||||
persistentVolumeClaim:
|
||||
claimName: soulsync-data
|
||||
- name: soulsync-ephemeral
|
||||
emptyDir: {}
|
||||
- name: slskd-downloads
|
||||
persistentVolumeClaim:
|
||||
claimName: slskd-downloads
|
||||
- name: slskd-music
|
||||
persistentVolumeClaim:
|
||||
claimName: slskd-music
|
||||
12
apps/soulsync/kustomization.yaml
Normal file
12
apps/soulsync/kustomization.yaml
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- storage.yaml
|
||||
- pvcs.yaml
|
||||
- protonvpn-wg-sealed.yaml
|
||||
- network-policy.yaml
|
||||
- deployment.yaml
|
||||
- service.yaml
|
||||
- route.yaml
|
||||
8
apps/soulsync/namespace.yaml
Normal file
8
apps/soulsync/namespace.yaml
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: slskd
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/audit: privileged
|
||||
pod-security.kubernetes.io/warn: privileged
|
||||
45
apps/soulsync/network-policy.yaml
Normal file
45
apps/soulsync/network-policy.yaml
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
# ----------------------------------------------------
|
||||
# Ingress only from Gateway API
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress
|
||||
namespace: slskd
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: slskd
|
||||
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- ingress
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "5030"
|
||||
protocol: TCP
|
||||
- port: "8080"
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
# ----------------------------------------------------
|
||||
# VPN killswitch — only allow egress to ProtonVPN endpoint
|
||||
# All other internet traffic is blocked, forcing it through the tunnel
|
||||
# ----------------------------------------------------
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: vpn-killswitch
|
||||
namespace: slskd
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app: slskd
|
||||
|
||||
egress:
|
||||
- toCIDR:
|
||||
- "149.50.216.205/32"
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "51820"
|
||||
protocol: UDP
|
||||
16
apps/soulsync/protonvpn-wg-sealed.yaml
Normal file
16
apps/soulsync/protonvpn-wg-sealed.yaml
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: protonvpn-wg-conf
|
||||
namespace: slskd
|
||||
spec:
|
||||
encryptedData:
|
||||
wg0.conf: AgAzuAuXeEglkKYphbv3iAyXMTL+TG999w60f7ZYmLhuFLDDisgMTSWYH00sM0wMLIpxfxgDdFh19LYbIurLFp2ejij+zs3G2e+7cnltwWEjULbh1IntLTKYTBovq4zKb1sIaby6TPtnjUyfAME101xznQpkSDnFjqhOoNMcvX76o5Lg+NelyUC0+w40IG2G2wzJ/J1h7gVdEkqiQJ/eZd8VYRswP7KXu9p3QePhlVEo/+jSmyXt7gAfbqUrA6nbPmILtOZ80398Ybxq4E23pufC0ycNIBpvRvAV/Mfl1K6reGDMmfxPQW52axWlJzYBcYiPsHfTgJplLIqHSHnm+SL01e8Mk8K5Xq/O2DKjujwx7aUbGicSR80MkKe+uSzu2f6jiTpGznx0a5LuHLLhGBI0zPaYBKuL2oXPwW7E2iBWBbro2F6+sDIuVTXnZjMLisyNZMZhtuXvkzKb9yEBHmP3sdz3SHL/i8giskTcReU/+MrevakWNVbT2iXxVOqp8G1F/y+xeAYq5BZDWwwcKF4U4ALZQoJKfxBDFJSBNrgKKqwWmBt0Q88NUv/6uEy9boyjRmRfBf46XuajcphHQaHhhpp10+19Kp18dDISEGU0lf4XMj69NaRDv/WRpQYl1JuHSUxVrMnXH70s/n+HLUpcvcVOX5xwG8pCBi5nVZiYFlRqfn3p924sNbgg2XKbnNkiKI47+U0Y8U0QMVm7LEkwjFvEetG/hd1YPghcFprGtfHYU5xIeHT8Pk3cNmtL9s0OWYj4Sak7Im5RizsCt/L4SwcuC+tnVH08B5GpDlSOa4gRQ0PBH5y/WbU8TNjJRbms1Mi+Ct1VLvim1IdAUMXpUvN4bkfyQOSDQWZwR1WdY86pVKANm+toG/MoJHp/oX92NheJu9Fyk3gur9HCPrmcCtDRzsCBW2O42Wh6edhHxCL1040wqyG2HIefgydPyM9chchKYMddiYof2YrgLbgNXufG+hV/2oOqsBS5e/kyEYoTRxx0klyhgY83SO2QF1ZE9Rsq55MI1dMFW89DrCWrm0Q4Xq13at0wS2UtRFh37FfDNPDVZyd/E9K0xo6iadW8Qd2WpL/eefZtTsKdG7lXM78ViQL7vAzhhXDRxFeF+zQlzoNA+eMGcd4ICj53VARkzzupx9iUXd/1gXZJcJOc+PMzhbV01YtHteUUVt9+jSNqo3SkDOsWzMCBlEJ4q8rdYK3P1NDof4OWez9QTeo2afnfB3l7a3JRLSlm62ZPhu7SKkwtx1RkBEDJphuz/7R25oADZ9KuJiDnju/Dr1QywIicyL5O899D47j0C7d+1ZVv9i+Y8bzYpIs1La3J1GMxhd8SlVeEHfSaybV30RwX6lXC0fjOkXvvsw==
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: protonvpn-wg-conf
|
||||
namespace: slskd
|
||||
type: Opaque
|
||||
35
apps/soulsync/pvcs.yaml
Normal file
35
