ipv6 cluster initial commit

clusters/ipv6/media/ersatztv/ersatztv-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ersatztv-ingress
+  namespace: media
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - ersatztv.akshun-lab.cc
+    secretName: ersatztv-tls
+  rules:
+  - host: ersatztv.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ersatztv-service
+            port:
+              number: 8409

clusters/ipv6/media/ersatztv/ersatztv-pvc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ersatztv-longhorn
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 3Gi
+  storageClassName: longhorn

clusters/ipv6/media/ersatztv/ersatztv-svc.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ersatztv-service
+  namespace: media
+spec:
+  selector:
+    app: ersatztv
+  ports:
+  - port: 8409
+    targetPort: 8409
+    protocol: TCP

clusters/ipv6/media/ersatztv/ersatztv.yml

@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ersatztv
+  namespace: media
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ersatztv
+  template:
+    metadata:
+      labels:
+        app: ersatztv
+    spec:
+      containers:
+      - name: ersatztv
+        image: jasongdove/ersatztv:v25.9.0
+        ports:
+        - containerPort: 8409
+        volumeMounts:
+        - name: data
+          mountPath: /root/.local/share/ersatztv
+        - name: i915
+          mountPath: /dev/dri/
+        - name: merge
+          mountPath: /mnt/merge
+        securityContext:
+          privileged: true
+        resources:
+          requests:
+            gpu.intel.com/i915: "1"
+          limits:
+            gpu.intel.com/i915: "1"
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: ersatztv-longhorn
+      - name: i915
+        hostPath:
+          path: /dev/dri
+      - name: merge
+        nfs:
+          server: 10.0.0.123
+          path: /merge

clusters/ipv6/media/immich/immich-db.yml

@@ -0,0 +1,54 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: immich-psql
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: immich-psql
+  serviceName: immich-psql
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: immich-psql
+    spec:
+      initContainers:
+      - name: cleanup
+        image: busybox
+        command: ['sh', '-c', 'rm -rf /var/lib/postgresql/data/lost+found']
+        volumeMounts:
+        - name: immich-db
+          mountPath: /var/lib/postgresql/data
+      containers:
+      - name: immich-psql
+        image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
+        ports:
+        - containerPort: 5432
+          name: postgres
+        env:
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: immich-postgres-secret
+              key: password
+        - name: POSTGRES_USER
+          value: "postgres"
+        - name: POSTGRES_DB
+          value: "immich"
+        - name: POSTGRES_INITDB_ARGS
+          value: "--data-checksums"
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: immich-db
+  volumeClaimTemplates:
+  - metadata:
+      name: immich-db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 5Gi
+      storageClassName: longhorn

clusters/ipv6/media/immich/immich-ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: immich-ingress
+  namespace: media
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - immich.akshun-lab.cc
+    secretName: immich-tls
+  rules:
+  - host: immich.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: immich-service
+            port:
+              number: 2283

clusters/ipv6/media/immich/immich-ml.yml

@@ -0,0 +1,43 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: immich-ml
+  namespace: media
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: immich-ml
+  template:
+    metadata:
+      labels:
+        app: immich-ml
+    spec:
+      runtimeClassName: nvidia
+      containers:
+      - name: immich-machine-learning
+        image: ghcr.io/immich-app/immich-machine-learning:v2.4.1-cuda
+        ports:
+        - containerPort: 3003
+        env:
+        - name: REDIS_HOSTNAME
+          value: "immich-redis-service"
+        - name: NVIDIA_VISIBLE_DEVICES
+          value: "all"
+        - name: MACHINE_LEARNING_DEVICE_IDS
+          value: "0"
+        volumeMounts:
+        - name: model-cache
+          mountPath: /cache
+        resources:
+          requests:
+            nvidia.com/gpu: "1"
+          limits:
+            nvidia.com/gpu: "1"
+      volumes:
+      - name: model-cache
+        persistentVolumeClaim:
+          claimName: immich-cache-longhorn

