add audiobookshelf

Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-05 23:21:02 +00:00 · 2026-05-19 12:25:02 -04:00 · 2026-05-19 12:25:02 -04:00 · d8e2543152
commit d8e2543152
parent bbbb96bd6a
25 changed files with 110 additions and 331 deletions
--- a/apps/audiobookshelf/deployment.yaml
+++ b/apps/audiobookshelf/deployment.yaml
@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: audiobookshelf
+  namespace: audiobookshelf
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: audiobookshelf
+  template:
+    metadata:
+      labels:
+        app: audiobookshelf
+    spec:
+      containers:
+        - name: audiobookshelf
+          image: ghcr.io/advplyr/audiobookshelf:2.35.0
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          env:
+            - name: TZ
+              value: "America/Toronto"
+          
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 1000m
+              memory: 1Gi
+
+          volumeMounts:
+            - name: audiobooks-volume
+              mountPath: /audiobooks
+            - name: podcasts-volume
+              mountPath: /podcasts
+            - name: config-volume
+              mountPath: /config
+            - name: metadata-volume
+              mountPath: /metadata
+      volumes:
+        - name: audiobooks-volume
+          persistentVolumeClaim:
+            claimName: audiobookshelf-audiobooks
+        - name: podcasts-volume
+          persistentVolumeClaim:
+            claimName: audiobookshelf-podcasts
+        - name: config-volume
+          persistentVolumeClaim:
+            claimName: audiobookshelf-config
+        - name: metadata-volume
+          persistentVolumeClaim:
+            claimName: audiobookshelf-metadata
--- a/apps/audiobookshelf/iscsi-secrets-sealed.yaml
+++ b/apps/audiobookshelf/iscsi-secrets-sealed.yaml
@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: audiobookshelf-iscsi-auth
+  namespace: audiobookshelf
+spec:
+  encryptedData:
+    discovery.sendtargets.auth.password: AgBVapcyRSYuizQmF6FZbr3m2wkNj0jIoWIqq1zJJtQdoSVfc9GlTzTF4VI+196k27iHtRVVkRqvIsCNxj7B8iirUMpstXyLmZ0GNcK5hMebeoH9hf2YFL2ZcnVrBxVKoFC+kJVhZZBjCiZ/IAU9wopeKIChKh/X08FuZeQkOKGs7P/2hgpLzi6TlFMpvmJC/ssX/MZzjUWSPwryGCbsJy02k7b7FFrX0K3O+5RTpCeySaAr0M/WHIM8sRgt926sJ5ltpylPS3WOsT75meYknK1TiSe+y6xW7OE517uE3Za6HGZF3wFmy+3DXzJh/Cc4Z2713aQyGJ1sZPSTXmpoaN0ffF3coUQrRj5rCE66FVIHm83b7fBjn2IQi86Ivoyuk7COWsDKn0FqA6VS1zqMhAHpPHxWxaeSofMtxZkwRlFz8uaQRqfnv9+bXz1OYvHpmeWw4EiulC1r63yUXreCLcIV+5IEBft+Y0JXpacIaAsrP+mOxrdXAie+hOsNcg7/IKBCsxatwtNMQIyPWstUI3dZiv4BjpXNOgdx/wjptKkXfcg436GXVzsMVuTP7a4iotN6T1WrazcrexQMEpGcLAlnhQRKx2CehgFDNeAPVn9g257Yz4tXuG+iQ6wTyq3PJBBxS59AVYMSn+3w2oMYlkhDjPzET/FRjNc+kyzmpl3evaoSDyEtirRyOlMyvyTUOvSPN1HPZw61RNeUo4wX8yrV
+    discovery.sendtargets.auth.username: AgAqjHR5K62VZpVb0oXwkgi0UXVLmgEBjxLpNX+eTvU54BGDfvaUhxbDJmb7SDQFZ5PKyQUXqmJTQpSQ0lJbK9Vhrr8rBjmseFuLdhT6AzFtRqLTIG4W9IL4VPEjhepW6tKRukqU19Z9F1Mha1VCc82uH2OuIni0Gux5+H8OrkdduKrtpCIiQK1cK3q6xqlHmpPnwEt23xnbtDqwYz9d5lA6T0xIahNm+N925e7tMm9GwKSWQA1smqPc6eH1DZwg8wUCNXn3h+HvB5l0ElTMSNtwUA/mcYeJRfPrXVQVlKcch5RqunWyWfiJBc042V/yjhIEs2YGlMsRu9YxKc+8W0AioBSvaJZmjSWJvk6/Zh2tUqPbcoc//dH5ackfwul5ZO3CB7yyiT9naiM6sFCKriMs1tu92sF8r4zKl9gXJboTCcrCUt2nKf9Dd+xB2NM3xFjMsTdHVQaQJiL6UbSoKObU2TD6IEQVALvb2wE/kjpSq3rw/tLc72nac6qripOuIKYP2L/4f8WxO63/wWYZ/yUzia2RfDhz4iGGF7dNHxsDfMwdZCP2HNjLlX+k6/oIPjKjSvcZxahrAUY6RNfTJlOvvwr6tLZwHoUq+bqgSOZ3Bcr0hvNBIbnXpWpof3wvr6RT+F7Tb08FWFF8ceRYmUYxRpacVrXJgCHE20LY1IVJdkt9/oxCmN797Atc8eUYxvESc1evUA7nW5TdptGAWQ==
