autobrrrrrrrrrrrrrr (#5628)

Author: joryirving

.vscode/settings.json

@@ -12,6 +12,7 @@
   "explorer.autoReveal": true,
   "files.associations": {
     "**/*.json5": "json5",
+    "**/*.tofu": "terraform",
   },
   "files.trimTrailingWhitespace": true,
   "material-icon-theme.files.associations": {

kubernetes/apps/base/downloads/autobrr/externalsecret.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: &name autobrr
+spec:
+  refreshInterval: 5m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: *name
+    template:
+      data:
+        AUTOBRR__SESSION_SECRET: "{{ .AUTOBRR_SESSION_SECRET }}"
+        AUTOBRR__OIDC_ENABLED: "true"
+        AUTOBRR__OIDC_ISSUER: https://sso.jory.dev/application/o/autobrr/
+        AUTOBRR__OIDC_REDIRECT_URL: https://autobrr.jory.dev/api/auth/oidc/callback
+        AUTOBRR__OIDC_DISABLE_BUILT_IN_LOGIN: "false"
+        AUTOBRR__OIDC_CLIENT_ID: "{{ .AUTOBRR_CLIENT_ID }}"
+        AUTOBRR__OIDC_CLIENT_SECRET: "{{ .AUTOBRR_CLIENT_SECRET }}"
+  dataFrom:
+    - extract:
+        key: autobrr

kubernetes/apps/base/downloads/autobrr/helmrelease.yaml

@@ -0,0 +1,95 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: autobrr
+spec:
+  chartRef:
+    kind: OCIRepository
+    name: app-template
+  dependsOn: []
+  interval: 15m
+  values:
+    controllers:
+      autobrr:
+        type: statefulset
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/autobrr/autobrr
+              tag: v1.71.0@sha256:db9794958a0f9db93059c1e9f06193a063ce3846d346d7a7c9eca607c6617c51
+            env:
+              AUTOBRR__HOST: 0.0.0.0
+              AUTOBRR__PORT: &port 80
+              AUTOBRR__METRICS_ENABLED: true
+              AUTOBRR__METRICS_HOST: 0.0.0.0
+              AUTOBRR__METRICS_PORT: &metricsPort 9094
+              AUTOBRR__CHECK_FOR_UPDATES: false
+              AUTOBRR__LOG_LEVEL: INFO
+            envFrom:
+              - secretRef:
+                  name: "{{ .Release.Name }}"
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /api/healthz/liveness
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /api/healthz/readiness
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: {drop: ["ALL"]}
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 256Mi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 100
+        fsGroup: 100
+        fsGroupChangePolicy: OnRootMismatch
+    service:
+      app:
+        ports:
+          http:
+            port: *port
+          metrics:
+            port: *metricsPort
+    serviceMonitor:
+      app:
+        endpoints:
+          - port: metrics
+    route:
+      app:
+        hostnames: ["{{ .Release.Name }}.jory.dev"]
+        parentRefs:
+          - name: envoy-internal
+            namespace: network
+    persistence:
+      config:
+        existingClaim: "{{ .Release.Name }}"
+      tmp:
+        type: emptyDir

kubernetes/apps/base/downloads/autobrr/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+  - ./prometheusrule.yaml

kubernetes/apps/base/downloads/autobrr/prometheusrule.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: autobrr
+spec:
+  groups:
+    - name: autobrr.rules
+      rules:
+        - alert: AutobrrNetworkUnmonitored
+          expr: |-
+            autobrr_irc_channel_enabled_total != autobrr_irc_channel_monitored_total
+          for: 1h
+          annotations:
+            summary: >-
+              {{ $labels.network }} is not being monitored by Autobrr
+          labels:
+            severity: critical

kubernetes/apps/main/downloads/autobrr.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app autobrr
+spec:
+  components:
+    - ../../../../components/volsync
+  interval: 1h
+  path: ./kubernetes/apps/base/downloads/autobrr
+  postBuild:
+    substitute:
+      APP: *app
+      CLUSTER: ${CLUSTER}
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  wait: false

kubernetes/apps/main/downloads/kustomization.yaml

@@ -8,6 +8,7 @@ components:
 replacements:
   - path: ../../../components/replacements/ks.yaml
 resources:
+  - ./autobrr.yaml
   - ./bazarr.yaml
   # - ./cross-seed.yaml
   - ./flaresolverr.yaml

terraform/authentik/applications.tofu

@@ -1,5 +1,6 @@
 locals {
   oauth_apps = [
+    "autobrr",
     "Arcane",
     "ErsatzTV",
     "Grafana",
@@ -23,6 +24,15 @@ module "onepassword_application" {
 
 locals {
   applications = {
+    autobrr = {
+      client_id         = module.onepassword_application["autobrr"].fields["AUTOBRR_CLIENT_ID"]
+      client_secret     = module.onepassword_application["autobrr"].fields["AUTOBRR_CLIENT_SECRET"]
+      group             = "media"
+      icon_url          = "https://raw.githubusercontent.com/homarr-labs/dashboard-icons/main/png/autobrr.png"
+      redirect_uri      = "https://autobrr.${var.CLUSTER_DOMAIN}/api/auth/oidc/callback"
+      launch_url        = "https://autobrr.${var.CLUSTER_DOMAIN}"
+      property_mappings = local.default_property_mappings
+    },
     Arcane = {
       client_id         = module.onepassword_application["Arcane"].fields["ARCANE_CLIENT_ID"]
       client_secret     = module.onepassword_application["Arcane"].fields["ARCANE_CLIENT_SECRET"]