re add navidrome

Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-05 23:21:02 +00:00 · 2026-05-17 15:23:30 -04:00 · 2026-05-17 15:23:30 -04:00 · adc6cdb0bc
commit adc6cdb0bc
parent 0b69038d79
14 changed files with 44 additions and 1 deletions
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - forgejo
+  - navidrome
--- a/apps/navidrome/configmap.yaml
+++ b/apps/navidrome/configmap.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: navidrome-config
+  namespace: navidrome
+data:
+  ND_SCANSCHEDULE: "1h"
+  ND_LOGLEVEL: "info"
+  ND_SESSIONTIMEOUT: "24h"
+  ND_BASEURL: ""
+  ND_DEVACTIVITYPANEL: "false"
--- a/apps/navidrome/deployment.yaml
+++ b/apps/navidrome/deployment.yaml
@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: navidrome
+  namespace: navidrome
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: navidrome
+  template:
+    metadata:
+      labels:
+        app: navidrome
+    spec:
+      containers:
+        - name: navidrome
+          image: deluan/navidrome:pr-5495
+          ports:
+            - containerPort: 4533
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+            limits:
+              cpu: "1000m"
+              memory: "512Mi"
+          envFrom:
+            - configMapRef:
+                name: navidrome-config
+            - secretRef:
+                name: navidrome-secrets
+          volumeMounts:
+            - mountPath: /data
+              name: navidrome-data
+            - mountPath: /music
+              name: navidrome-music
+              readOnly: true
+      volumes:
+        - name: navidrome-data
+          persistentVolumeClaim:
+            claimName: navidrome-data
+        - name: navidrome-music
+          persistentVolumeClaim:
+            claimName: navidrome-music
--- a/apps/navidrome/iscsi-secrets-sealed.yaml
+++ b/apps/navidrome/iscsi-secrets-sealed.yaml
@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: navidrome-iscsi-auth
+  namespace: navidrome
+spec:
+  encryptedData:
+    discovery.sendtargets.auth.password: AgBYZfb/V7zmafu5+HmTwRAyKh3CySd/G4y7JEqkKcY2D4clIQCwvygtBPyyYSNfVkd9akUeF3ZM8N7LY9kYIq+aPQ4b23Hg0HOPJikMkjeQbE186cE0MxPi9jvZGxMWUue2L6IgWAZy7OHqNBYQArOaRv0RpAMeNyfOwWYUToPwDO16S82igE09V1lXukxsNx3EwH12ypSHNabqjBJ6SSZdKgnKaPykxpDLrgear4KRiVJYlNFDjmIWP7taOP5m/Dut+f39IARh5xkimAaVW8FyCRjQO4Pk9aXOV/2XPdtjdlEw2lxAq/+EZMcbnY47RNDvKT6307t5RITIBG8Zk0OLRNitczk9nS9sMtakkv2hOOO7cTMuhHH52t7ZI2QQDvTeLuv9o26rY5JGFC3tQqwcdCw6u+1Hy6El1SqTN3JOmnDXEVJiQrZvpNZCoycQONho97qpygm1/s9Xik9FcmM4UK9GGi64AH+vAAinpZXcnKEvRxGkHW+1snoXcbLBU1W4ew1Fyih/rp74Tz6Ic+JnVvESG3YZas+q4hmQwwPnRhg9K7rswqtqhHrzhe77SEULvZBCBM64pFA+/ZwWeUMvuGuESSybL3YtEBMwotW6XmD5OgaDRQac0ngjPVr0vYuKUC0kT351oQlaTc90H2C6KXFfkPcaZgwyGXwnhoJxE6766BwBEhtzxPOeHBFrhwHTkijQ/VuaMx47cCcLAY9r
