titan-iac/services/jellyfin/deployment.yaml

# services/jellyfin/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jellyfin
  namespace: jellyfin
  labels:
    app: jellyfin
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: jellyfin
  template:
    metadata:
      labels:
        app: jellyfin
    spec:
      # Clean up any lingering OIDC artifacts and strip the injected script tag
      initContainers:
        - name: strip-oidc
          image: docker.io/jellyfin/jellyfin:10.11.5
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          command:
            - /bin/sh
            - -c
            - |
              set -euxo pipefail
              cp -a /jellyfin/jellyfin-web/. /web-root
              # remove injected OIDC script tags everywhere just in case
              for f in $(find /web-root -type f -name 'index.html'); do
                sed -i '/oidc\/inject/d' "$f"
                printf '%s\n' "$f"
              done
              # clean any lingering OIDC plugin artifacts on the config volume
              rm -rf "/config/plugins/OIDC Authentication_"* /config/plugins/configurations/JellyfinOIDCPlugin.v2.xml || true
          volumeMounts:
            - name: web-root
              mountPath: /web-root
            - name: config
              mountPath: /config
        # Force all users to authenticate via the LDAP plugin provider by updating the DB on start.
        # This keeps Flux enforcement for auth provider drift (e.g., after UI edits).
        - name: set-ldap-auth-provider
          image: docker.io/library/alpine:3.20
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          command:
            - /bin/sh
            - -c
            - |
              set -euxo pipefail
              apk add --no-cache sqlite
              db="/config/data/jellyfin.db"
              if [ -f "$db" ]; then
                sqlite3 "$db" "UPDATE Users SET AuthenticationProviderId='Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin', Password=NULL, EnableLocalPassword=0 WHERE AuthenticationProviderId!='Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin';"
              else
                echo "db not found at $db, skipping"
              fi
          volumeMounts:
            - name: config
              mountPath: /config
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
                      - titan-20
                      - titan-21
                      - titan-22
                      - titan-24
      securityContext:
        runAsUser: 1000 
        fsGroup: 65532
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 65532
      runtimeClassName: nvidia
      containers:
        - name: jellyfin
          image: docker.io/jellyfin/jellyfin:10.11.5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8096
          env:
            - name: NVIDIA_DRIVER_CAPABILITIES
              value: "compute,video,utility"
            - name: JELLYFIN_PublishedServerUrl
              value: "https://stream.bstein.dev"
            - name: PUID
              value: "1000"
            - name: PGID
              value: "65532"
            - name: UMASK
              value: "002"
          resources:
            limits:
              nvidia.com/gpu.shared: 1
            #   cpu: "4"
            #   memory: 8Gi
            requests:
              nvidia.com/gpu.shared: 1
              cpu: "500m"
              memory: 1Gi
          volumeMounts:
