---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app shokoserver
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 3.5.1
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
  values:
    controllers:
      shokoserver:
        annotations:
          reloader.stakater.com/auto: "true"
        initContainers:
          gluetun:
            image:
              repository: ghcr.io/qdm12/gluetun
              tag: v3.39.1
            env:
              DOT: "off"
              VPN_SERVICE_PROVIDER: protonvpn
              VPN_TYPE: wireguard
              VPN_INTERFACE: wg0
              FIREWALL_INPUT_PORTS: "80"
            envFrom:
              - secretRef:
                  name: shokoserver-secret
            resources:
              limits:
                kernel.org/tun: 1
            restartPolicy: Always
            securityContext:
              capabilities:
                add: ["NET_ADMIN"]
              allowPrivilegeEscalation: false
        containers:
          app:
            image:
              repository: ghcr.io/jahanson/shokoserver
              tag: v5.0.0@sha256:193aedf3e3f2d7031a76274d5bae0004c3d920c24831d688d991f85d4bb24ce2
            env:
              TZ: America/Chicago
              PORT: &port 80
            # probes:
            #   liveness: &probes
            #     enabled: true
            #     custom: true
            #     spec:
            #       httpGet:
            #         path: /status
            #         port: *port
            #       initialDelaySeconds: 0
            #       periodSeconds: 10
            #       timeoutSeconds: 1
            #       failureThreshold: 3
            #   readiness: *probes
            #   startup:
            #     enabled: false
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 568
        runAsGroup: 568
        fsGroup: 568
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile: { type: RuntimeDefault }
    service:
      app:
        controller: shokoserver
        ports:
          http:
            port: *port
            targetPort: 8111
    ingress:
      app:
        className: internal-nginx
        hosts:
          - host: "${APP}.jahanson.tech"
            paths:
              - path: /
                service:
                  identifier: app
                  port: http
    persistence:
      config:
        existingClaim: "${APP}"
        globalMounts:
          - path: /.shoko
      media:
        type: nfs
        server: 10.1.1.61
        path: /moria/media/
        globalMounts:
          - path: /data/moria-media
      # logs:
      #   type: emptyDir
      #   globalMounts:
      #     - path: /app/config/logs
      tmp:
        type: emptyDir