# services/jellyfin/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: jellyfin namespace: jellyfin labels: app: jellyfin spec: replicas: 1 strategy: type: RollingUpdate rollingUpdate: maxSurge: 0 maxUnavailable: 1 selector: matchLabels: app: jellyfin template: metadata: labels: app: jellyfin annotations: vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/role: "pegasus" vault.hashicorp.com/agent-inject-secret-ldap-config.xml: "kv/data/atlas/pegasus/jellyfin-ldap-config" vault.hashicorp.com/agent-inject-template-ldap-config.xml: | {{- with secret "kv/data/atlas/pegasus/jellyfin-ldap-config" -}}{{ index .Data.data "ldap-config.xml" }}{{- end -}} spec: serviceAccountName: pegasus-vault-sync # Clean up any lingering OIDC artifacts and strip the injected script tag initContainers: - name: strip-oidc image: docker.io/jellyfin/jellyfin:10.11.5 securityContext: runAsUser: 0 runAsGroup: 0 command: - /bin/sh - -c - | set -euxo pipefail cp -a /jellyfin/jellyfin-web/. /web-root # remove injected OIDC script tags everywhere just in case for f in $(find /web-root -type f -name 'index.html'); do sed -i '/oidc\/inject/d' "$f" printf '%s\n' "$f" done # clean any lingering OIDC plugin artifacts on the config volume rm -rf "/config/plugins/OIDC Authentication_"* /config/plugins/configurations/JellyfinOIDCPlugin.v2.xml || true volumeMounts: - name: web-root mountPath: /web-root - name: config mountPath: /config # Force all users to authenticate via the LDAP plugin provider by updating the DB on start. # This keeps Flux enforcement for auth provider drift (e.g., after UI edits). - name: set-ldap-auth-provider image: docker.io/library/alpine:3.20 securityContext: runAsUser: 0 runAsGroup: 0 command: - /bin/sh - -c - | set -euxo pipefail apk add --no-cache sqlite db="/config/data/jellyfin.db" if [ -f "$db" ]; then sqlite3 "$db" "UPDATE Users SET AuthenticationProviderId='Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin', Password=NULL, EnableLocalPassword=0 WHERE AuthenticationProviderId!='Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin';" else echo "db not found at $db, skipping" fi volumeMounts: - name: config mountPath: /config affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 preference: matchExpressions: - key: kubernetes.io/hostname operator: In values: - titan-22 - weight: 80 preference: matchExpressions: - key: kubernetes.io/hostname operator: In values: - titan-20 - titan-21 - weight: 60 preference: matchExpressions: - key: kubernetes.io/hostname operator: In values: - titan-24 securityContext: runAsUser: 1000 fsGroup: 65532 fsGroupChangePolicy: OnRootMismatch runAsGroup: 65532 runtimeClassName: nvidia containers: - name: jellyfin image: docker.io/jellyfin/jellyfin:10.11.5 imagePullPolicy: IfNotPresent command: - /entrypoint.sh args: - /jellyfin/jellyfin ports: - name: http containerPort: 8096 env: - name: NVIDIA_DRIVER_CAPABILITIES value: "compute,video,utility" - name: JELLYFIN_PublishedServerUrl value: "https://stream.bstein.dev" - name: PUID value: "1000" - name: PGID value: "65532" - name: UMASK value: "002" - name: VAULT_COPY_FILES value: /vault/secrets/ldap-config.xml:/config/plugins/configurations/LDAP-Auth.xml resources: limits: nvidia.com/gpu.shared: 1 # cpu: "4" # memory: 8Gi requests: nvidia.com/gpu.shared: 1 cpu: "500m" memory: 1Gi volumeMounts: - name: jellyfin-vault-entrypoint mountPath: /entrypoint.sh subPath: vault-entrypoint.sh - name: config mountPath: /config - name: cache mountPath: /cache - name: media mountPath: /media - name: web-root mountPath: /jellyfin/jellyfin-web lifecycle: postStart: exec: command: - /bin/sh - -c - | set -eux for f in $(find /jellyfin/jellyfin-web -type f -name 'index.html'); do sed -i '/oidc\/inject/d' "$f" || true done securityContext: runAsUser: 0 runAsGroup: 0 allowPrivilegeEscalation: false readOnlyRootFilesystem: false volumes: - name: jellyfin-vault-entrypoint configMap: name: jellyfin-vault-entrypoint defaultMode: 493 - name: web-root emptyDir: {} - name: config persistentVolumeClaim: claimName: jellyfin-config-astreae - name: cache emptyDir: {} - name: media persistentVolumeClaim: claimName: jellyfin-media-asteria-new