recovery(post-outage): restore jellyfin and maintenance sync

services/jellyfin/deployment.yaml

@@ -77,23 +77,26 @@ spec:
               mountPath: /config
       affinity:
         nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: longhorn-host
+                    operator: In
+                    values:
+                      - "true"
+                  - key: node-role.kubernetes.io/worker
+                    operator: In
+                    values:
+                      - "true"
           preferredDuringSchedulingIgnoredDuringExecution:
             - weight: 100
               preference:
                 matchExpressions:
-                  - key: kubernetes.io/hostname
+                  - key: hardware
                     operator: In
                     values:
-                      - titan-22
+                      - rpi5
             - weight: 80
-              preference:
-                matchExpressions:
-                  - key: kubernetes.io/hostname
-                    operator: In
-                    values:
-                      - titan-20
-                      - titan-21
-            - weight: 60
               preference:
                 matchExpressions:
                   - key: kubernetes.io/hostname
@@ -105,7 +108,6 @@ spec:
         fsGroup: 65532
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 65532
-      runtimeClassName: nvidia
       containers:
         - name: jellyfin
           image: docker.io/jellyfin/jellyfin:10.11.5
@@ -118,8 +120,6 @@ spec:
             - name: http
               containerPort: 8096
           env:
-            - name: NVIDIA_DRIVER_CAPABILITIES
-              value: "compute,video,utility"
             - name: JELLYFIN_PublishedServerUrl
               value: "https://stream.bstein.dev"
             - name: PUID
@@ -131,12 +131,7 @@ spec:
             - name: VAULT_COPY_FILES
               value: /vault/secrets/ldap-config.xml:/config/plugins/configurations/LDAP-Auth.xml
           resources:
-            limits:
-              nvidia.com/gpu.shared: 1
-            #   cpu: "4"
-            #   memory: 8Gi
             requests:
-              nvidia.com/gpu.shared: 1
               cpu: "500m"
               memory: 1Gi
           volumeMounts:

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -237,7 +237,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 write_policy_and_role "health" "health" "health-vault-sync" \
   "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
-  "maintenance/ariadne-db maintenance/metis-oidc maintenance/soteria-oidc maintenance/metis-ssh-keys maintenance/metis-runtime portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull harbor/harbor-core" "" \
+  "maintenance/ariadne-db maintenance/metis-oidc maintenance/soteria-oidc maintenance/metis-ssh-keys maintenance/metis-runtime portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull shared/soteria-restic harbor/harbor-core" "" \
   '
 path "kv/data/atlas/nodes/*" {
   capabilities = ["read"]