From 16e7cd43a8b015fef138709bfd9af4a4a9973278 Mon Sep 17 00:00:00 2001
From: Jean-Francois Roy <jf@devklog.net>
Date: Fri, 10 Jan 2025 12:43:54 -0800
Subject: [PATCH] feat(stash): deploy nams as a sidecar

---
 .../apps/default/stash/app/helmrelease.yaml   | 69 +++++++++++++++++--
 .../apps/default/stash/app/kustomization.yaml |  1 +
 .../apps/default/stash/app/secret.sops.yaml   | 28 ++++++++
 3 files changed, 92 insertions(+), 6 deletions(-)
 create mode 100644 kubernetes/apps/default/stash/app/secret.sops.yaml

diff --git a/kubernetes/apps/default/stash/app/helmrelease.yaml b/kubernetes/apps/default/stash/app/helmrelease.yaml
index 79c0fb434..9aebdd45d 100644
--- a/kubernetes/apps/default/stash/app/helmrelease.yaml
+++ b/kubernetes/apps/default/stash/app/helmrelease.yaml
@@ -33,7 +33,7 @@ spec:
           stash:
             image:
               repository: ghcr.io/jfroy/stash
-              tag: v0.27.2-cudajellyfin.1@sha256:05f55b61bc95857602a46bab41285126c9a0d36374a2c07c22ab64707a0810c5
+              tag: v0.27.2-cudajellyfin.2@sha256:c810c63a64fc43a75ae49df0daf897976456faa6f6436f15c0e9f7055b747a5c
             env:
               HOME: /config
               NVIDIA_DRIVER_CAPABILITIES: compute,utility,video
@@ -64,6 +64,30 @@ spec:
               limits:
                 nvidia.com/gpu: 1
             workingDir: /config
+        initContainers:
+          nams:
+            image:
+              repository: registry.${PUBLIC_DOMAIN0}/nams
+              tag: 2.0.0@sha256:bff337ca9ec86b1879263f2d1a2ab75c72ce34e86afd1fb09273d48cd441bb01
+            env:
+              TZ: America/Los_Angeles
+            probes:
+              liveness: &probe
+                enabled: false
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: &port 8000
+              readiness: *probe
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              limits:
+                nvidia.com/gpu: 1
+            restartPolicy: Always
         pod:
           runtimeClassName: nvidia
           tolerations:
@@ -98,31 +122,64 @@ spec:
     persistence:
       cache:
         type: emptyDir
+        advancedMounts:
+          stash:
+            stash:
+              - path: /cache
       config:
         existingClaim: ${APP}
+        advancedMounts:
+          stash:
+            stash:
+              - path: /config
       data:
         type: persistentVolumeClaim
         storageClass: ceph-block
         accessMode: ReadWriteOnce
         retain: true
         size: 200Gi
-        globalMounts:
-          - path: /blobs
-            subPath: blobs
-          - path: /generated
-            subPath: generated
+        advancedMounts:
+          stash:
+            stash:
+              - path: /blobs
+                subPath: blobs
+              - path: /generated
+                subPath: generated
+      nams-license:
+        type: secret
+        name: nams-license
+        advancedMounts:
+          stash:
+            nams:
+              - path: /app/models/licenseV1.0.lic
+                subPath: licenseV1.0.lic
+      nams-logs:
+        type: emptyDir
+        sizeLimit: 10Mi
+        advancedMounts:
+          stash:
+            nams:
+              - path: /app/logs
       plugins:
         type: persistentVolumeClaim
         storageClass: openebs-hostpath
         accessMode: ReadWriteOnce
         retain: true
         size: 100Mi
+        advancedMounts:
+          stash:
+            stash:
+              - path: /plugins
       scrapers:
         type: persistentVolumeClaim
         storageClass: openebs-hostpath
         accessMode: ReadWriteOnce
         retain: true
         size: 100Mi
+        advancedMounts:
+          stash:
+            stash:
+              - path: /scrapers
       sss:
         type: persistentVolumeClaim
         existingClaim: media-smb-media1
diff --git a/kubernetes/apps/default/stash/app/kustomization.yaml b/kubernetes/apps/default/stash/app/kustomization.yaml
index 170a3795c..02b102ebb 100644
--- a/kubernetes/apps/default/stash/app/kustomization.yaml
+++ b/kubernetes/apps/default/stash/app/kustomization.yaml
@@ -4,5 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+  - ./secret.sops.yaml
   - ../../../../templates/gatus/guarded
   - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/stash/app/secret.sops.yaml b/kubernetes/apps/default/stash/app/secret.sops.yaml
new file mode 100644
index 000000000..dcd5c6334
--- /dev/null
+++ b/kubernetes/apps/default/stash/app/secret.sops.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nams-license
+type: Opaque
+data:
+  licenseV1.0.lic: ENC[AES256_GCM,data:y2gmP19yLO7Qikua8SIVuUmTc/2DtY68Wt/J0X1P0DjaCEEQuprPPheEtun3baKtUCDituUIRynjHCTmblAsmaU/LapIVLO2nbKATpoLATm7Fk5NxZMajmRktYZF6i16WtpMlWkPtMJRCURFmj8aN4N5AVFCJ1/LP2BMG4iZln/WYgMtTFQ3w5FFwHw0UyQyeo5NaLsFekhWt7F04Yd2cgvx4N9T1n2M6wf2YuYvbIizzVWbytotzngM8/vY9OHwGGFKbMC+rFF75S5VFOK0EiL4SXivht/CMlaJm9RWL6Y/BvkhYkJrdvX0J2Hte94aduuvBjd55XzFL6MPp3I/Wqg+WmTV67Zv/P6/kvznX/jimaUd8kowVl3Xbz1zhUPrC1/pGkM2CMbRNeC6PEku1YRvyOWuhc9qYSLVvbend2hCsrVJOVOd/ZuY01Bvf2U5bM0X9R0WN0GVWq14XCC9u7lHPhOLvFtJ63qC5Su84ILDXD+BLPHQWZHaIeqYVvOX0Bb08lXcvvuE5TR1wpsCzr6g1TWw8jpkyj9O6ZRQHEW8P8yhN9GnbHTcTl3PRVHpAvAm0uz1BZmnIj+vDxw7VXl5ngnsOFX5znscxZy2B+rEFheVZIFzG2dwYDzuWvg+dwta050sku+u0lDyV3ZjTsrdmsU+9sbcqLC9mUx/FwDf3UyTIqSrTjkSI2ZSrEWr3lwe9ZKUqBMt+JMft2uhRaEkznIECbWu6pvPF9yVEcTlm/FO0uL6m0cbzefqrWtkNp+gBLXwkoL2e4RHtBejDXt7IM5S3yJ5ny+wlORy5luMVeDewPc9sFIXnhUD/gekxyQu3YQt76vb/TUcxDF8hgF3sIwdNEIj+UxKJONEQhW2Px8w6axm95stlwtrAj16+/iIVS3mVsgg41W1LH/VDTi4dZg9rtaGKDKYl5dj+9huvUZ+qc/gDYOr/AJh2+uY4lFZaXMSi4mkEWrYf9oHK/p58/79VcL7OW748kVf+QK510abMmMFHBj9nGDVvHOHxuxeiRzTrayHMGNijabKfbxSik/s3f3iXjXhAqf9Rn5ATgO71KIJx06PVrSl7tUqqzwM/lk1bfukTpsPUh1vOg+VEa25gcyIMMCK2tWrn3yPKJDAsiH94x7Rthh62RdJw5ZKbqr1K3Ni0XD1pdDbgh2TKBKkNM44Cvqi5usFe1Y9DNPUdsDSErYD0ZMRKYREcIW5/Th9NGMYVrMahMmDEYmpb+oPTvwyC2aEfzvpG0YRx3LJ0Co3OaYUrlv2ulBqDG3yOjojegJLjhBG04ETr9kRCarW434KdBy5zgwRsP8fDVzV/trvXNoxtSEG0tRP9k3pym0WhzGFe+N7ZIlVsFTCCvt2aEg6EyZ1JG97iF8Xuex8vzasOz/ppfRqlh1hNB2BYGeZPmRXQyvhdCjqbgFEHJG1ByspzLxik5kaZUXkg8Y4wIobn+OG1n1Yk676hilFK+Ny4SxI90W2yM6qT+wj/hc631u9wsnc5A/Wjf2dJ0r0Mk4V/+WcywM9XtgS65qRtbhfeSW55BcfhpdYxsKpekNAD+LxF9ZYqgJrA2hMzSTV0Men3TQJ/TZQGs35/KV5aFOHJhmf1rgAUx1jIqKFtFaHMfWHkoZfjmD+NQrXk30nxRnk+YZAu0SI3SnjpmL+4XUCQYaZgslqhZHzBc8X7EB0/S3xn+x+ZcwR/uFssLiwJ5BLo4vFjJEjZ1PgN9csXWXgmprB2vTsey5rWJu83zlUQRGWfDl0Uc3FJBc3JHe7SpByWyRfmIgcIBMRLQ+/nWx5Y9If5vmyQEShGsLlq+5KSXHchpd8ebH7tw2wexcqXIEyeku+cK1m2uj8FQwKM7GVPj4qdZojjrtPb6hK+CE0gu8q22qBD1HRKJPDK96oDliPOhssoXpNQdUgiJdSHjrfnDT2l/taFyxopLB0XWppah4nw5eqQ99sOOKOR3NwtOsWN3PxKWAqMaYMryfB1GE+OI7xovyh6O0+/wzwJsx1sdYHR72JPghFr4RpuH87xrh2Gng+TMwXdtVaJJd8UlmsypnlTJq1e/Q334tNOYOeQzRnHoAV9fQ8DUlmBg6CGZnua1XY2bgxqwxfmYsl+gD1mPFkCsxR0yTo6TR+Sva2IfiYHVKLHemw712MHu/pLjD3fHx57Lg0u/hAtO24WGNQxsY29afYEuQUIl7p3t9lWBK68UAh+wiL6g17a2XuTAKafVLPAly0oZEbC9ORefNc7M5gE09aj9dG2x1gnJekpsQrnjo+9qePnMGg9A3YQTMmV6/k1nhcrgTAwdeP1yxj1VeovuJ6wkroyUwkXYNoaHK2ak2beDsjxeguKzkb0fxDfCbgjvw7oR/LM9CHPGu3o7OHlMzntnEpijcxUTUDiMYFdvzIrdWE7i/ZlkLpqbR6NvbXxL5+WWM4hSFaXWJwWahARgWH79gSv/Sb4apBmsdiNTT2MJ4zeA/P3nQU/SfETZ/widX3nGzjcJQjN5sB6G6n2xMxK7U7k9vdXNjZMhn5gEVpUjvcnKt6DCyuXYdyzIVs2me0BKz/vvX7mr6b+2nD654OB5xPifHv55RsQGJuLxLE2tjB+5dg8ZXx0OEOzQvinq/G2YWj82961d+5nMz0gdmoQusyvL85ehYz81bpHn06MgshdgieMkMYbdj5iHtcfJrh05Yjz4pm6HFLWIj728MCzBCrlZexM1tcF8jk4hx+z5nxqILeNns6rixzeKd4AX1c8lGIWOhXnqaDDlWwHueZ2fc/+yltcuFUaYMZu5rMFs6QEE/3XtC19HHs5PC8l7+KPbrRGCEVcmgPtNWTJtfr4HsBpVb+D8nrisSQ3PlivGe7fvhZyD2BIywBD9Tf1+9DoXG4Vb0Kh5UeM1OQhA0LUlVtSdbp1WlE3IBUtCnp/bGz7yDlCez/TJRx/WFlc9k9/4xVUsdwnPByZfPwEej6DNcrdVlaTIKwdsaTHXO9PGA2+zpyvZ/rzy62mLhoRvppqJzchuNsgiaUgEd0eFMeA4S6Wc1P8tLJ4SkgsfYf5DfZ6H+J3pxT3Z0xElOSjSlm1AeNkn/l4iBODRQJsm3zwucKqAePkprKeBD/OcTxOx1QWtsYB8aVaE5/sZe80Fb+JCiYkCp05nFP4sYesnCjE1A68D238adagGm0ggH5FX8KmX/6H0SSDkwan6iZWSqpkkrvC+04CuqETZ4YwF1/OCoDpoa/LNpeTSnoFbcAY0W93LVXyjMiU6mOoWXFnJGFcGLivwIYX8P4tewbUCbtBxktL114zSofiYsVkqT7EwjV9VJEufGhDzx0vW+TY9CD703a3IEoG4r3cTnQPsmGzIgdsTeX3xHDLdKEaQfXzS2hxvL5xQPGzSKFD1wfq6gPx8HK1vDouBFpE8ppO0nAjgDjeACsLXA61xm7aHKWfL2g2u30JJwsRKS/3oL12ummzCM9sdK+rCz3+Db92MVGCIMfRBmTYJrDYJXm1be9t5XhqITBYN0c6PtwYxmhWfHOIrApDJemlZMZFWTVrZRDdGZFyEHgcHbb8lcdQJvWNe+zrr+T3SYXqeMvOd2DOXb3kgv6ohYnXkFf6IFTqeJm5LosNDr66Ucf9p1ZTk0A3r9jBhOkeNvNOItxF+/+xlEkHh83/uJ7jpsUBHFcHkcdG2ywVBwbghRPLkPqM3RNiKH7/sxN+HmMwvNPNMBPY5jfYLIJ+LYe5V53BKkxbABTUlUFdIIsBdeTdElO7l7d4o24FEBXTnbUn8ZLik9T3koUin0Enncw+sMI03Ieem0L,iv:fEjndQM+csI0G++Qdub2Og0mQ1ndn+jBN6SpePCVzEQ=,tag:thbINZospzEKRpsAGgbFuA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQUh4NDYvcHROMnU4ZVBX
+        emJhSUdxUTljR01hNEZhbWNYdmpORUpvT1I4CnpBNzJrMFJkaEZKQngyL0FHSVBC
+        RWRHSzl1d3BsTnJWRE1GT2xrSklVUkkKLS0tIDB0aUlHdFU5WTQwSVp0cVFXbWhY
+        SzR4L0pMZmxPU2IyNDN3RFVvd0xiMTAKOmtviIdmZpuLtispijam7oAlk91InE1n
+        YX9LZYA5Z7ws/to5qkLgNz90qYe4MBtsQrpVm4++RjSXeTfbU3tImA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-01-10T20:56:00Z"
+  mac: ENC[AES256_GCM,data:ft9OOB/T7plxN8p2X3HL5Q8Gvn3srJADzRljvaFNVh8dLKis/wz2S/TWzl5GMJlxjmSsBTBnbZ/AKVn1iQAtTQi3aRv7Tp6hdnZM4pxcXY/FABlRZi3iUpJjfczOtn2bZ+KI7QFuZrjX7JzvfVImwN+xl03k1+PE68P5CF17eBA=,iv:xJ1VwJ33xWn9eMOS2VsAhsRkm25w2/Rt6s0YZFqZqMQ=,tag:SK9jkxjgLHzntZQmoTNMkA==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData|password)$
+  mac_only_encrypted: true
+  version: 3.9.1