fix: move Kavita & Komga to media ns for shared PVC

kube/clusters/biohazard/flux/kustomization.yaml

@@ -68,6 +68,7 @@ resources:
   # - ../../../deploy/apps/renovate/
   # - ../../../deploy/apps/kubevirt/
   - ../../../deploy/apps/default/
+  - ../../../deploy/apps/authentik/
   - ../../../deploy/apps/whoogle/
   - ../../../deploy/apps/searxng/
   - ../../../deploy/apps/cyberchef/
@@ -76,8 +77,9 @@ resources:
   - ../../../deploy/apps/minecraft2/
   - ../../../deploy/apps/sandstorm/
   - ../../../deploy/apps/jellyfin/
-  - ../../../deploy/apps/kavita/
-  - ../../../deploy/apps/authentik/
+  - ../../../deploy/apps/media/
+  - ../../../deploy/apps/media/kavita/
+  - ../../../deploy/apps/media/komga/
   - ../../../deploy/apps/kanidm/
   #- ../../../deploy/apps/syncthing/ # TODO: re-add once fixed up
   - ../../../deploy/apps/excalidraw/
@@ -129,7 +131,6 @@ resources:
   - ../../../deploy/apps/radicale/
   - ../../../deploy/apps/immich/
   - ../../../deploy/apps/kromgo/
-  - ../../../deploy/apps/komga/
   - ../../../deploy/apps/blocky/
   - ../../../deploy/apps/cryptpad/
   - ../../../deploy/vm/_kubevirt/

kube/deploy/apps/media/_deps/app/pvc.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "media-bulk"
+  namespace: &app "media"
+  annotations:
+    description: "PVC for bulk media storage."
+  labels:
+    app.kubernetes.io/part-of: *app
+    snapshot.home.arpa/enabled: "true"
+    kustomize.toolkit.fluxcd.io/prune: "Disabled"
+spec:
+  storageClassName: "file-ec-2-1"
+  accessModes: ["ReadWriteMany"]
+  resources:
+    requests:
+      storage: "200Gi"

kube/deploy/apps/media/_deps/ks.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: media-1-deps
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/part-of: "media"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/apps/media/_deps/app
+  targetNamespace: "media"
+  dependsOn:
+    - name: media-data-pvc
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: media-data-pvc
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/part-of: "media"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/core/storage/volsync/template
+  targetNamespace: "media"
+  dependsOn:
+    - name: 1-core-storage-volsync-app
+    - name: 1-core-storage-rook-ceph-cluster
+  postBuild:
+    substitute:
+      PVC: "media-data"
+      SIZE: "200Gi"
+      SC: &sc "file"
+      SNAP: *sc
+      ACCESSMODE: "ReadWriteMany"
+      RUID: &uid "6969"
+      RGID: *uid
+      RFSG: *uid

kube/deploy/apps/kavita/ns.yaml → kube/deploy/apps/media/_deps/ns.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: kavita
+  name: media
   labels:
     kustomize.toolkit.fluxcd.io/prune: disabled
     pod-security.kubernetes.io/enforce: &ps baseline # NFS pod-level volumeMount

kube/deploy/apps/kavita/app/hr.yaml → kube/deploy/apps/media/kavita/app/hr.yaml

@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: &app kavita
-  namespace: *app
+  namespace: media
 spec:
   interval: 5m
   chart:
@@ -23,7 +23,6 @@ spec:
           labels:
             ingress.home.arpa/nginx-internal: "allow"
             egress.home.arpa/internet: "allow" # metadata fetching
-            tailscale.com/expose: "true"
         containers:
           main:
             image: &img
@@ -54,7 +53,7 @@ spec:
         primary: true
         className: "nginx-internal"
         hosts:
-          - host: &host "${APP_DNS_KAVITA}"
+          - host: &host "${APP_DNS_KAVITA:=kavita}"
             paths: &paths
               - path: /
                 pathType: Prefix
@@ -63,29 +62,32 @@ spec:
                   port: http
         tls:
           - hosts: [*host]
-      tailscale:
-        enabled: true
-        primary: true
-        className: "tailscale"
-        hosts:
-          - host: &host "${APP_DNS_TS_KAVITA}"
-            paths: *paths
-        tls:
-          - hosts: [*host]
     persistence:
       config:
         enabled: true
         existingClaim: "kavita-config"
         globalMounts:
           - path: "/kavita/config"
-      media:
+      nas:
         enabled: true
         type: nfs
         server: "${IP_TRUENAS}"
         path: "${PATH_NAS_MEDIA}"
+        globalMounts:
+          - path: "/nas"
+            readOnly: true
+      media:
+        enabled: true
+        existingClaim: "media-data" # VolSync
         globalMounts:
           - path: "/media"
             readOnly: true
+      bulk:
+        enabled: true
+        existingClaim: "media-bulk" # no backups
+        globalMounts:
+          - path: "/bulk"
+            readOnly: true
       backups:
         enabled: true
         type: nfs
@@ -107,11 +109,11 @@ spec:
       enableServiceLinks: false
       securityContext:
         runAsNonRoot: true
-        runAsUser: &uid ${APP_UID_KAVITA}
+        runAsUser: &uid ${APP_UID_KAVITA:=1000}
         runAsGroup: *uid
         fsGroup: *uid
         fsGroupChangePolicy: "Always"
-        supplementalGroups: [6969]
+        supplementalGroups: [6969] # NAS
         seccompProfile: { type: "RuntimeDefault" }
       topologySpreadConstraints:
         - maxSkew: 1