+    node.session.auth.password: AgBsc+wtPsGHkMfe6UQC92K9cEtUbsKw92lxbp2Ix0cGNJ5Ufhysq4VUOsXwItY/NfOXN1JAps1J4ZjCcW64dMpP2Tq9rLNMjvlsvFMHfPZ7zkDstFo55c5cAjvBLou9zc8PRMOoVftg3FUXYP+h4ZFZ4R3002TXeN7uV5KG1cfcuI2HuwHHTwtXvevHOBdp3JAN4MMIvA69wo0kr7Ef+LIBCbIXKer/gjDOQsdaffpagGNf5blvyTeky7ySnYhyQwUi7W6AG56HtV5KureTsBalD4+aGa6SChQt4D2LMAwLQg2pvwrpnUvanAZg7PWvkBdSb6Q18Jxf0OPtG5Q3CkRwdT/MXMvPlZEua7j5wh13aU9lCPeyvPl+96Uhbq8eaSLMjTjIEVs8gLE6Jfv5o0WEexu87AmtVhza+IDK/F/fHQys9y1eDD4SRhoeMV6YRWostquJalt5dUP3olaOGh2gZ5eocXKI7ekVC0O/wWKPNpxPNqN6Hh4+2SCvAySOdizMvD7MRjzKX4wqNZUfAFlaamGFcyKg7otQSMeNwNDFWheJinWTNleUAKUZVsHhYIYKppLwitjvIrqO2cDD2Q6o0ZSplYVVyF8Fb9dIbDNhHNGTu5XqJLILKiRUipEN0EiNmcYiBKfpuYtZQltvCsXra/qR2yi0SVAh3M0joovBSCxC3haLJk+X9Gtl5rf3kESjvIEmF3wM1cPmEM5s6faM
+    node.session.auth.username: AgAXJAFwKHInT4nTJY4xSjDTLb2p6OuLhJx3ZABgb8lO1HZx5ny138ChrwkjpYVW3wqimaT50VNQX7pNz0Vt6XvA7HcjKA5OQC8qpsbbkxA16bw6LqXkIHKL3Herkt3izq92R72NgrF8XMfoP6bGIUpLOqeh2bk/S3TzafrduvWyPuxa83dW8VzZ/mosXd+QdZ4gFzWpJ29iwIghzuz8dF0GxXk8Z73c+fWhjMpsyiGXSUbr8CUS2PPbmxGQTTV/m0ewDLlbhtkXo1KBzM5m1nTIPEb7zI6zImXmo6OE7n1PsVXq0d1xnuMqZ55436xG6dFqwxd0m+SGHRLBDJDHMplaxms099Lot4TCZ3I5ZnFZ5+eTqbAU7dmBmSxqkBL0VEy+9XCV+lyBHKDvch/mQEe51sJIh1pkQ8G7j/Ni79j/t6+oMLv+8lee6cSrtqKtHVUwbIAzNc9TF8XrEZ+/5MFOkDgD93JyFhjY4zsqYWpPWvYo9Kjl+Y5ge+7pQxOIHPN5oIUeH23Zb5LDJt3tsz8FSH2a0Y/LcQkg1XdKI4r5aZbNyufqmDfKn5jPpZy+sQQ1KqitvV5wgqzqtaGF2H7trqoZ2YyTwVyIOPp3nCa17cwB8A7NWlGMdIXK19fqUHYYLbrT3IWDwn/k3tKgFhGQCBYk2SaVXslqAxGpsMbKXuwkdCpUd6BPCZ4290kBkreT6CUl7zZbvFrdYy25Aw==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: audiobookshelf-iscsi-auth
+      namespace: audiobookshelf
+    type: kubernetes.io/iscsi-chap
--- a/apps/audiobookshelf/network-policies.yaml
+++ b/apps/audiobookshelf/network-policies.yaml
@ -0,0 +1,62 @@
+# ----------------------------------------------------
+# Ingress only from Gateway API
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: audiobookshelf
+spec:
+  endpointSelector:
+    matchLabels:
+      app: audiobookshelf
+
+  ingress:
+    - fromEntities:
+        - ingress
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+
+---
+# ----------------------------------------------------
+# audible access (cover art, metadata)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-audible
+  namespace: audiobookshelf
+spec:
+  endpointSelector:
+    matchLabels:
+      app: audiobookshelf
+
+  egress:
+    - toFQDNs:
+        - matchName: audible.com
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+# ----------------------------------------------------
+# OPTIONAL: unrestricted HTTPS egress (disabled)
+# ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+#   name: allow-all-egress
+#   namespace: audiobookshelf
+# spec:
+#   endpointSelector:
+#     matchLabels:
+#       app: audiobookshelf
+#
+#   egress:
+#     - toEntities:
+#         - world
+#       toPorts:
+#         - ports:
+#             - port: "443"
+#               protocol: TCP
--- a/apps/audiobookshelf/pvcs.yaml
+++ b/apps/audiobookshelf/pvcs.yaml
@ -0,0 +1,55 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-config
+  namespace: audiobookshelf
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: audiobookshelf-config-pv
+  storageClassName: audiobookshelf-iscsi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-metadata
+  namespace: audiobookshelf