            - name: config
              mountPath: /config
            # Override LDAP plugin configuration from a secret to avoid embedding credentials in the PVC.
            - name: ldap-config
              mountPath: /config/plugins/configurations/LDAP-Auth.xml
              subPath: ldap-config.xml
            - name: cache
              mountPath: /cache
            - name: media
              mountPath: /media
            - name: web-root
              mountPath: /jellyfin/jellyfin-web
          lifecycle:
            postStart:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - |
                    set -eux
                    for f in $(find /jellyfin/jellyfin-web -type f -name 'index.html'); do
                      sed -i '/oidc\/inject/d' "$f" || true
                    done
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
      volumes:
        - name: web-root
          emptyDir: {}
        - name: config
          persistentVolumeClaim:
            claimName: jellyfin-config-astreae
        - name: cache
          persistentVolumeClaim:
            claimName: jellyfin-cache-astreae
        - name: media
          persistentVolumeClaim:
            claimName: jellyfin-media-asteria-new
        - name: ldap-config
          secret:
            secretName: jellyfin-ldap-config
            items:
              - key: ldap-config.xml
                path: ldap-config.xml
install jellyfin 2025-08-25 12:35:36 -05:00			`# services/jellyfin/deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: jellyfin`
			`namespace: jellyfin`
			`labels:`
			`app: jellyfin`
			`spec:`
jellyfin restart 2025-10-07 23:28:40 -05:00			`replicas: 1`
migrate jellyfin to stable version 2025-09-02 19:46:21 -05:00			`strategy:`
migrate jellyfin to stable version 2025-09-02 20:12:29 -05:00			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 0`
			`maxUnavailable: 1`
install jellyfin 2025-08-25 12:35:36 -05:00			`selector:`
			`matchLabels:`
			`app: jellyfin`
			`template:`
			`metadata:`
			`labels:`
			`app: jellyfin`
			`spec:`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`# Clean up any lingering OIDC artifacts and strip the injected script tag`
jellyfin: bootstrap oidc plugin 2025-12-19 21:13:31 -03:00			`initContainers:`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`- name: strip-oidc`
			`image: docker.io/jellyfin/jellyfin:10.11.5`
jellyfin: pull oidc plugin from streaming harbor and fix oidc redirect 2025-12-20 13:32:36 -03:00			`securityContext:`
			`runAsUser: 0`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`runAsGroup: 0`
			`command:`
			`- /bin/sh`
			`- -c`
jellyfin: pull oidc plugin from streaming harbor and fix oidc redirect 2025-12-20 13:32:36 -03:00			`- \|`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`set -euxo pipefail`
			`cp -a /jellyfin/jellyfin-web/. /web-root`
			`# remove injected OIDC script tags everywhere just in case`
			`for f in $(find /web-root -type f -name 'index.html'); do`
			`sed -i '/oidc\/inject/d' "$f"`
			`printf '%s\n' "$f"`
			`done`
			`# clean any lingering OIDC plugin artifacts on the config volume`
			`rm -rf "/config/plugins/OIDC Authentication_"* /config/plugins/configurations/JellyfinOIDCPlugin.v2.xml \|\| true`
jellyfin: upgrade to 10.11 and seed oidc plugin 2025-12-19 21:30:04 -03:00			`volumeMounts:`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`- name: web-root`
			`mountPath: /web-root`
jellyfin: upgrade to 10.11 and seed oidc plugin 2025-12-19 21:30:04 -03:00			`- name: config`
			`mountPath: /config`
jellyfin: enforce ldap auth provider on start 2025-12-24 17:25:07 -03:00			`# Force all users to authenticate via the LDAP plugin provider by updating the DB on start.`
			`# This keeps Flux enforcement for auth provider drift (e.g., after UI edits).`
			`- name: set-ldap-auth-provider`
			`image: docker.io/library/alpine:3.20`
			`securityContext:`
			`runAsUser: 0`
			`runAsGroup: 0`
			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`set -euxo pipefail`
			`apk add --no-cache sqlite`
			`db="/config/data/jellyfin.db"`
			`if [ -f "$db" ]; then`
