Add kyoo v5

Add grafana
Add grafana operator
2025-12-05 23:06:23 +00:00 · 2025-11-10 19:51:14 +01:00 · 2025-11-10 18:37:07 +01:00 · 2025-11-10 17:38:31 +01:00 · 2025-11-10 13:56:35 +00:00 · 2025-11-10 12:55:56 +01:00
8 changed files with 325 additions and 25 deletions
--- a/apps/grafana-operator.yaml
+++ b/apps/grafana-operator.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana-operator
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: grafana
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+  source:
+    repoURL: ghcr.io/grafana/helm-charts
+    chart: grafana-operator
+    targetRevision: v5.20.0
+    helm:
+      valuesObject: {}
--- a/apps/grafana.yaml
+++ b/apps/grafana.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: grafana
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: https://github.com/zoriya/snow
+    targetRevision: HEAD
+    path: apps/grafana
--- a/apps/grafana/grafana.yaml
+++ b/apps/grafana/grafana.yaml
@@ -0,0 +1,85 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+  name: grafana
+  labels:
+    dashboards: "grafana"
+spec:
+  config:
+    log:
+      mode: "console"
+    auth:
+      disable_login_form: "false"
+      signout_redirect_url: "https://authentik.sdg.moe/application/o/grafana/end-session/"
+      oauth_auto_login: "true"
+    server:
+      root_url: https://grafana.sdg.moe
+    auth.generic_oauth:
+      name: authentik
+      enabled: "true"
+      allow_sign_up: "true"
+      client_id: ${AUTH_CLIENT_ID}
+      client_secret: ${AUTH_CLIENT_SECRET}
+      scopes: "openid profile email"
+      auth_url: "https://authentik.sdg.moe/application/o/authorize/"
+      token_url: "https://authentik.sdg.moe/application/o/token/"
+      api_url: "https://authentik.sdg.moe/application/o/userinfo/"
+      role_attribute_path: 'Admin' #contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
+
+  persistentVolumeClaim:
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+  deployment:
+    spec:
+      template:
+        spec:
+          securityContext:
+            fsGroup: 10001
+          containers:
+            - name: grafana
+              env:
+                - name: AUTH_CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: grafana-oidc
+                      key: clientId
+                - name: AUTH_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: grafana-oidc
+                      key: clientSecret
+              readinessProbe:
+                failureThreshold: 3
+          volumes:
+            - name: grafana-data
+              persistentVolumeClaim:
+                claimName: grafana-pvc
+      strategy:
+        type: Recreate
+
+  ingress:
+    metadata:
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+        acme.cert-manager.io/http01-edit-in-place: "true"
+    spec:
+      ingressClassName: cilium
+      rules:
+        - host: grafana.sdg.moe
+          http:
+            paths:
+              - path: /
+                pathType: Prefix
+                backend:
+                  service:
+                    name: grafana-service
+                    port:
+                      number: 3000
+      tls:
+        - hosts:
+            - grafana.sdg.moe
+          secretName: grafana-ssl
--- a/apps/grafana/oidc.yaml
+++ b/apps/grafana/oidc.yaml
@@ -0,0 +1,12 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: grafana-oidc
+spec:
+  refreshInterval: 24h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  dataFrom:
+  - extract:
+      key: grafana-sso
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -6,7 +6,7 @@ helmCharts:
    name: immich
    releaseName: immich
    namespace: immich
-    version: 0.10.1
+    version: 0.10.2
    valuesFile: values.yaml