clusters/ipv6/media/immich/immich-pvc.yml

@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-cache-longhorn
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: longhorn
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
+  name: immich-pictures-pv
+  namespace: media
+spec:
+  capacity:
+    storage: 100Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: immich-pictures-pv
+  mountOptions:
+    - dir_mode=0777
+    - file_mode=0777
+  csi:
+    driver: smb.csi.k8s.io
+    volumeHandle: 10.0.0.123#pictures#immich
+    volumeAttributes:
+      source: //10.0.0.123/pictures
+    nodeStageSecretRef:
+      name: smb-creds
+      namespace: media
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-pictures-pvc
+  namespace: media
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: immich-pictures-pv
+  resources:
+    requests:
+      storage: 100Gi

clusters/ipv6/media/immich/immich-redis.yml

@@ -0,0 +1,23 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: immich-redis
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: immich-redis
+  serviceName: immich-redis
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: immich-redis
+    spec:
+      containers:
+      - name: redis
+        image: docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571
+        ports:
+        - containerPort: 6379
+          name: redis

clusters/ipv6/media/immich/immich-secrets-sealed.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: immich-postgres-secret
+  namespace: media
+spec:
+  encryptedData:
+    password: AgBu1TYgl5+c8HAEZ62WcBcD6ebaF0YXl64RiumT5fOA8F16FA1OeATh17MTXUZuaF+WxpzJoJNSFp8GkfejSczMC2ZkViE/XR6spTGinHd6YI/HWQe0A1ojmTucohssWa00Ql0i6L6OTcD6fOS3gWZnUAi8W42vh4NVgdRx5AWSvjCwsF/visu5OwTFU0vRyTcYN3jrr/uYqLCrLKIQhf/jlfl7BdKN4Y/oZXMWP8K0mVp3deDqDF9NgL5fboL6B5XPihR7lPAZMmTQpf3ansxMMqesnWMKFUAyh50h4JEKcriSKPPuHhtsWTqKQmgUl+pmaTjDI31zmHKNQRbI4dTmkP0hVYGZ8hKomsbLvq9x8ZDfjGz2Vgt57ZMvMftMiz6Fvw8aQ+6XgTpfpYq6ZA4i3+p17nTrdQtMOuH1ogq5b09t2I6AB+0KANFJVG1iPTVGhG0nt23nZQydDHJ42ijl4OtRfJPHf28bUUpYSJ2X6g0/PGzTP8o2Hb+aLG5nJFfy6vikEHDDI4Z75hNSYrftHtQLxImxnEiMdIde1g26b00ECQ9roaOhszozQkGlKImC1+RpdUx1Mgi5yvqk7+RBRHolj9oxa0bdO9uj7u/SIuw8d7XHzHts2NBro9v6HpYjDiFmD35UTCvcaAi4PTUE/Sn2H5BWUDRnznrk1vp5EK3iv4uSM1L0EcD3Lkm6kTbwlctJaS0=
+  template:
+    metadata:
+      name: immich-postgres-secret
+      namespace: media
+    type: Opaque

clusters/ipv6/media/immich/immich-svc.yml

@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-service
+  namespace: media
+spec:
+  selector:
+    app: immich-app
+  ports:
+  - port: 2283
+    targetPort: 2283
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-machine-learning-service
+  namespace: media
+spec:
+  selector:
+    app: immich-ml
+  ports:
+  - port: 3003
+    targetPort: 3003
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-psql
+  namespace: media
+spec:
+  selector:
+    app: immich-psql
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+  clusterIP: None
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: immich-redis
+  namespace: media
+spec:
+  selector:
+    app: immich-redis
+  ports:
+    - name: redis
+      port: 6379
+      targetPort: 6379
+  clusterIP: None

clusters/ipv6/media/immich/immich.yml

@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: immich-app
+  namespace: media
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: immich-app
+  template:
+    metadata:
+      labels:
+        app: immich-app
+    spec:
+      containers:
+      - name: immich-server
+        image: ghcr.io/immich-app/immich-server:v2.4.1
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              pg_isready -h immich-psql.media.svc.cluster.local -U postgres -p 5432
+          initialDelaySeconds: 10
+          periodSeconds: 5
+          failureThreshold: 5
+        ports:
+        - containerPort: 2283
+        env:
+        - name: TZ
+          value: "Asia/Kolkata"
+        - name: REDIS_HOSTNAME
+          value: "immich-redis.media.svc.cluster.local"
+        - name: DB_USERNAME
+          value: "postgres"
+        - name: DB_DATABASE_NAME
+          value: "immich"
+        - name: DB_HOSTNAME
+          value: "immich-psql.media.svc.cluster.local"
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: immich-postgres-secret
+              key: password
+        volumeMounts:
+        - mountPath: /usr/src/app/upload
+          name: pictures
+      volumes:
+      - name: pictures
+        persistentVolumeClaim:
+          claimName: immich-pictures-pvc