jellyfin: fix LDAP auth provider id 2026-01-01 12:22:22 -03:00			`sqlite3 "$db" "UPDATE Users SET AuthenticationProviderId='Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin', Password=NULL, EnableLocalPassword=0 WHERE AuthenticationProviderId!='Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin';"`
jellyfin: enforce ldap auth provider on start 2025-12-24 17:25:07 -03:00			`else`
			`echo "db not found at $db, skipping"`
			`fi`
			`volumeMounts:`
			`- name: config`
			`mountPath: /config`
gpu: enable time-slicing and refresh dashboards 2026-01-01 14:16:08 -03:00			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: kubernetes.io/hostname`
			`operator: In`
			`values:`
			`- titan-20`
			`- titan-21`
			`- titan-22`
			`- titan-24`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`securityContext:`
			`runAsUser: 1000`
			`fsGroup: 65532`
			`fsGroupChangePolicy: OnRootMismatch`
			`runAsGroup: 65532`
install jellyfin 2025-08-25 12:35:36 -05:00			`runtimeClassName: nvidia`
			`containers:`
			`- name: jellyfin`
jellyfin: upgrade to 10.11 and seed oidc plugin 2025-12-19 21:30:04 -03:00			`image: docker.io/jellyfin/jellyfin:10.11.5`
install jellyfin 2025-08-25 12:35:36 -05:00			`imagePullPolicy: IfNotPresent`
			`ports:`
			`- name: http`
			`containerPort: 8096`
			`env:`
			`- name: NVIDIA_DRIVER_CAPABILITIES`
			`value: "compute,video,utility"`
			`- name: JELLYFIN_PublishedServerUrl`
			`value: "https://stream.bstein.dev"`
jellyfin and pegasus in same group 2025-09-18 08:52:58 -05:00			`- name: PUID`
			`value: "1000"`
			`- name: PGID`
			`value: "65532"`
			`- name: UMASK`
			`value: "002"`
install jellyfin 2025-08-25 12:35:36 -05:00			`resources:`
			`limits:`
gpu: enable time-slicing and refresh dashboards 2026-01-01 14:16:08 -03:00			`nvidia.com/gpu.shared: 1`
install jellyfin 2025-08-25 12:35:36 -05:00			`# cpu: "4"`
			`# memory: 8Gi`
			`requests:`
gpu: enable time-slicing and refresh dashboards 2026-01-01 14:16:08 -03:00			`nvidia.com/gpu.shared: 1`
install jellyfin 2025-08-25 12:35:36 -05:00			`cpu: "500m"`
			`memory: 1Gi`
			`volumeMounts:`
			`- name: config`
			`mountPath: /config`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`# Override LDAP plugin configuration from a secret to avoid embedding credentials in the PVC.`
			`- name: ldap-config`
			`mountPath: /config/plugins/configurations/LDAP-Auth.xml`
			`subPath: ldap-config.xml`
install jellyfin 2025-08-25 12:35:36 -05:00			`- name: cache`
			`mountPath: /cache`
			`- name: media`
			`mountPath: /media`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`- name: web-root`
			`mountPath: /jellyfin/jellyfin-web`
			`lifecycle:`
			`postStart:`
			`exec:`
			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`set -eux`
			`for f in $(find /jellyfin/jellyfin-web -type f -name 'index.html'); do`
			`sed -i '/oidc\/inject/d' "$f" \|\| true`
			`done`
install jellyfin 2025-08-25 12:35:36 -05:00			`securityContext:`
jellyfin: pull oidc plugin from streaming harbor and fix oidc redirect 2025-12-20 13:32:36 -03:00			`runAsUser: 0`
			`runAsGroup: 0`
install jellyfin 2025-08-25 12:35:36 -05:00			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: false`
			`volumes:`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`- name: web-root`
			`emptyDir: {}`
install jellyfin 2025-08-25 12:35:36 -05:00			`- name: config`
			`persistentVolumeClaim:`
migrate jellyfin to stable version 2025-09-02 19:46:21 -05:00			`claimName: jellyfin-config-astreae`
install jellyfin 2025-08-25 12:35:36 -05:00			`- name: cache`
			`persistentVolumeClaim:`
migrate jellyfin to stable version 2025-09-02 19:46:21 -05:00			`claimName: jellyfin-cache-astreae`
install jellyfin 2025-08-25 12:35:36 -05:00			`- name: media`
			`persistentVolumeClaim:`
monitoring add, jellyfin/pegasus update, and traefik tweaks 2025-10-07 23:26:27 -05:00			`claimName: jellyfin-media-asteria-new`
jellyfin: drop OIDC plugin and strip injected script 2025-12-24 15:26:02 -03:00			`- name: ldap-config`
			`secret:`
			`secretName: jellyfin-ldap-config`
			`items:`
			`- key: ldap-config.xml`
			`path: ldap-config.xml`