apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: plex
  namespace: media
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.5.1
      sourceRef:
        kind: HelmRepository
        name: bjws-charts
        namespace: flux-system

  values:
    controllers:
      plex:
        containers:
          app:
            image:
              repository: ghcr.io/onedr0p/plex
              tag: 1.41.3.9314-a0bfb8370
            
            env:
              TZ: America/New_York
              PLEX_ADVERTISE_URL: https://plex.${SECRET_NEW_DOMAIN}:443,http://192.168.10.70:32400
              PLEX_NO_AUTH_NETWORKS: 192.168.10.0/24,192.168.20.0/24,192.168.1.0/24,10.0.0.0/16,10.43.0.0/16
            
            probes:
              liveness: &probes
                enabled: true
                custom: true
                spec:
                  httpGet:
                    path: /identity
                    port: 32400
                  initialDelaySeconds: 0
                  periodSeconds: 10
                  timeoutSeconds: 1
                  failureThreshold: 3
              readiness: *probes
              startup:
                enabled: true
                spec:
                  failureThreshold: 30
                  periodSeconds: 10

            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
            
            resources:
#              requests:
#                cpu: 100m
              limits:
                gpu.intel.com/i915: 1
                memory: 16Gi

    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
        fsGroupChangePolicy: OnRootMismatch
        #supplementalGroups: [44, 10000]
        #seccompProfile: { type: RuntimeDefault }
      nodeSelector:
        intel.feature.node.kubernetes.io/gpu: "true"
    
    service:
      app:
        controller: plex
        type: LoadBalancer
        annotations:
          io.cilium/lb-ipam-ips: 192.168.10.70
        ports:
          http:
            port: 32400
    
    ingress:
      app:
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        #className: external
        hosts:
          - host: "plex.${SECRET_NEW_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: app
                  port: http
                  
    persistence:
      config:
        #existingClaim: plex
        type: persistentVolumeClaim
        size: 100Gi
        retain: true
        storageClass: openebs-zfs-mainpool
        accessMode: ReadWriteOnce
        globalMounts:
          - path: /config/Library/Application Support/Plex Media Server
      # Separate PVC for cache to avoid backing up cache files
      cache:
        type: persistentVolumeClaim
        size: 15Gi
        retain: true
        storageClass: openebs-zfs-mainpool
        accessMode: ReadWriteOnce
        globalMounts:
          - path: /config/Library/Application Support/Plex Media Server/Cache
      logs:
        type: emptyDir
        globalMounts:
          - path: /config/Library/Application Support/Plex Media Server/Logs
      # Store video thumbnails somewhere else so they're not backed up
      server-media:
        type: hostPath
        hostPath: /mnt/MainPool/Media/Plex/Media
        globalMounts:
          - path: /config/Library/Application Support/Plex Media Server/Media
      tmp:
        type: emptyDir
      transcode:
        type: emptyDir
        globalMounts:
          - path: /transcode
      media:
        type: hostPath
        hostPath: /mnt/MainPool/Media/Media
        globalMounts:
          - path: /storage/Media
            readOnly: true