clusters/ipv6/media/immich/smb-secrets-sealed.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: smb-creds
+  namespace: media
+spec:
+  encryptedData:
+    password: AgC+7n+UgTpWtKSAT2pM3ko4DyqXlw3PzlBgcX/goSOGbLmxhN/wP1VFh8KJTy/+InMLjPs+Ja0mks6J5YCbl3hvOHFxEnwScnk8vRXgQUgpJTLwZQUR6TOQVJw1jsGqkPOHDzXQiqzvxYgWDdtAX1Fl4Lj6BUOS0zyZqJjC2DKlhLSNqEs2ABuoPLaTwT0i7BEVtUMjIKNJvu+bt2Tc+zdGLeT/RCGiDjiEUvyFOW7/5exPAn0s569EbhG60Wu6Baywz8c+QrgHTkoUkBO+kdSKy1yYMxpNrJ73rblgEUSzxTI/moNrWdpkre3C7hjD99a07zqf83znwwDB7njgecn/Xk4aWy5xyVgViQ4BFcaynR089zuInOtiJHKwv55hvW0jf4xR1pazgHlM/ZEAEv+WZXGd9nwWoCFiPOB/0hta4iJWUkcpfImzNlTq4xbVOUt4DqhNPEKqUAfjBr7krg0LM5y8wAUtepvbD99NVz4yfGMMmZBNBE/REhkJxN5WDPBQZGRdIq0X20wRWN2uCnaj7VYaxLnQbpczka76+dzO/GOlnBLBWkTUwV8VgKn3nsyNYG/7gbvi5c+7U4iDh8oa2/vn3O0nw0vEfnKCKkK5PYy8Ocfe05atQtq+ydtYP131XC/gQMJazOsjmS+8+mJ41b3JnhSI1ptWt0qE1NwcfaUsCFxhjJT6NsUtgvbelz1ixLswyFA=
+    username: AgAebr79UtTr4TK8wwndPZTBoWdeMs/6TCyfh2PWSw81IH3TV6xiVvey/IS3VK+0inXnF5Mx5osNqP7pvigZ+nRy1Opo8Yi1f+9l7dbDQ1LU4InAX4v/SHrNmyZYHfmLTTLfpoh8D+beLmNWXJDd4mz5CxleOIeai/UBdmsasHoQvvKZFBeIIRz2uv+fWurjQFT+8ZOjtyANa7W1Wqd/2WQI/3rP6CRRfOALoANj/+y3oCXXixzcyl/mEv1GN+p1B9g6AgQycpQSr8kNCeigFEiurU4flliRjwOP6NoZOxc6Vu8i2s4BqGexfgdVpEOLjFL2LtsIf5qLL1MXaquyx7ycXMM3zS8+yeitJ76U65HYswt6EpuksUKay+RFBAMXAzRvjY1MaLzdzso2qUh8yueQ28yI8HEXZLCMuEfTLs3vSHfFApk/JpTCYOtsUJynrF2EY7TxWYNlmn00f9i33Asikv3al+gKzjiN3btdk8y27LhIN3vCmzogHOO+Dt5kEuUCwMjfVGfnoVqQ7GpX7blEdhV9yNlY7evpwJJTYdY3avJnxVD7CXRihS0o2AYgQ5qfVllwR4BePsnyUlr4kwdsMf+PJRYXEBtGEKnJJGA6N+n3hSm6UYRaDXJxy7iCGMUOhiilA9gfnEZ/Zmmy0W7l034o+cFMZxaWOR9/hF3s8keF9iN8SUgsxrPMwdfJ2jgpzhDe9cA=
+  template:
+    metadata:
+      name: smb-creds
+      namespace: media
+    type: Opaque

clusters/ipv6/media/invidious/invidious-companion.yml

@@ -0,0 +1,28 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: invidious-companion
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: invidious-companion
+  template:
+    metadata:
+      labels:
+        app: invidious-companion
+    spec:
+      containers:
+      - name: inv-companion
+        image: quay.io/invidious/invidious-companion@sha256:639c8b32dec2e0200c36ed369cf494eb0ca765fdb14d5890d7f460c89a34272d
+        env:
+        - name: SERVER_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: invidious-secrets
+              key: INVIDIOUS_COMPANION_KEY
+        securityContext:
+          capabilities:
+            drop:
+            - ALL

