Add jellyfin, add authentik ldap outpost

cluster/apps/authentik/kustomization.yaml

@@ -6,4 +6,5 @@ resources:
 - ./helm-repository.yaml
 - ./helm-release.yaml
 - ./network_policy.yaml
-- ./traefik-middleware.yaml
+- ./traefik-middleware.yaml
+- ./ldap-outpost

cluster/apps/authentik/ldap-outpost/helm-release.yaml

@@ -0,0 +1,68 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik-ldap
+  namespace: authentik
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: ghcr.io/goauthentik/ldap
+      tag: latest
+
+    env:
+      AUTHENTIK_HOST: "http://authentik-server.authentik:9000"
+      AUTHENTIK_INSECURE: "true"
+      AUTHENTIK_HOST_BROWSER: "https://k3sauth.***REMOVED***"
+
+    envFrom:
+      # Sets AUTHENTIK_TOKEN
+      - secretRef:
+          name: ldap-authentik-secret
+
+    service:
+      main:
+        enabled: true
+        ports:
+          # Disable http port
+          http:
+            enabled: false
+
+          ldap:
+            enabled: true
+            primary: true
+            port: 3389
+            targetPort: 389
+            protocol: TCP
+
+          ldaps:
+            enabled: true
+            primary: false
+            port: 6636
+            targetPort: 636
+            protocol: TCP
+
+    probes:
+      liveness:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: false
+
+    resources:
+      requests:
+        cpu: 2m
+        memory: 80Mi
+        
+      limits:
+        memory: 500Mi

cluster/apps/authentik/ldap-outpost/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./ldap-secret.sops.yaml
+- ./helm-release.yaml