+    discovery.sendtargets.auth.username: AgAnqVjPTeBOB6jZMP523a3yjD358MLaVfWtncFtkd1NgeoZkg7slaICcFYLCyFbanTv4D9epcXEA4QDYYRgXB+LsgH5znIYbQAHWlBomVspq9ccARvRqgCgEj4/vpnw97QRGkRZ44o/FVa5qYOTzPv4ILthdpQjAeApeGwZsXb5Xaj9dAG7oc79sledE2RIA/ddyd5t/VthV8QE9u7JXwmXmb5QqhsbNT17LXSvIvJVkmZYvkzfikjFIoXN7CSmtx74ei+WSQNKObDJldRP5RQTkROnEBd3rb/ZylQzoLxQ2F3W7PsneXKco0jquzJC2fIC/SfoDQA2+NHa8sb0VObX6OJN0DTqW1tfkZi6FF7t+bK++55j8V5QaAdBHewgU8b/8d+PJ2Gv9n+oFXxcvntnFyOEX9nhwAOhjwssacuqIOmoxl8M9vtM+1RQLmZ6cYdDYVCij87svFZsHKCdaZHx5raz+DlkmvdSecd7Xe74VOzNgekaUC8ZzawfC41pFf3bFjNDZ+V4ZLwRM4l4AMqTsIVscRtIoj0iP+TcPn+XxirlN0wC9X4B77URd3dDzhqdZUaCDu9e664E1rAQZxP3eLF6pyy3n33tMVD5ySMBDLI2JG6Ns7P/n8rwc+ORr82vfF3ZeBFddC7johTwGj7/wiVmJQph/1t+N9J5q4CKtV24lGGGaq1WfBjzqwJqLWJD6/IX7mUR46o=
+    node.session.auth.password: AgCWDzgAOVvCvNmQgPBN9wWrfr1h2xgE75VQ4fFGOrFBTKd34sA1EzpvObNwIPO8woyB09J7PD/9UP9FInPI3CcmvVswJWuL4jfQGAUTNu5L0lpTdnSzSj6mLAGi78DKcxK20Fe/FHgjXNeSxSF4DUFvOOCxsfn8yWc060qBQC5MclRcHqHrU0W4MQiWBRK6KBWEuUIm31F+i0OyhybKUI+mB6ocWqvGKDUHBzZ7qc7OPFk/OWwV7wdzBF6pVeCazDVaakdi5qdyzxaQBe2CVeAOCu2ZwVjY7/9eqdsEsK4curxtRLqE34/XSuA2VBUC6dp/FV/L1C9WZZ7Xm067Ng23nPFJNH7XRs4xZgDGa6QCl8pEpDGX16LddzARscfHI4svZAVdgrFocfGejCCw/Q3DIVUr3eLl+pi38MUCG5qbVtDlDpBR4D6wXkQfwCAgvUCE+9GOReh56vUFX6guXU0Fq7ottYV+/lZ2TIiZrHMN82l16OGNZ6pvjo7j5POPHdPwEpqzGNeU8zte7al2984gu5p57Lx5BHf4A9FZVQNEeyNt60Ro7T65JEqBogVapuc1PuxKJBmAznvDpZNskNzkSNOcuv3QA+j6aLXhwfHqWC3aW7sK0uFjC3QMTz2FOloRR0x9vZ8d5pXNzps6NMPYM5J22tf03fL4YXeASSjwddinHOH7ZicUHXjktcO/lfkIW7E/e1IsXiDbMeTOdujQ
+    node.session.auth.username: AgCJX7DYpD6b9VZT6SyZGbarzuoskz4gFebcipAxnSL8+BRvRmJZzYKLDGWLCpGmO7/ZmpjShERvoRNNHrZ0RoNEmciiMy7IO3FWmYdHA7r2fY5TVc5fIgzPo0xUP7yUWe+RRA3/nYfQg3lIq7Vmd5XTzxjbQb7l1B+URwDvYjicQZgOxOncMvlomnl22Ash5a90yeIWHTCuJqzYF+EQWUMUZHhXWgPjzWOHicoOVwQ0Wiu6kVmOH+gUfx9PC9h9QpwuOKHIxQFO9OBpyJxufDZ7Z0SsGw6bsA78YJsI0Gq7de2V+wk6ZHIvs/H0+E3tyWzWldfaJo4JI2gPYZZQ4yJthqt3XMbm+w+hAALI++nVjROo3GNmzw725hnSRH82FcK2ZGGhgBJTqwFjN8vol0JPRQvaZhPdJXCDE4Hmx61ldUlJq1tu54KcDnfKb7H+GtCw+GwdwDEVtsSy15OhvIb47DGXprhl3I4R3NqTRMVXPyehrhaq8K8QAIJX1Y+QfePbgnXX2Gk92V8vpArrRA9yL9kuzKWoUaAc9B4BWMj7dNOT/p38sdK7CHNZ/41c+uljss+XcSFay2XIDmlt6mly684IPNH0yyPZ2wl/LT88ObtvRvNXXMoqc4wa4tsxnV3GMj/Uzx/8itnXlQ3/+lituXVev1SaxEmoksK5tCZ4v/qyHQRqnzhDkE/6C7lXjK5Q26UkwW+71wY=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: navidrome-iscsi-auth
+      namespace: navidrome
+    type: kubernetes.io/iscsi-chap
--- a/apps/navidrome/kustomization.yaml
+++ b/apps/navidrome/kustomization.yaml
@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - pv.yaml
+  - pvc.yaml
+  - iscsi-secrets-sealed.yaml
+  - navidrome-secrets-sealed.yaml
+  - configmap.yaml
+  - network-policy.yaml
+  - deployment.yaml
+  - service.yaml
+  - route.yaml
--- a/apps/navidrome/namespace.yaml
+++ b/apps/navidrome/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: navidrome
--- a/apps/navidrome/navidrome-secrets-sealed.yaml
+++ b/apps/navidrome/navidrome-secrets-sealed.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: navidrome-secrets
+  namespace: navidrome
+spec:
+  encryptedData:
+    ND_LASTFM_APIKEY: AgCjnGsru3lcSOXWXAFnC2sxT6FY1MDOJD5hsTPEXsC4bQ9BNvmFwOhLzovTzTTd0SR9TOHlWibnWB8/tyzVsPcktBbKI1HaWH95EnFlG13gOtzMnl7jXf2qPD2LsRKukAivt4FxWIijyOHqss4Ct3Vea6XELJVC7nemmbl9tj9YVaceDWLX1oWYRLbNTqG4we4yV/06KerTQIyafbGQP/nkLhAYkJBf1mgYpKOe1vAah3m+sP9Q1LO25BNstxUASIlloFEYx3T1e8HnWUemZPLHTJNEhjoE8C9d8ULiCOQL9nQR2mYgv6YQuYRIb6CKXoc43GHemqRwJlGJeslZL3u7k27kFcsArU6XlMTNSZHZKmW0Yd0rQTNVd3DJMs+9YZ0s8DGRiGtZyK2R/LCNNnckp+TDHcWV4ivfhN2aFbgmHc1Coea5Og5f2lOf97VnIIgKgejAFbDzr4PRM1XqDFRPV7B7+iiyDDZuAeys4C/QQD2ZaBJuV3B5TR8ZkHgh+bDpkQ/5MhNY6t26dVTAIZfsBo6vRilH7ppryLXfTuAOdh8ojpqpCUUoSxqGc2IIXNoD/zKJpOJhsR5B4JOF2NbFLCDf7kSBkC8JvoG3CPti7tht3ziM5WrDMbi5+BXgTC+U9EES0yBSfvrS4dO+TntKbk+igchYdhEsDZ2Hi810o9RLnW6IjLjUWy1yYawsKgHmcuQ7+6dR5gNkvM5kZ3l+mA7BmQZttwmmKX9M52C7Yg==