clusters/ipv6/media/invidious/invidious-config.yml

@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: invidious-config
+  namespace: media
+data:
+  invidious.yml: |
+    db:
+      dbname: invidious
+      user: kemal
+      password: ${INVIDIOUS_DB_PASSWORD}
+      host: invidious-db.media.svc.cluster.local
+      port: 5432
+    check_tables: true
+    invidious_companion:
+    - private_url: "http://invidious-companion-service.media.svc.cluster.local:8282/companion"
+    invidious_companion_key: ${INVIDIOUS_COMPANION_KEY}
+    hmac_key: ${INVIDIOUS_HMAC_KEY}

clusters/ipv6/media/invidious/invidious-db-secrets-sealed.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: invidious-db-secrets
+  namespace: media
+spec:
+  encryptedData:
+    postgres-db: AgDCRTGZMrx88eyNM/JENijAUak+FHV1llYWvG9CXqe+p3FqFxL1BBh2vICymkDGX1p7UeASvcNDWQQh+jeuzzPjfEo1t+tyBpZdA8KibIzR8LnQdcIWd76KKUpkDx9QLlu1d+j+zXOxlloTDe1kD/LNlGsb/5EWKfTsxD9xwtv9HDbHctqMLkQPK+fwVZNpaO60LII6dKc2igFjEbcV4203jiWG3Dx3oUMqb3xfNYrb0m2bndU9TfFCHV0TGkLgNX6impmIaHoQvozfniRRvrzjlFdClQW8FrwhnpLZ/gLk+W+zYbvZlHvfU2MeV+VKMDAuTOm36h2iEc6VrS6hy7xhAUY1vLTi+F9fA91qLeH5ZlU9/DTN4U3S47HsTumz3Fu9dvxsg/qtl+7mqBXTJpL7DusHJXE0pia1+RjM8ZwIXd4VLh1rrTt1ohUgOtytYdIzP42UWpIqKXfnzio74jk+CUULMaqB97R92gh2FdLzsSxY7znB+YT7Jie7cOCtSWds+OSNLiX/tm99CIKY+g6mYhCfgBWy/ZIZ4VSHIS2UZDKeqqbDa81IX+f5ASSCLD5daMVIl4qz37tboa0ah7YIvGS5Le9u0XiBWiy/+QOvp1nLYB2/N41kwDMsSqqAtpyqKzBJxu3eTb8QH1h0wllylFpO7yQNKHaZkcwOWqHyfpJQiDvcGr11inJDvkjU1U+ml5Nuq4IHNCg=
+    postgres-password: AgB0s+vZL++A9kEIBaknYFzwRNGQhsj3LQo7gfR0PebuaM96gFJxsBlrDgDrsIjfOWuwU8abg2Fjif4iU/N43Jz/mTmSVQe0WBhWYV0eBS/KMg8hEzQYA6Hm+WM1W0xS36QGgObP73eguHCictD6NcN0ff3IUZzg1z2Jyr+vDCGy98V2ANbPhiPPamIYaE8NG2B0cxFhi0XCcqkNIy6JTjFbVq/ivFNDmlZY6lZhATWjHine9BKgoTRAwqYHLFx/R0DR1fYiG/fHAzbNGBtDDnLcvL/uCj0LFLLHJ4DxvSmi4re61iBiG/ZFck/ET0bGnusUl7rjz/o9prUcINHtrFmhs6Oh2FwzzCvA1op1xbhOeKWceMAFNkd8BpY31DVjoVrQ1/JQRvqoS4J9TZ10YMtMdpOWxgmOb66W+kwhZOgT9bYrkSkOirGNLeFpC5uOt+rAm5rfiFrKsaLD4OTj1YDuSfewNpnM5rPawK36t9y5VFtSsJamtbS09vXLnKnO9D1M+Z/fxyCoBkeTE8UmSEfFZ52BODIasy1YVrXGLW6jXJOTLrj9ZaMajzS1LnlxeGPrJ/l7Q4qCo88/iEgrENHgx+x2j8kJm7jRsvyfa/U7vTpfIfuUIhSBxl8pHL1i7N/ZFL6Ses5lNEJ+53rXLSpkHEYh7gWId9eKUNTWikLkoAyNzcSS62jAWc2jUSO3V8rdoTPapE2OVifJ5g==
+    postgres-user: AgAMdnMR0vcu5ox07A1eZW55ihOs+qqA4sdoCZZa6VIgz0RoVO1R5XghBVk3l6XXn24bUFbufzZlWwAW+202ONLAsPHPOKjMB9ODOxk5iFP+D9iPiRlzpvuOf4cGdoyxlIuyr/p5OwTyAq9GQOZOzUZ0sB1bNyfQSpYISD+vTvkNIWe+O2LMQOXVegPkb0eWDCv5fHrjYrri0qurOQ9ah/wZMvSTRRRZcq+mpAU71VCycdC527JNb5/nxdhth7wXEVTuyh97il/Pu9fUdVyLMh8bnVPxB5cdxa1Bmo9txH7NKFyrscmlYfv9IinaxZhZSGKJxwX4zeaq4+wu8+JDPqD3OJr0jBepg88ZRWIkeFcDLFEjPcXeGjsF1B+fwb5iYI4KVI2QZGXNTrpFkFZQvTMjXh6WtH6BbluSBGsUAg4EW/gA6higfDQ7YM3ZN4KHXYy9Z8rK1TvC8TCNeWNRrG6hYN2wwkUmHh4Q9Y6Y3RSn8UNvdCvQCM7gF1SoUcyF4T97cJC0ER8YihwDKrsZHDDGNXXMtOV8gCi4MMNwdjuB2+lePrcidKMVYCtLhbevogyll6xgGPYU1PvZhyV0WSpY8z+ypcBlh9Z9kVd/PkbUcXRHdSm6znmzwKgWRi+zHfNfg9OxTBuy6oX/Kg48d1UIR59P2tGMteTTKf2e7SY3wQzRRdMrzY93sqa/rGilLu7RszYcCQ==
+  template:
+    metadata:
+      name: invidious-db-secrets
+      namespace: media
+    type: Opaque

