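---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: qbittorrent
  namespace: download
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      # Quoted so no YAML 1.1 loader can ever read a version or tag as a number.
      version: "3.1.0"
      sourceRef:
        kind: HelmRepository
        name: bjws-charts
        namespace: flux-system

  values:
    controllers:
      main:

        pod:
          # fsGroup / fsGroupChangePolicy are pod-level fields only; they are not
          # valid inside a container securityContext (the copy that used to sit
          # on the main container was ignored by the API server).
          securityContext:
            fsGroup: 10000
            fsGroupChangePolicy: "OnRootMismatch"

        containers:
          main:
            image:
              repository: ghcr.io/onedr0p/qbittorrent
              tag: "4.6.2"

            env:
              # Pod env values are strings; quoted like PORT_UPD_QBITTORRENT_PORT below.
              QBITTORRENT__PORT: "8080"

            securityContext:
              runAsUser: 10000
              runAsGroup: 10000
              # Least privilege: the process already runs as uid 10000, so refusing
              # root, privilege escalation and the capability bounding set costs
              # nothing at runtime and removes the escalation paths.
              runAsNonRoot: true
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                  - ALL

          gluetun:
            image:
              repository: qmcgaw/gluetun
              tag: v3.38

            env:
              FIREWALL_INPUT_PORTS: "8080,17871" # 17871 is the prometheus exporter

            # VPN credentials and provider settings come from this Secret, not from the manifest.
            envFrom:
              - secretRef:
                  name: qbittorrent-secrets

            securityContext:
              # NET_ADMIN is needed to create the tunnel interface and firewall rules;
              # it is the only capability this sidecar gets.
              capabilities:
                add:
                  - NET_ADMIN

          port-manager:
            image:
              repository: git.seanomik.net/seanomik/gluetun-qbit-port-updater
              tag: v0.1.2
              # The tag is pinned but mutable; Always re-pulls whatever the tag currently points at.
              pullPolicy: Always

            env:
              PORT_UPD_QBITTORRENT_HOST: localhost
              PORT_UPD_QBITTORRENT_PORT: "8080"
              # safe to have in plain text since qbittorrent is exposed through authentik.
              # NOTE(review): authentik fronts only the ingress; the `app` Service below
              # still exposes 8080 inside the cluster, and nothing in this file restricts
              # that (no NetworkPolicy shown). These are also the well-known qBittorrent
              # default credentials, so moving them into a Secret (for example via
              # envFrom/secretKeyRef on an existing one) is the cheaper fix.
              PORT_UPD_QBITTORRENT_LOGIN: &qbitLogin admin
              PORT_UPD_QBITTORRENT_PASSWORD: &qbitPass adminadmin
              PORT_UPD_PORT_FILE: /tmp/gluetun/forwarded_port

          metrics:
            image:
              repository: caseyscarborough/qbittorrent-exporter
              tag: v1.3.5

            env:
              QBITTORRENT_BASE_URL: "http://localhost:8080"
              # safe to have in plain text since qbittorrent is exposed through authentik.
              # Same credentials as port-manager above (YAML aliases, same document).
              QBITTORRENT_LOGIN: *qbitLogin
              QBITTORRENT_PASSWORD: *qbitPass

    service:
      app:
        controller: main

        ports:
          http:
            port: 8080

          metrics:
            port: 17871
            protocol: HTTP

    ingress:
      main:
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          # Forward-auth middleware: this is what puts the web UI behind authentik.
          traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd

        hosts:
          - host: &host "qbit.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: app
                  port: http

        tls:
          - hosts:
              - *host

    persistence:
      # hostPath volumes give the pod direct access to the node filesystem; keep
      # each one scoped to the narrowest subtree that is actually needed.
      storage:
        type: hostPath
        hostPath: /mnt/MainPool/Media/Torrents
        globalMounts:
          - path: /storage/Torrents

      config:
        type: hostPath
        hostPath: /mnt/MainPool/Kubernetes/qbittorrent
        advancedMounts:
          main: # controller name
            main: # container name
              - path: /config

      cookies:
        type: secret
        name: cookie-secret
        globalMounts:
          - path: /etc/tokens

      # Scratch volume shared between gluetun (writes the forwarded port) and
      # port-manager (reads it); the reader gets it read-only.
      gluetun-tmp:
        type: emptyDir
        advancedMounts:
          main: # controller name
            gluetun: # container name
              - path: /tmp/gluetun/
            port-manager:
              - path: /tmp/gluetun/
                readOnly: true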