apps/soulsync/pvcs.yaml
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: slskd-downloads
|
||||
namespace: slskd
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Gi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: slskd-config
|
||||
namespace: slskd
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 2Gi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: soulsync-data
|
||||
namespace: slskd
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 2Gi
|
||||
83
apps/soulsync/route.yaml
Normal file
83
apps/soulsync/route.yaml
Normal file
|
|
@ -0,0 +1,83 @@
|
|||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: slskd
|
||||
namespace: slskd
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: shared-edge-gateway
|
||||
namespace: cilium-ingress
|
||||
hostnames:
|
||||
- slskd.local.gwg313.xyz
|
||||
- slskd.gwg313.xyz
|
||||
- slskd.zerotier.gwg313.xyz
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
backendRefs:
|
||||
- group: ""
|
||||
kind: Service
|
||||
name: slskd
|
||||
port: 80
|
||||
weight: 1
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1beta1
|
||||
kind: ReferenceGrant
|
||||
metadata:
|
||||
name: allow-gateway-to-slskd
|
||||
namespace: slskd
|
||||
spec:
|
||||
from:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
namespace: cilium-ingress
|
||||
to:
|
||||
- group: ""
|
||||
kind: Service
|
||||
name: slskd
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: soulsync
|
||||
namespace: slskd
|
||||
spec:
|
||||
parentRefs:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
name: shared-edge-gateway
|
||||
namespace: cilium-ingress
|
||||
hostnames:
|
||||
- soulsync.local.gwg313.xyz
|
||||
- soulsync.gwg313.xyz
|
||||
- soulsync.zerotier.gwg313.xyz
|
||||
rules:
|
||||
- matches:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
backendRefs:
|
||||
- group: ""
|
||||
kind: Service
|
||||
name: soulsync
|
||||
port: 80
|
||||
weight: 1
|
||||
---
|
||||
apiVersion: gateway.networking.k8s.io/v1beta1
|
||||
kind: ReferenceGrant
|
||||
metadata:
|
||||
name: allow-gateway-to-soulsync
|
||||
namespace: slskd
|
||||
spec:
|
||||
from:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
namespace: cilium-ingress
|
||||
to:
|
||||
- group: ""
|
||||
kind: Service
|
||||
name: soulsync
|
||||
27
apps/soulsync/service.yaml
Normal file
27
apps/soulsync/service.yaml
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: slskd
|
||||
namespace: slskd
|
||||
spec:
|
||||
selector:
|
||||
app: slskd
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 5030
|
||||
type: ClusterIP
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: soulsync
|
||||
namespace: slskd
|
||||
spec:
|
||||
selector:
|
||||
app: slskd
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
type: ClusterIP
|
||||
45
apps/soulsync/storage.yaml
Normal file
45
apps/soulsync/storage.yaml
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
metadata:
|
||||
name: slskd-music-pv
|
||||
spec:
|
||||
capacity:
|
||||
storage: 10Gi
|
||||
volumeMode: Filesystem
|
||||
accessModes:
|
||||
- ReadWriteMany # Elevated for SoulSync
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
storageClassName: manual
|
||||
nfs:
|
||||
path: /mnt/tank/media/music
|
||||
server: truenas.local.gwg313.xyz
|
||||
claimRef:
|
||||
namespace: slskd
|
||||
name: slskd-music
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: slskd-music
|
||||
namespace: slskd
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
storageClassName: manual
|
||||
volumeName: slskd-music-pv
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
||||
---
|
||||
# New PVC for SoulSync's internal database/state
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: soulsync-config
|
||||
namespace: slskd
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 2Gi
|
||||
Loading…
Add table
Add a link
Reference in a new issue