clusters/ipv6/media/invidious/invidious-db.yml

@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: invidious-db
+  namespace: media
+spec:
+  selector:
+    matchLabels:
+      app: invidious-db
+  serviceName: invidious-db
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: invidious-db
+    spec:
+      initContainers:
+      - name: clean-db-dir
+        image: busybox
+        command:
+        - sh
+        - -c
+        - |
+          rm -rf /var/lib/postgresql/lost+found
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql
+      containers:
+      - name: postgres
+        image: postgres:18
+        env:
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-db
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-user
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: invidious-db-secrets
+              key: postgres-password
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql
+  volumeClaimTemplates:
+  - metadata:
+      name: postgres-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: longhorn

clusters/ipv6/media/invidious/invidious-ingress.yml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: invidious-ingress
+  namespace: media
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+    traefik.ingress.kubernetes.io/router.middlewares: tools-authelia@kubernetescrd
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - invidious.akshun-lab.cc
+    secretName: invidious-tls
+  rules:
+  - host: invidious.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: invidious-service
+            port:
+              number: 3000

clusters/ipv6/media/invidious/invidious-secrets-sealed.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: invidious-secrets
+  namespace: media
+spec:
+  encryptedData:
+    INVIDIOUS_COMPANION_KEY: AgDRcKWTyaK2LAPkjlHXJyhVkxkVg1AG6eLAh1JQjgz+w5f5op8/G7RJ+9rVEJd1liHNu8dZKxSJ09PHLbrgRW4WDwlOBoMA5YkP3UfmlsZC1oExxsIjSzjssvUU3ewDJY5ny/LVYeGD5I0KkKPGyVEDbaD1UL986t+GY56cVVF7xZJwyPyXokqRd23PahecmMgkOSk6Ikct0hyNBlKuAeB5obGB9kNdpNZwOHV33EyIjeZOsVlCd7mtf4kE2qIWKtZSR3MtGq2hGjelFXwD0s6++cLAZv3zC9nB6F9VY+JjZxmH2FZtB8QMcPSnjk0ea7qMDMIalYXqOn1AVPZ8v5l+V+iQeIRMOvoYnM5okY5ffP2Ug81V6h6lnSt2cqPg4+5U7Tu7GSct78sgudYCZwYvpUEZgoyJ5B8z9sqOhKtVSuyOwqnpWdzDufL4yLhIQVGsJ1T8U34IrietxEJ7YwwLsv5S/wkErgaUF54ZUED+C31gYXDebdJDdZcIrjWdSAp3gYXURoiv13sqmxLOZMgwsy9HZoozf1rzxKj67O45dRZWXE6JWuhFUDH8+boe9t8O/nHvpHwE7C4Gm79WC4AXJOO4cwzJySqiu8VZUywGojOHS6bGqRmcKootXSG+OM7o9ay0/6ctkYXbflKwza0JzzDorQ5vkt7A7vFhJss2y9sJa093WFvY2Wd0RsYwe8V48ZRx5ChXU6PB53/xt8KD
+    INVIDIOUS_DB_PASSWORD: AgCYcytQkrWQMQXlp1zRHgA2R/RO32tFXJTZufzjLh+uK6Na6lH9iRReWv/qLE3xR4qXDSy5Ph6+SbuQHi2GnqFKpmiU0CvjPvvl+dFmVhJvB7ho7AR06UYTmMqK9jLw9TWfLu21pUHQPBovZuofcNSllsEjZ9Zd6oN99gh51DiVFEwlJvLu2+bdIhM0wALqEphjihBJEdWzvr0WUOZoyqX8Dtb/d/bHeeEmmDRoIu8btmsyNwvMP+rDqfzXhQ+/HEhf40ZfnUWzxYGYfFz0m8CVVlk4WNxAJ8obb2jHfLDRIB1Fzwgyn+gQU6lhWo7vnAWLTZ2NAKKwN3Rs7Tu7B6SHkuNkAI89jwtlG1cSX3NnQe0gbvnNLtGG6yWBnh1ZJufseRgsOx2VU3CAYT16S6EM5Cpk41YKA0/tMu9Z8CG3MevnmTSQmke94AR+Yl2hFsEFDMqlOeCzS38urKM7oE1MkfMpdB8th19fPj00jdBixmEY5FlMBltQwX4T+xMdZEpZQnlFWfvLrIRwg1l8/JQAI+KRP6Ym8RwShWwc+DW58VSgaAjg/rqWl1nHPmZVdYGghyCM77HXQ1N7H+nMesFL0ebxg+bm0OTllNAL8m2S1l2lukH7d8OUoQT5yTrwuD/DvMv5S9RAVGBE/41ZQ3MSx1s/5DrIvUaFk8gdIpbIMhoKP5KaB4PdFnzy9yd3nQIgTfzMixrMlhW1ww==
+    INVIDIOUS_HMAC_KEY: AgCY3C9mojZsBnGVbs8HuJrm0H2A4qOMDWnuh7Ifru0cc6TGjMbkYUki63uETk/mNl/WH5t+kQkyZhXACjPbFCoW+CI4uLMR7YnNoVRUsftRDDG3mAZ4g2skGo3QSkI7HYC/UOTpBT+TYldwEznS5cZjKit4R0EvqJBRSE4BfE1cqn9pVnJX4SOeQNCKDWi5biGfMuZt3htZYYXCQrihLDCtgOMHJgYk3AgO9vCJZl3j5IwyQT77iA38xpio93AKkhyYL+XzdX38K4eQDkDJf/jyl4ZzRCeFNAKUX5WhBPkTfkn5Mp0rPvxk3/aDXqdNgTmcGYn1iM3uev4k38u9EaJ1ESbbh97CzDAK1nHVXbXtMJzUWsjN+E9xojsknkaucuMcVFrq5ZuE8EVzmoows+kVsXyYaahg4at0RgxtNovLbJ8Ct1SB1oNwwd/VaNNxl0Uy+5hO+9n2jjnP6j83U52SlkBPoqXp8hLCQxiglMiGhN3QapkghHoaN3DFjYtmTC6q/BCzFvF10Daa/iRALt/fBO7VbR9+hvknmYvv1Z6L/s2Rm4xYKkunjB4qWZdHIfwt4lSVHF94wg6NsRm3dkF4RA/AJlx9wfXaSvVJLj7Gfri/nZQ236RojFtPpvLrDAYV2qfNv2nmpCnpFH1XgWQmwn6xjcaT/VEf4pUdn4yu2T1mnjJkWua1oJ53hUyCK5lZDeJQurZj5f7y8HHv3pBo
+  template:
+    metadata:
+      name: invidious-secrets
+      namespace: media
+    type: Opaque

