diff --git a/clusters/ipv6/media/invidious/invidious-companion.yml b/clusters/ipv6/media/invidious/invidious-companion.yml
new file mode 100644
index 0000000..ebd0a4b
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious-companion.yml
@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: invidious-companion
+ namespace: media
+spec:
+ selector:
+ matchLabels:
+ app: invidious-companion
+ template:
+ metadata:
+ labels:
+ app: invidious-companion
+ spec:
+ containers:
+ - name: inv-companion
+ image: quay.io/invidious/invidious-companion@sha256:dbeaaab6a1c718f5874cc588aaab2d2b169dea4c742add6deac955c2879fc9c4
+ env:
+ - name: SERVER_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: invidious-secrets
+ key: INVIDIOUS_COMPANION_KEY
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
diff --git a/clusters/ipv6/media/invidious/invidious-config.yml b/clusters/ipv6/media/invidious/invidious-config.yml
new file mode 100644
index 0000000..5bdcfab
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious-config.yml
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: invidious-config
+ namespace: media
+data:
+ invidious.yml: |
+ db:
+ dbname: invidious
+ user: kemal
+ password: ${INVIDIOUS_DB_PASSWORD}
+ host: invidious-db.media.svc.cluster.local
+ port: 5432
+ check_tables: true
+ invidious_companion:
+ - private_url: "http://invidious-companion-service.media.svc.cluster.local:8282/companion"
+ invidious_companion_key: ${INVIDIOUS_COMPANION_KEY}
+ hmac_key: ${INVIDIOUS_HMAC_KEY}
diff --git a/clusters/ipv6/media/invidious/invidious-db-secrets-sealed.yml b/clusters/ipv6/media/invidious/invidious-db-secrets-sealed.yml
new file mode 100644
index 0000000..3e670d9
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious-db-secrets-sealed.yml
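Review bot: The `securityContext` at the end of the invidious-companion hunk drops every capability but leaves privilege escalation, the running user and the seccomp profile at their defaults. Because `capabilities` is only valid on a container I assume this is the container-level context (the indentation is not recoverable here). Adding `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` beside the `drop` list, plus `runAsNonRoot: true` if the image already runs as a non-root user, would complete the hardening the commit starts. The container also declares no `resources` requests or limits.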
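Review bot: The three `${...}` placeholders in `invidious.yml` are substituted as raw text into unquoted YAML scalars, so a secret value containing ` #`, `: ` or a leading indicator character would be truncated or would change the structure of the rendered config. Quoting them, e.g. `password: "${INVIDIOUS_DB_PASSWORD}"`, narrows the problem to values containing `"` or `\`. Separately, `user: kemal` and `dbname: invidious` are fixed here while the database takes its values from `invidious-db-secrets`, and `INVIDIOUS_DB_PASSWORD` lives in a second secret; a comment such as `# must match postgres-user / postgres-db / postgres-password in invidious-db-secrets` would flag the coupling.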
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: invidious-db-secrets
+ namespace: media
+spec:
+ encryptedData:
+ postgres-db: 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
+ postgres-password: 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
+ postgres-user: 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
+ template:
+ metadata:
+ name: invidious-db-secrets
+ namespace: media
+ type: Opaque
diff --git a/clusters/ipv6/media/invidious/invidious-db.yml b/clusters/ipv6/media/invidious/invidious-db.yml
new file mode 100644
index 0000000..460efce
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious-db.yml
@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: invidious-db
+ namespace: media
+spec:
+ selector:
+ matchLabels:
+ app: invidious-db
+ serviceName: invidious-db
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: invidious-db
+ spec:
+ initContainers:
+ - name: clean-db-dir
+ image: busybox
+ command:
+ - sh
+ - -c
+ - |
+ rm -rf /var/lib/postgresql/lost+found
+ volumeMounts:
+ - name: postgres-data
+ mountPath: /var/lib/postgresql
+ containers:
+ - name: postgres
+ image: postgres:18
+ env:
+ - name: POSTGRES_DB
+ valueFrom:
+ secretKeyRef:
+ name: invidious-db-secrets
+ key: postgres-db
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: invidious-db-secrets
+ key: postgres-user
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: invidious-db-secrets
+ key: postgres-password
+ volumeMounts:
+ - name: postgres-data
+ mountPath: /var/lib/postgresql
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
diff --git a/clusters/ipv6/media/invidious/invidious-ingress.yml b/clusters/ipv6/media/invidious/invidious-ingress.yml
new file mode 100644
index 0000000..ebd22e1
--- /dev/null
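Review bot: In the invidious-db StatefulSet, `image: busybox` and `image: postgres:18` are mutable tags, whereas the two Invidious images in this commit are pinned by `@sha256:` digest. Pinning these the same way (`postgres:18@sha256:<digest>`, and likewise for busybox) keeps the database pod reproducible and stops a re-pull from silently changing what runs next to the data volume. Neither container sets a `securityContext` or `resources`; the `clean-db-dir` init container only needs to delete `lost+found`, so it is a good candidate for `allowPrivilegeEscalation: false` with all capabilities dropped, provided it keeps whatever permission the volume root requires.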
+++ b/clusters/ipv6/media/invidious/invidious-ingress.yml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: invidious-ingress
+ namespace: media
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+ traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - invidious.akshun-lab.cc
+ secretName: invidious-tls
+ rules:
+ - host: invidious.akshun-lab.cc
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: invidious-service
+ port:
+ number: 3000
diff --git a/clusters/ipv6/media/invidious/invidious-secrets-sealed.yml b/clusters/ipv6/media/invidious/invidious-secrets-sealed.yml
new file mode 100644
index 0000000..7eb4270
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious-secrets-sealed.yml
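Review bot: Authentication for `invidious.akshun-lab.cc` rests entirely on the `router.middlewares: tools-authelia@kubernetescrd` annotation, and nothing in the manifest says so. A comment above it, for example `# forward-auth via Authelia (Middleware "authelia" in namespace "tools"); removing this exposes the instance without login`, would make the line harder to drop by accident. The Middleware object is not part of this commit, so its existence in the `tools` namespace is assumed and worth confirming before rollout.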
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: invidious-secrets
+ namespace: media
+spec:
+ encryptedData:
+ INVIDIOUS_COMPANION_KEY: 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
+ INVIDIOUS_DB_PASSWORD: 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
+ INVIDIOUS_HMAC_KEY: AgCY3C9mojZsBnGVbs8HuJrm0H2A4qOMDWnuh7Ifru0cc6TGjMbkYUki63uETk/mNl/WH5t+kQkyZhXACjPbFCoW+CI4uLMR7YnNoVRUsftRDDG3mAZ4g2skGo3QSkI7HYC/UOTpBT+TYldwEznS5cZjKit4R0EvqJBRSE4BfE1cqn9pVnJX4SOeQNCKDWi5biGfMuZt3htZYYXCQrihLDCtgOMHJgYk3AgO9vCJZl3j5IwyQT77iA38xpio93AKkhyYL+XzdX38K4eQDkDJf/jyl4ZzRCeFNAKUX5WhBPkTfkn5Mp0rPvxk3/aDXqdNgTmcGYn1iM3uev4k38u9EaJ1ESbbh97CzDAK1nHVXbXtMJzUWsjN+E9xojsknkaucuMcVFrq5ZuE8EVzmoows+kVsXyYaahg4at0RgxtNovLbJ8Ct1SB1oNwwd/VaNNxl0Uy+5hO+9n2jjnP6j83U52SlkBPoqXp8hLCQxiglMiGhN3QapkghHoaN3DFjYtmTC6q/BCzFvF10Daa/iRALt/fBO7VbR9+hvknmYvv1Z6L/s2Rm4xYKkunjB4qWZdHIfwt4lSVHF94wg6NsRm3dkF4RA/AJlx9wfXaSvVJLj7Gfri/nZQ236RojFtPpvLrDAYV2qfNv2nmpCnpFH1XgWQmwn6xjcaT/VEf4pUdn4yu2T1mnjJkWua1oJ53hUyCK5lZDeJQurZj5f7y8HHv3pBo
+ template:
+ metadata:
+ name: invidious-secrets
+ namespace: media
+ type: Opaque
diff --git a/clusters/ipv6/media/invidious/invidious-svc.yml b/clusters/ipv6/media/invidious/invidious-svc.yml
new file mode 100644
index 0000000..dcf876f
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious-svc.yml
@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: invidious-service
+ namespace: media
+spec:
+ selector:
+ app: invidious
+ ports:
+ - port: 3000
+ targetPort: 3000
+ protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: invidious-companion-service
+ namespace: media
+spec:
+ selector:
+ app: invidious-companion
+ ports:
+ - port: 8282
+ targetPort: 8282
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: invidious-db
+ namespace: media
+spec:
+ selector:
+ app: invidious-db
+ ports:
+ - port: 5432
+ targetPort: 5432
+ clusterIP: None
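Review bot: The `invidious-db` and `invidious-companion-service` Services publish ports 5432 and 8282 to every pod that can route to the `media` namespace, and this commit adds no NetworkPolicy alongside them. If none exists elsewhere in the repository, a policy admitting ingress to `app: invidious-db` and `app: invidious-companion` only from pods labelled `app: invidious` would keep the Authelia check at the ingress from being the only barrier in front of the database and the companion API. Minor style point: only the first Service sets `protocol: TCP`; either state it on all three or drop it, since TCP is the default.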
diff --git a/clusters/ipv6/media/invidious/invidious.yml b/clusters/ipv6/media/invidious/invidious.yml
new file mode 100644
index 0000000..eeaa879
--- /dev/null
+++ b/clusters/ipv6/media/invidious/invidious.yml
@@ -0,0 +1,70 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: invidious
+ namespace: media
+spec:
+ strategy:
+ type: Recreate
+ replicas: 1
+ selector:
+ matchLabels:
+ app: invidious
+ template:
+ metadata:
+ labels:
+ app: invidious
+ spec:
+ initContainers:
+ - name: substitute-config
+ image: alpine
+ envFrom:
+ - secretRef:
+ name: invidious-secrets
+ command:
+ - sh
+ - -c
+ - apk add gettext && envsubst < /mnt/init/invidious.yml > /mnt/invidious.yml
+ volumeMounts:
+ - name: invidious-config
+ mountPath: /mnt/init/invidious.yml
+ subPath: invidious.yml
+ - name: tmp
+ mountPath: /mnt
+ subPath: invidious.yml
+ containers:
+ - name: invidious
+ image: quay.io/invidious/invidious@sha256:2836b5b8226a53a9cc2afdbd5f5fe6bccdd200f2e17cd92a828b4dc8d8b5cc06
+ command:
+ - sh
+ - -c
+ - |
+ export INVIDIOUS_CONFIG="$(cat /mnt/invidious.yml)" &&
+ exec /invidious/invidious
+ readinessProbe:
+ exec:
+ command:
+ - sh
+ - -c
+ - |
+ nc -z invidious-db.media.svc.cluster.local 5432 && nc -z invidious-companion-service.media.svc.cluster.local 8282
+ env:
+ - name: INVIDIOUS_PORT
+ value: "3000"
+ ports:
+ - containerPort: 3000
+ volumeMounts:
+ - name: logging
+ mountPath: /var/log/invidious
+ - name: tmp
+ mountPath: /mnt
+ subPath: invidious.yml
+ volumes:
+ - name: logging
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+ - name: invidious-config
+ configMap:
+ name: invidious-config
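Review bot: The `substitute-config` init container receives every key of `invidious-secrets` through `envFrom` and then runs `apk add gettext` on an untagged `alpine` image, so each pod start depends on the package mirror being reachable and runs unpinned code in the same environment as the secrets. A digest-pinned image that already ships `envsubst` would remove both the network dependency and the drift. The substitution should also be limited to the expected names, `envsubst '${INVIDIOUS_DB_PASSWORD} ${INVIDIOUS_COMPANION_KEY} ${INVIDIOUS_HMAC_KEY}' < /mnt/init/invidious.yml > /mnt/invidious.yml`, so that any other `$`-prefixed token in the config is left alone. Separately, the readiness probe only tests the database and companion ports with `nc` and never Invidious itself on 3000, and neither container in this Deployment sets a `securityContext`.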