From bb56038f7ce5549dd5ee74fdfdafb23fcd960dcc Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Thu, 7 Nov 2024 15:47:40 -0600
Subject: [PATCH] add shoko server
---
 kubernetes/apps/anime/kustomization.yaml | 2 +-
 .../apps/anime/shoko/app/externalsecret.yaml | 31 +++++
 .../apps/anime/shoko/app/helmrelease.yaml | 125 ++++++++++++++++++
 .../apps/anime/shoko/app/kustomization.yaml | 9 ++
 kubernetes/apps/anime/shoko/ks.yaml | 24 ++++
 5 files changed, 190 insertions(+), 1 deletion(-)
 create mode 100644 kubernetes/apps/anime/shoko/app/externalsecret.yaml
 create mode 100644 kubernetes/apps/anime/shoko/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/anime/shoko/app/kustomization.yaml
 create mode 100644 kubernetes/apps/anime/shoko/ks.yaml
diff --git a/kubernetes/apps/anime/kustomization.yaml b/kubernetes/apps/anime/kustomization.yaml
index e0f11baa..632ac145 100644
--- a/kubernetes/apps/anime/kustomization.yaml
+++ b/kubernetes/apps/anime/kustomization.yaml
@@ -9,5 +9,5 @@ resources:
 - ./jellyfin/ks.yaml # sqlite
 - ./jellyseerr/ks.yaml # sqlite
 - ./radarr/ks.yaml # postgres
- # - ./shoko/ks.yaml # sqlite
+ - ./shoko/ks.yaml # sqlite
 - ./sonarr/ks.yaml # postgres
diff --git a/kubernetes/apps/anime/shoko/app/externalsecret.yaml b/kubernetes/apps/anime/shoko/app/externalsecret.yaml
new file mode 100644
index 00000000..e4dce10c
--- /dev/null
+++ b/kubernetes/apps/anime/shoko/app/externalsecret.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: shokoserver
+spec:
+ refreshInterval: 5m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: shokoserver-secret
+ creationPolicy: Owner
+ data:
+ - secretKey: WIREGUARD_ENDPOINT_IP
+ remoteRef:
+ key: ProtonVPN
+ property: shokoserver_vpn_endpoint_ip
+ - secretKey: WIREGUARD_PUBLIC_KEY
+ remoteRef:
+ key: ProtonVPN
+ property: shokoserver_wireguard_public_key
+ - secretKey: WIREGUARD_PRIVATE_KEY
+ remoteRef:
+ key: ProtonVPN
+ property: shokoserver_wireguard_private_key
+ - secretKey: WIREGUARD_ADDRESSES
+ remoteRef:
+ key: ProtonVPN
+ property: wireguard_addresses
diff --git a/kubernetes/apps/anime/shoko/app/helmrelease.yaml b/kubernetes/apps/anime/shoko/app/helmrelease.yaml
new file mode 100644
index 00000000..862a91f5
--- /dev/null
+++ b/kubernetes/apps/anime/shoko/app/helmrelease.yaml
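Review bot: The `WIREGUARD_ADDRESSES` entry at the end of `externalsecret.yaml` reads `property: wireguard_addresses`, while the three entries above it all use `shokoserver_`-prefixed fields of the same `ProtonVPN` item, so the tunnel address is the one value here that is not scoped to this workload. If the address is meant to be shared by every peer, a comment above the entry such as `# address is common to all ProtonVPN WireGuard peers, not per-app` would stop a later reader from treating it as a typo. If it is per-peer, the private key and the address can drift apart when the shared field is edited for another app. Nothing else in the hunk shows which is intended.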
@@ -0,0 +1,125 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app shokoserver
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ dependsOn:
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: volsync-system
+ values:
+ controllers:
+ shokoserver:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ initContainers:
+ gluetun:
+ image:
+ repository: ghcr.io/qdm12/gluetun
+ tag: v3.39.1
+ env:
+ DOT: "off"
+ VPN_SERVICE_PROVIDER: protonvpn
+ VPN_TYPE: wireguard
+ VPN_INTERFACE: wg0
+ FIREWALL_INPUT_PORTS: "80"
+ envFrom:
+ - secretRef:
+ name: shokoserver-secret
+ resources:
+ limits:
+ kernel.org/tun: 1
+ restartPolicy: Always
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ allowPrivilegeEscalation: false
+ containers:
+ app:
+ image:
+ repository: ghcr.io/jahanson/shokoserver
+ tag: v5.0.0@sha256:193aedf3e3f2d7031a76274d5bae0004c3d920c24831d688d991f85d4bb24ce2
+ env:
+ TZ: America/Chicago
+ PORT: &port 80
+ # probes:
+ # liveness: &probes
+ # enabled: true
+ # custom: true
+ # spec:
+ # httpGet:
+ # path: /status
+ # port: *port
+ # initialDelaySeconds: 0
+ # periodSeconds: 10
+ # timeoutSeconds: 1
+ # failureThreshold: 3
+ # readiness: *probes
+ # startup:
+ # enabled: false
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 568
+ runAsGroup: 568
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
+ service:
+ app:
+ controller: shokoserver
+ ports:
+ http:
+ port: *port
+ targetPort: 8111
+ ingress:
+ app:
+ className: internal-nginx
+ hosts:
+ - host: "${APP}.jahanson.tech"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ persistence:
+ config:
+ existingClaim: "${APP}"
+ globalMounts:
+ - path: /.shoko
+ media:
+ type: nfs
+ server: 10.1.1.61
+ path: /moria/media/
+ globalMounts:
+ - path: /data/moria-media
+ # logs:
+ # type: emptyDir
+ # globalMounts:
+ # - path: /app/config/logs
+ tmp:
+ type: emptyDir
diff --git a/kubernetes/apps/anime/shoko/app/kustomization.yaml b/kubernetes/apps/anime/shoko/app/kustomization.yaml
new file mode 100644
index 00000000..29c10b8c
--- /dev/null
+++ b/kubernetes/apps/anime/shoko/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
+ - ../../../../templates/gatus/internal
+ - ../../../../templates/volsync
diff --git a/kubernetes/apps/anime/shoko/ks.yaml b/kubernetes/apps/anime/shoko/ks.yaml
new file mode 100644
index 00000000..a47681b6
--- /dev/null
+++ b/kubernetes/apps/anime/shoko/ks.yaml
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app shoko
+ namespace: flux-system
+spec:
+ targetNamespace: anime
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/anime/shoko/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: theshire
+ wait: false
+ interval: 30m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
+ VOLSYNC_CAPACITY: 5Gi
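Review bot: In `helmrelease.yaml`, `FIREWALL_INPUT_PORTS: "80"` on the gluetun container does not match the port the pod actually receives traffic on. The service maps `port: *port` (80) to `targetPort: 8111`, so packets reach the shared network namespace on 8111 while gluetun's input firewall is told to admit only 80. Unless the image really binds to `PORT` (not visible here), this should read `FIREWALL_INPUT_PORTS: "8111"`, and the commented-out probes would need `port: 8111` rather than `*port` when they are re-enabled. Separately, gluetun is the container that holds `NET_ADMIN` and the WireGuard private key, yet it is pinned only by `tag: v3.39.1` while the app image carries an `@sha256:` digest. Pin it the same way, e.g. `tag: v3.39.1@sha256:DIGEST_OF_VERIFIED_IMAGE`.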