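---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
# Flux HelmRelease that deploys calibre-web-automated from the app-template
# chart (referenced through the `app-template` OCIRepository).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app calibre-web-automated
  namespace: default
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: app-template
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    defaultPodOptions:
      # The pod runs as UID/GID 0. The container securityContext below drops
      # ALL capabilities and adds back five, under the RuntimeDefault seccomp
      # profile.
      # NOTE(review): presumably root is required by the image's s6 init;
      # confirm, and revisit if the image gains a non-root mode.
      securityContext:
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
        seccompProfile: { type: RuntimeDefault }
    controllers:
      # NOTE(review): this key comes from the ${APP} substitution, while
      # service.app.controller uses the *app anchor. Both must resolve to the
      # same name; confirm the substitution supplies it.
      ${APP}:
        containers:
          app:
            image:
              repository: ghcr.io/crocodilestick/calibre-web-automated
              # Tag is pinned together with its sha256 digest.
              tag: V3.1.4@sha256:577e846f104fd21453ef306eefb4a95dd95b3b9ddd2463a150944494284da0fd
            # Boolean- and number-looking values are quoted so they stay
            # strings however the chart renders them.
            env:
              CACHE_DIR: /cache
              # Skips/soft fail on privileged actions that shouldn't exist anyways
              NETWORK_SHARE_MODE: "true"
              S6_YES_I_WANT_A_WORLD_WRITABLE_RUN_BECAUSE_KUBERNETES: "1"
              S6_READ_ONLY_ROOT: "1"
            # NOTE(review): allowPrivilegeEscalation: true leaves no_new_privs
            # unset for a root container, and the root filesystem stays
            # writable although S6_READ_ONLY_ROOT is set above. If the image
            # starts with both tightened, prefer that; verify in a test
            # deploy before changing.
            securityContext:
              allowPrivilegeEscalation: true
              readOnlyRootFilesystem: false
              capabilities:
                drop:
                  - ALL
                # DAC_OVERRIDE and FOWNER bypass file permission and ownership
                # checks inside the container. On the NFS mounts below the
                # effective access presumably still depends on the server's
                # export options; confirm.
                add:  # S6
                  - CHOWN
                  - SETUID
                  - SETGID
                  - FOWNER
                  - DAC_OVERRIDE
            # Liveness and readiness share one HTTP GET on /login.
            probes:
              liveness: &probes
                enabled: true
                custom: true
                spec:
                  httpGet:
                    port: &port 8083
                    path: /login
              readiness: *probes
            resources:
              requests:
                cpu: 50m
                memory: 200Mi
              limits:
                memory: 600Mi
    service:
      app:
        controller: *app
        ports:
          http:
            port: *port
    # Exposed through the `internal` parent in the `network` namespace on its
    # `https` section; the hostname is built from ${SECRET_EXTERNAL_DOMAIN}.
    route:
      app:
        hostnames: ["calibre.${SECRET_EXTERNAL_DOMAIN}"]
        parentRefs:
          - name: internal
            namespace: network
            sectionName: https
        rules:
          - backendRefs:
              - name: *app
                port: *port
    persistence:
      config:
        enabled: true
        existingClaim: *app
        globalMounts:
          - path: /config
      # One emptyDir shared by /cache, /tmp and /run through subPaths.
      # NOTE(review): despite the name, no medium or size limit is set here,
      # so this is presumably node-storage backed and unbounded; confirm that
      # is intended.
      tmpfs:
        type: emptyDir
        globalMounts:
          - path: /cache
            subPath: cache
          - path: /tmp
            subPath: tmp
          - path: /run
            subPath: run
      ingest:
        type: nfs
        server: &nas 192.168.9.10
        path: /var/mnt/vol1/apps/calibre/ingest
        globalMounts:
          - path: /cwa-book-ingest
      library:
        type: nfs
        server: *nas
        path: /var/mnt/vol1/apps/calibre/library
        globalMounts:
          - path: /calibre-library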