kube/deploy/apps/kavita/ks.yaml → kube/deploy/apps/media/kavita/ks.yaml

@@ -9,8 +9,8 @@ metadata:
 spec:
   commonMetadata:
     labels: *l
-  path: ./kube/deploy/apps/kavita/app
-  targetNamespace: "kavita"
+  path: ./kube/deploy/apps/media/kavita/app
+  targetNamespace: "media"
   dependsOn:
     - name: kavita-pvc
 ---
@@ -25,7 +25,7 @@ spec:
   commonMetadata:
     labels: *l
   path: ./kube/deploy/core/storage/volsync/template
-  targetNamespace: "kavita"
+  targetNamespace: "media"
   dependsOn:
     - name: 1-core-storage-volsync-app
     - name: 1-core-storage-rook-ceph-cluster

kube/deploy/apps/komga/kustomization.yaml → kube/deploy/apps/media/kavita/kustomization.yaml

@@ -2,5 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ns.yaml
   - ks.yaml

kube/deploy/apps/komga/app/es.yaml → kube/deploy/apps/media/komga/app/es.yaml

@@ -4,7 +4,7 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: &name komga-secrets
-  namespace: komga
+  namespace: media
 spec:
   refreshInterval: 1m
   secretStoreRef:

kube/deploy/apps/komga/app/hr.yaml → kube/deploy/apps/media/komga/app/hr.yaml

@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
   name: &app komga
-  namespace: *app
+  namespace: media
 spec:
   interval: 5m
   chart:
@@ -65,7 +65,7 @@ spec:
       main:
         className: nginx-internal
         hosts:
-          - host: &host "${APP_DNS_KOMGA}"
+          - host: &host "${APP_DNS_KOMGA:=komga}"
             paths: &paths
               - path: /
                 pathType: Prefix
@@ -74,13 +74,6 @@ spec:
                   port: http
         tls:
           - hosts: [*host]
-      tailscale:
-        className: tailscale
-        hosts:
-          - host: &host "${APP_DNS_TS_KOMGA}"
-            paths: *paths
-        tls:
-          - hosts: [*host]
     persistence:
       config:
         type: secret
@@ -103,6 +96,16 @@ spec:
         globalMounts:
           - path: /nas
             readOnly: true
+      media:
+        existingClaim: "media-data" # VolSync
+        globalMounts:
+          - path: "/media"
+            readOnly: true
+      bulk:
+        existingClaim: "media-bulk" # no backups
+        globalMounts:
+          - path: "/bulk"
+            readOnly: true
     defaultPodOptions:
       automountServiceAccountToken: false
       enableServiceLinks: false
@@ -111,10 +114,11 @@ spec:
           hostnames: ["${APP_DNS_AUTHENTIK}"]
       securityContext:
         runAsNonRoot: true
-        runAsUser: &uid ${APP_UID_KOMGA:=1000}
+        runAsUser: &uid ${APP_DNS_KOMGA:=1000}
         runAsGroup: *uid
         fsGroup: *uid
         fsGroupChangePolicy: Always
+        supplementalGroups: [6969] # NAS
         seccompProfile: { type: "RuntimeDefault" }
       topologySpreadConstraints:
         - maxSkew: 1

kube/deploy/apps/komga/ks.yaml → kube/deploy/apps/media/komga/ks.yaml

@@ -9,8 +9,8 @@ metadata:
 spec:
   commonMetadata:
     labels: *l
-  path: ./kube/deploy/apps/komga/app
-  targetNamespace: "komga"
+  path: ./kube/deploy/apps/media/komga/app
+  targetNamespace: "media"
   dependsOn:
     - name: komga-pvc
 ---
@@ -25,14 +25,14 @@ spec:
   commonMetadata:
     labels: *l
   path: ./kube/deploy/core/storage/volsync/template
-  targetNamespace: "komga"
+  targetNamespace: "media"
   dependsOn:
     - name: 1-core-storage-volsync-app
     - name: 1-core-storage-rook-ceph-cluster
   postBuild:
     substitute:
       PVC: "komga-data"
-      SIZE: "200Gi"
+      SIZE: "10Gi"
       SC: &sc "file"
       SNAP: *sc
       ACCESSMODE: "ReadWriteMany"

kube/deploy/apps/media/komga/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ks.yaml