+    ND_LASTFM_SECRET: AgBdSpMRmm/YeUslT4eBa12ZzGwAaBgZuPsGxeCGsAq2MaU1nnvllOa4YKULdSSI6bwavBM/JGE4EE+eUzCRa9kED0+pSocOZLFCdKEvVrLvcp5UbaoFdhpG0AQeuyB2DXEJsmgqXjPoA4WdeAB+k9HRdOZR61Cx9UJXvltF9X3n07E4Zehyxuz0d1FEnfDI1FYst9EYIm8DhE7CZGib9ygH5WN4GItFgB//za2EtKnnlo5DZWl5BPn5dHYa7dIxZx4k7sNQx3sUW85HhCPKCoYufILCsSxCTXV0QSBkhRrkO+uJPIcSlYgK6es/Tq7L64Jh0ow/4cRJ9TankfzdsA/zy8bKx/OZMuEqiffHxgHZOW5gB1pVLENdUkY7xOIitEPQEbuE4pgxdmMkpFvT/o2mdw/MDJxbl3WrbLxZyvoaqxOotVp4RvGI5EpwwHAKnQfdnoLM7iB75l0I52wLYKLqyLXIz3+F9h3Zvou9xiHO+s2OlMKcgSt1c4bHta12o5ZTrFpBfsYTpVQ8V3AdSzNe81q5Id+sNMO81XtluMvDlAtRTqlqGWBden4FlBWMBGUjssJba1JJThzyqCXd44vVqtajv2a0BExI5MKLnRY1ZigHEm38qNSYo2GllfDUaPWzJUcZSKiKCDVO/D8c5dBwf6nerkM4kbXGvLIbDWfVx80BzI6kKl6vTNWym7CokeZwDSJ3Mu1dFNnu/fFg5qQ/XzOGxH8L1A9nsv6IqXxFkA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: navidrome-secrets
+      namespace: navidrome
+    type: Opaque
--- a/apps/navidrome/network-policy.yaml
+++ b/apps/navidrome/network-policy.yaml
@ -0,0 +1,149 @@
+# ----------------------------------------------------
+# Default deny (namespace baseline)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: default-deny
+  namespace: navidrome
+spec:
+  endpointSelector: {}
+  ingress: []
+  egress: []
+
+---
+# ----------------------------------------------------
+# Ingress only from Gateway API
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: navidrome
+spec:
+  endpointSelector:
+    matchLabels:
+      app: navidrome
+
+  ingress:
+    - fromEntities:
+        - ingress
+      toPorts:
+        - ports:
+            - port: "4533"
+              protocol: TCP
+
+---
+# ----------------------------------------------------
+# DNS (required)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns
+  namespace: navidrome
+spec:
+  endpointSelector:
+    matchLabels:
+      app: navidrome
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: ANY
+          rules:
+            dns:
+              - matchPattern: "*"
+
+---
+# ----------------------------------------------------
+# Spotify API access (album art, metadata)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-spotify
+  namespace: navidrome
+spec:
+  endpointSelector:
+    matchLabels:
+      app: navidrome
+
+  egress:
+    - toFQDNs:
+        - matchName: api.spotify.com
+        - matchName: i.scdn.co
+        - matchName: accounts.spotify.com
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+---
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-navidrome
+  namespace: navidrome
+spec:
+  endpointSelector:
+    matchLabels:
+      app: navidrome
+
+  egress:
+    - toFQDNs:
+        - matchPattern: "*.navidrome.org"
+        - matchName: navidrome.org
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+
+---
+# ----------------------------------------------------