 resources:
--- a/apps/kyoo-v5.yaml
+++ b/apps/kyoo-v5.yaml
@@ -0,0 +1,93 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kyoo-v5
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kyoo-next
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+  source:
+    repoURL: https://github.com/acelinkio/kyoo
+    path: chart
+    targetRevision: prepare_traefik
+    # repoURL: ghcr.io/zoriya/helm-charts
+    # chart: kyoo
+    # targetRevision: edge
+    helm:
+      valuesObject:
+        global:
+          image:
+            tag: edge
+            imagePullPolicy: Always
+          postgres:
+            kyoo_auth:
+              host: kyoo-v5-postgres
+            kyoo_api:
+              host: kyoo-v5-postgres
+            kyoo_scanner:
+              host: kyoo-v5-postgres
+            kyoo_transcoder:
+              host: kyoo-v5-postgres
+        postgres:
+          enabled: true
+        kyoo:
+          address: https://beta.sdg.moe
+          transcoderAcceleration: nvidia
+        transcoder:
+          runtimeClass: nvidia
+        ingress:
+          enabled: true
+          host: beta.sdg.moe
+          ingressClassName: cilium
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt
+            acme.cert-manager.io/http01-edit-in-place: "true"
+          tls: true
+          tlsSecret: kyoo-tls
+        extraObjects:
+          - apiVersion: v1
+            kind: Secret
+            metadata:
+              name: bigsecret
+            type: Opaque
+            stringData:
+              postgres_user: kyoo_all
+              postgres_password: watchSomething4me
+              scanner_apikey: scanner-triquarter4u
+
+          - apiVersion: v1
+            kind: PersistentVolume
+            metadata:
+              name: kyoo-v5-medias
+            spec:
+              accessModes:
+              - ReadWriteOnce
+              capacity:
+                storage: 200Ti
+              csi:
+                driver: zfs.csi.openebs.io
+                fsType: zfs
+                volumeAttributes:
+                  openebs.io/poolname: ocean
+                volumeHandle: "medias"
+              persistentVolumeReclaimPolicy: Retain
+          - apiVersion: v1
+            kind: PersistentVolumeClaim
+            metadata:
+              name: media
+            spec:
+              storageClassName: ""
+              volumeName: kyoo-v5-medias
+              accessModes:
+              - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 200Ti
--- a/apps/otel/otel-clickhouse.yaml
+++ b/apps/otel/otel-clickhouse.yaml
@@ -3,25 +3,6 @@ kind: ClickHouseInstallation
 metadata:
  name: otel-cluster
 spec:
-  templates:
-    podTemplates:
-      - name: clickhouse-pod-template
-        spec:
-          containers:
-            - name: clickhouse
-              image: altinity/clickhouse-server:25.3.6.10034.altinitystable
-              volumeMounts:
-                - name: clickhouse-storage
-                  mountPath: /var/lib/clickhouse
-    volumeClaimTemplates:
-      - name: clickhouse-storage
-        reclaimPolicy: Retain
-        spec:
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: 5Gi
  configuration:
    clusters:
      - name: otel-cluster
@@ -30,3 +11,84 @@ spec:
          replicasCount: 1
        templates:
          podTemplate: clickhouse-pod-template
+    users:
+      collector/password:
+        valueFrom:
+          secretKeyRef:
+            name: clickhouse-passwords
+            key: collector
+      collector/networks/ip: "::/0"
+      collector/grants/query:
+        - GRANT SELECT, INSERT, UPDATE, DROP, DELETE, ALTER, CREATE ON otel.*
+        - GRANT CREATE DATABASE ON *.*
+      grafana/password:
+        valueFrom:
+          secretKeyRef:
+            name: clickhouse-passwords
+            key: grafana
+      grafana/networks/ip: "::/0"
+      grafana/grants/query:
+        - GRANT SELECT ON otel.*
+  defaults:
+    templates:
+      podTemplate: pod-template
+      dataVolumeClaimTemplate: data-volume-template
+      logVolumeClaimTemplate: log-volume-template
+  templates:
+    podTemplates:
+      - name: pod-template
+        spec:
+          containers:
+            - name: clickhouse
+              image: clickhouse/clickhouse-server:latest
+              env:
+                - name: CLICKHOUSE_ALWAYS_RUN_INITDB_SCRIPTS
+                  value: "true"
+              volumeMounts:
+                - name: bootstrap-configmap-volume
+                  mountPath: /docker-entrypoint-initdb.d
+          volumes:
+            - name: bootstrap-configmap-volume
+              configMap:
+                name: bootstrap-mounted-configmap
+    volumeClaimTemplates:
+      - name: data-volume-template
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 10Gi
+      - name: log-volume-template
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: clickhouse-passwords
+spec:
+  refreshPolicy: CreatedOnce
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: ClusterGenerator
+          name: uuid
+      rewrite:
+        - regexp:
+            source: uuid
+            target: collector
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: ClusterGenerator
+          name: uuid
+      rewrite:
+        - regexp:
+            source: uuid
+            target: grafana
--- a/apps/otel/otel.yaml
+++ b/apps/otel/otel.yaml
@@ -4,6 +4,12 @@ metadata:
  name: otel
 spec:
  mode: daemonset
+  env:
+  - name: CLICKHOUSE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: clickhouse-passwords
+        key: collector
  config:
    receivers:
      # hostmetrics:
@@ -38,13 +44,13 @@ spec:
      debug:
        verbosity: detailed
      clickhouse:
-        endpoint: tcp://clickhouse-otel-cluster:9000?dial_timeout=10s&compress=lz4&async_insert=1
+        endpoint: tcp://clickhouse-otel-cluster.otel.svc.cluster.local:9000?dial_timeout=10s&compress=lz4&async_insert=1
+        username: collector
+        password: ${env:CLICKHOUSE_PASSWORD}
        ttl: 168h # a week
-        traces_table_name: otel_traces
-        logs_table_name: otel_logs
        create_schema: true
        timeout: 5s
-        database: default
+        database: otel
        sending_queue:
          queue_size: 1000
        retry_on_failure:
@@ -53,7 +59,6 @@ spec:
          max_interval: 30s
          max_elapsed_time: 300s

-
    extensions:
      health_check:
        endpoint: 0.0.0.0:13133
Author	SHA1	Message	Date
Zoe Roux	b7af6435a0	Add kyoo v5	2025-11-10 19:51:14 +01:00
Zoe Roux	a11c7ea3b8	Add grafana	2025-11-10 18:37:07 +01:00
Zoe Roux	38a8286b50	Add grafana operator	2025-11-10 17:38:31 +01:00
renovate[bot]	44e7809853	chore(deps): update immich docker tag to v0.10.2 (#51 ) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-11-10 13:56:35 +00:00
Zoe Roux	c49a4828e4	Add clickhouse users	2025-11-10 12:55:56 +01:00