clusters/ipv6/media/invidious/invidious-svc.yml

@@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-service
+  namespace: media
+spec:
+  selector:
+    app: invidious
+  ports:
+  - port: 3000
+    targetPort: 3000
+    protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-companion-service
+  namespace: media
+spec:
+  selector:
+    app: invidious-companion
+  ports:
+  - port: 8282
+    targetPort: 8282
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious-db
+  namespace: media
+spec:
+  selector:
+    app: invidious-db
+  ports:
+  - port: 5432
+    targetPort: 5432
+  clusterIP: None

clusters/ipv6/media/invidious/invidious.yml

@@ -0,0 +1,70 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: invidious
+  namespace: media
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: invidious
+  template:
+    metadata:
+      labels:
+        app: invidious
+    spec:
+      initContainers:
+      - name: substitute-config
+        image: alpine
+        envFrom:
+        - secretRef:
+            name: invidious-secrets
+        command:
+        - sh
+        - -c
+        - apk add gettext && envsubst < /mnt/init/invidious.yml > /mnt/invidious.yml
+        volumeMounts:
+        - name: invidious-config
+          mountPath: /mnt/init/invidious.yml
+          subPath: invidious.yml
+        - name: tmp
+          mountPath: /mnt
+          subPath: invidious.yml
+      containers:
+      - name: invidious
+        image: quay.io/invidious/invidious@sha256:2836b5b8226a53a9cc2afdbd5f5fe6bccdd200f2e17cd92a828b4dc8d8b5cc06
+        command:
+        - sh
+        - -c
+        - |
+          export INVIDIOUS_CONFIG="$(cat /mnt/invidious.yml)" &&
+          exec /invidious/invidious
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              nc -z invidious-db.media.svc.cluster.local 5432 && nc -z invidious-companion-service.media.svc.cluster.local 8282
+        env:
+        - name: INVIDIOUS_PORT
+          value: "3000"
+        ports:
+        - containerPort: 3000
+        volumeMounts:
+        - name: logging
+          mountPath: /var/log/invidious
+        - name: tmp
+          mountPath: /mnt
+          subPath: invidious.yml
+      volumes:
+      - name: logging
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: invidious-config
+        configMap:
+          name: invidious-config

clusters/ipv6/media/jellyfin/jellyfin-ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyfin-ingress
+  namespace: media
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - jellyfin.akshun-lab.cc
+    secretName: jellyfin-tls
+  rules:
+  - host: jellyfin.akshun-lab.cc
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jellyfin-service
+            port:
+              number: 8096
+

clusters/ipv6/media/jellyfin/jellyfin-pvc.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-pvc
+  namespace: media
+spec:
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: longhorn
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+

clusters/ipv6/media/jellyfin/jellyfin-svc.yml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyfin-service
+  namespace: media
+spec:
+  selector:
+    app: jellyfin
+  ports:
+  - port: 8096
+    targetPort: 8096
+    protocol: TCP
+

clusters/ipv6/media/jellyfin/jellyfin.yml

@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyfin
+  template:
+    metadata:
+      labels:
+        app: jellyfin
+    spec:
+      containers:
+      - name: jellyfin
+        image: jellyfin/jellyfin:10.11.5
+        ports:
+        - containerPort: 8096
+        volumeMounts:
+        - name: media
+          mountPath: /media
+        - name: config
+          mountPath: /config
+        - name: cache
+          mountPath: /cache
+        - name: i915
+          mountPath: /dev/dri
+        securityContext:
+            privileged: true
+        resources:
+          requests:
+            gpu.intel.com/i915: "1"
+          limits:
+            gpu.intel.com/i915: "1"
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: jellyfin-pvc
+      - name: cache
+        emptyDir: {}
+      - name: media
+        nfs:
+          server: 10.0.0.123
+          path: /merge
+      - name: i915
+        hostPath:
+          path: /dev/dri
+

clusters/ipv6/media/namespace.yml

@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: media
+  labels:
+    name: media