cluster/apps/authentik/ldap-outpost/ldap-secret.sops.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: ldap-authentik-secret
+    namespace: authentik
+stringData:
+    AUTHENTIK_TOKEN: ENC[AES256_GCM,data:0AcoH7UyuW9yZPhKffG8SgjpbyEIWGaS4rx9fin3Etpf4YFg7L/ZeP4fxnc1zRFmZVfRQiL1JV559dfv,iv:DYDAATRbToHIElaCMOfU/c4dAUQOZgwEOzs5FZicvNA=,tag:h4vgEr57ufb8k2IGsS4drg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-09T05:33:24Z"
+    mac: ENC[AES256_GCM,data:6Kcv9viNwf+xyhkkXIi/GaKu26dSeAvP1s+IaUR4bEMP3L8vrpZLLZnntl6eUeSiE6M8uW2zEXyydLNbHlLhvp2/160wL/nUML/HsKBLHGeaIthvWahIZIDfX1G8HtnU6vaeVG/b8GsQZjJ1yMAWRI4vgJi5JbTpQG6QTJR6+Sg=,iv:RjXM54Sgbw/uVEjNP+5JZyjmgKGcw/XZ1/ei7TNgVV8=,tag:Oh9D7DfiiQ2Qm1FDIYtlQQ==,type:str]
+    pgp:
+        - created_at: "2023-04-09T05:33:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ/+OJxLqkHHWfoeLQChCMRq0owB8EJ8dcZZrJMS2hydFsIh
+            C/C0QT9RCY9QskAhCHC4MV4W0Nc7VzK3bngbKitd3p5yTeHoKkG8RZv3OwAvzNt0
+            5aN2l9dHU6R9o3xkPemCDvW0+iuP7eIoKShkjRlAVYHnwCBpfUGHl0WqWBdCUZQy
+            dtLblg4SQMMw29yo9h7Wh6o5d9IWJmPlu7p4jOm1oUiS3AMBG1QlBnYTJRwPQRxe
+            mMaMhm0tJtiiUrEXgDl58ski9uy+3VMjMPocCfE03L4n5gOmXH58WBqvkRWOqVp1
+            v7arWedvOyQN0VqsCFZQfE8UN0Da1CtvtOFiBtPHLbOzqzvdht1RALppJt2bxXID
+            8fE2vB8CotGvAJf91xO+Sn7Ztwy8+JtmiQIWdGH60dzOQh3tsnKtjbP6ELCbbum3
+            yUO+uidKKu1RShQrosCi3ApToEXVdKL1GMYciLZ8ljovnr0oW3D1Vp4QyxHrR78o
+            4XLIwkvkvxk50tGexh1e2H7twe6JPNMC/fZ8zi40lxgDPo7931XXLHGgP6OsrU9u
+            fDYtRH5NzZRHFm9stgRnAaZEzGFMV22K8GedIhVjcdpmAXHDgG05IjAzF9IQ7toI
+            01OXVHSqlNXB2ayzyj2j6UiOmkAGKYLvu6iafHz+xxtxuE6v/z4lwV5npXoxYKPU
+            ZgEJAhCc2+F6zND9pZePOy+A59RexDElbOelQzgbzynppRrNPAU9fGOgXXQ2AuXD
+            WuB+OthmQp68v7SvCQ0yW0FsPO44Yd6U4Rlf2TwSiMNZhc/a3dJYJiMTjKEtMbtH
+            jICOBFncJg==
+            =LmeK
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-09T05:33:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtARAApGMLK7YyBJ9aq+hwPOs7xFcMAoeTiJ/RF2zt/EFSiT4X
+            SgV3dXSIg0TFHPsvmthmvqS5cqFT9qUIkk2soFO7paAVYjav8oMJRNZxd5PyUrbr
+            Z1JODOFl7Ps7i/Gl0qpK9lokpKDo8L628cWus3HICykSOGIxq9QiSs0qrxjwq5PT
+            aJgiVdt0f5hCP8eMvSN9364WcP83dS+DA/1O/P1lx7DK32vJT1qwQVVkXiGlrkro
+            8v6naFQygG+2DGYh7vBBKcw+x1HJYs/694g+ziB5rrYTHWGyPBfkcTUIigzoDH7m
+            lYiB0hE1X1G3xGf0Pgd8N13dQy/A0cPUbRWoIbThG0dcMoyn1voqt2f5jHXlEiOH
+            q1mjafZikAZwKcU7TGtm9xCi9v+B4/fR8iIWZeFeDxwuUqTOKCvDPP3Scy4YStHO
+            dEX4SSmGj8AO5x93KNV41Ke+GSNYSzXpuOMhVEbhyrB+wtNzoIIYAsIdB8jXEqNp
+            ACMzynbLzZQChrkhPL/dOeH7oju/hJI9n8sAaQQq1wMjy1AOegO/szQ70/xtVCZ/
+            mb0bT2AHp92QntsQ5JYKaUyjvi9pEEoir782x+5nfxrf64misqHGdM8Siys+Zg4K
+            qmLEhrX5tjtrPaCRlIEMFgQxsolY/xim5PW97f822KmBWhMpnOCX/xhoYpHM/TnU
+            ZgEJAhBVV+JdHHzC3SgQ++/htkelvUQFU1Yni4/aLZC6SF+Xwvm9SVgKi743wGZu
+            u0t/8WVJGDCiHdIkdroFUKLvOAVIMBiTiPrCCi0BfQSfHGD5+VsQqFge3mMTZHg5
+            w57HlWC+IA==
+            =WLyV
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/apps/media/jellyfin/helm-release.yaml

@@ -0,0 +1,77 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: jellyfin/jellyfin
+      tag: latest
+
+    service:
+      main:
+        ports:
+          http:
+            port: 8096
+
+    probes:
+      liveness:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-production"
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: "k3sjlyfn.***REMOVED***"
+            paths:
+              - path: /
+                pathType: Prefix
+
+    persistence:
+      config:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/jellyfin
+        mountPath: /config
+
+      storage:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Media/Media
+        mountPath: /storage/Media
+
+      cache:
+        enabled: true
+        type: pvc
+        accessMode: ReadWriteOnce
+        size: 8Gi
+        mountPath: /cache
+
+      transcodes:
+        enabled: true
+        type: pvc
+        accessMode: ReadWriteOnce
+        size: 24Gi
+        mountPath: /config/transcodes
+
+    resources:
+      requests:
+        cpu: 1m
+        memory: 275Mi
+        
+      limits:
+        memory: 500Mi

cluster/apps/media/jellyfin/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml

cluster/apps/media/kustomization.yaml

@@ -4,4 +4,5 @@ resources:
 - ./namespace.yaml
 - ./network_policy.yaml
 - ./komga
-- ./kavita
+- ./kavita
+- ./jellyfin