+# Last.fm API access (metadata, scrobbling, images)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-lastfm
+  namespace: navidrome
+spec:
+  endpointSelector:
+    matchLabels:
+      app: navidrome
+
+  egress:
+    - toFQDNs:
+        - matchName: ws.audioscrobbler.com
+        - matchName: lastfm.freetls.fastly.net
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+
+---
+# ----------------------------------------------------
+# OPTIONAL: unrestricted HTTPS egress (disabled)
+# ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+#   name: allow-all-egress
+#   namespace: navidrome
+# spec:
+#   endpointSelector:
+#     matchLabels:
+#       app: navidrome
+#
+#   egress:
+#     - toEntities:
+#         - world
+#       toPorts:
+#         - ports:
+#             - port: "443"
+#               protocol: TCP
--- a/apps/navidrome/pv.yaml
+++ b/apps/navidrome/pv.yaml
@ -0,0 +1,42 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: navidrome-data-pv
+  namespace: navidrome
+spec:
+  capacity:
+    storage: 20Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz:3260
+    iqn: iqn.2005-10.org.freenas.ctl:navidrome
+    lun: 0
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: navidrome-iscsi-auth
+  claimRef:
+    namespace: navidrome
+    name: navidrome-data
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: navidrome-music-pv
+  namespace: navidrome
+spec:
+  capacity:
+    storage: 10Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadOnlyMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  nfs:
+    path: /mnt/tank/media/music
+    server: truenas.local.gwg313.xyz
--- a/apps/navidrome/pvc.yaml
+++ b/apps/navidrome/pvc.yaml
@ -0,0 +1,29 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: navidrome-data
+  namespace: navidrome
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: manual
+  volumeMode: Block
+  volumeName: navidrome-data-pv
+  resources:
+    requests:
+      storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: navidrome-music
+  namespace: navidrome
+spec:
+  accessModes:
+    - ReadOnlyMany
+  storageClassName: manual
+  volumeMode: Filesystem
+  volumeName: navidrome-music-pv
+  resources:
+    requests:
+      storage: 10Gi
--- a/apps/navidrome/route.yaml
+++ b/apps/navidrome/route.yaml
@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: navidrome
+  namespace: navidrome
+spec:
+  parentRefs:
+    - name: shared-edge-gateway
+      namespace: cilium-ingress
+
+  hostnames:
+    - "music.local.gwg313.xyz"
+    - "music.gwg313.xyz"
+    - "music.zerotier.gwg313.xyz"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: navidrome
+          port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-navidrome
+  namespace: navidrome
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: cilium-ingress
+  to:
+    - group: ""
+      kind: Service
+      name: navidrome
--- a/apps/navidrome/service.yaml
+++ b/apps/navidrome/service.yaml
@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: navidrome
+spec:
+  selector:
+    app: navidrome
+  ports:
+    - name: http
+      port: 80
+      targetPort: 4533
+  type: ClusterIP