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: audiobookshelf-metadata-pv
+  storageClassName: audiobookshelf-iscsi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-audiobooks
+  namespace: audiobookshelf
+spec:
+  accessModes:
+    - ReadOnlyMany
+  resources:
+    requests:
+      storage: 100Gi
+  volumeName: audiobookshelf-audiobooks-pv
+  storageClassName: audiobookshelf-nfs
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: audiobookshelf-podcasts
+  namespace: audiobookshelf
+spec:
+  accessModes:
+    - ReadOnlyMany
+  resources:
+    requests:
+      storage: 100Gi
+  volumeName: audiobookshelf-podcasts-pv
+  storageClassName: audiobookshelf-nfs
--- a/apps/audiobookshelf/pvs.yaml
+++ b/apps/audiobookshelf/pvs.yaml
@ -0,0 +1,85 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: audiobookshelf-config-pv
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: audiobookshelf-iscsi
+  claimRef:
+    namespace: audiobookshelf
+    name: audiobookshelf-config
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz:3260
+    iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config
+    lun: 0
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: audiobookshelf-iscsi-auth
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: audiobookshelf-metadata-pv
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: audiobookshelf-iscsi
+  claimRef:
+    namespace: audiobookshelf
+    name: audiobookshelf-metadata
+  iscsi:
+    targetPortal: truenas.local.gwg313.xyz:3260
+    iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata
+    lun: 1
+    fsType: ext4
+    readOnly: false
+    chapAuthDiscovery: true
+    chapAuthSession: true
+    secretRef:
+      name: audiobookshelf-iscsi-auth
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: audiobookshelf-audiobooks-pv
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadOnlyMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: audiobookshelf-nfs
+  claimRef:
+    namespace: audiobookshelf
+    name: audiobookshelf-audiobooks
+  nfs:
+    server: truenas.local.gwg313.xyz
+    path: /mnt/tank/media/audiobooks
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: audiobookshelf-podcasts-pv
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadOnlyMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: audiobookshelf-nfs
+  claimRef:
+    namespace: audiobookshelf
+    name: audiobookshelf-podcasts
+  nfs:
+    server: truenas.local.gwg313.xyz
+    path: /mnt/tank/media/podcasts
--- a/apps/audiobookshelf/route.yaml
+++ b/apps/audiobookshelf/route.yaml
@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: audiobookshelf
+  namespace: audiobookshelf
+spec:
+  parentRefs:
+    - name: shared-edge-gateway
+      namespace: cilium-ingress
+
+  hostnames:
+    - "audiobooks.local.gwg313.xyz"
+    - "audiobooks.gwg313.xyz"
+    - "audiobooks.zerotier.gwg313.xyz"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: audiobookshelf
+          port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-audiobookshelf
+  namespace: audiobookshelf
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: cilium-ingress
+  to:
+    - group: ""
+      kind: Service
+      name: audiobookshelf
--- a/apps/audiobookshelf/service.yaml
+++ b/apps/audiobookshelf/service.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: audiobookshelf
+  namespace: audiobookshelf
+spec:
+  selector:
+    app: audiobookshelf
+  ports:
+    - port: 80
+      targetPort: 80