feat(tautulli): Add Tautulli

kubernetes/apps/media/kavita/app/helmrelease.yaml

@@ -39,14 +39,14 @@ spec:
                   periodSeconds: 10
             securityContext:
               allowPrivilegeEscalation: false
-              readOnlyRootFilesystem: true
+              readOnlyRootFilesystem: false
               capabilities: { drop: ["ALL"] }
     defaultPodOptions:
       securityContext:
-        fsGroup: 1005
+        fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
-        runAsUser: 1003
+        runAsUser: 1000
         fsGroupChangePolicy: OnRootMismatch
     service:
       app:

kubernetes/apps/media/tautulli/app.ks.yaml

@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://schemas.tholinka.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app tautulli
+  namespace: &namespace media
+spec:
+  interval: 1h
+  components:
+    - ../../../../components/volsync
+  dependsOn:
+    - name: storage-ready
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  path: ./kubernetes/apps/media/tautulli/app
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 5Gi
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace

kubernetes/apps/media/tautulli/app/helmrelease.yaml

@@ -0,0 +1,82 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app tautulli
+spec:
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: app-template
+  values:
+    controllers:
+      tautulli:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/home-operations/tautulli
+              tag: 2.16.1@sha256:6983eea603ee230b189f2d32e7d7fc0bb94917df735a71ba20460c4991877645
+            env:
+              TAUTULLI_HTTP_BASE_URL: https://tautulli.tholinka.dev
+              TAUTULLI_HTTP_PORT: &port 80
+            envFrom:
+              - secretRef:
+                  name: *app
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /status
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 1Gi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+    service:
+      app:
+        ports:
+          http:
+            port: *port
+    route:
+      app:
+        hostnames:
+          - "{{ .Release.Name }}.laurivan.com"
+        parentRefs:
+          - name: envoy-internal
+            namespace: network
+    persistence:
+      config:
+        existingClaim: tautulli
+      config-cache:
+        existingClaim: tautulli-cache
+        globalMounts:
+          - path: /config/cache
+      tmpfs:
+        type: emptyDir
+        globalMounts:
+          - path: /config/logs
+            subPath: logs
+          - path: tmp
+            subPath: tmp

kubernetes/apps/media/tautulli/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secrets.sops.yaml
+  - ./pvc.yaml
+  - ./helmrelease.yaml

kubernetes/apps/media/tautulli/app/pvc.yaml

@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tautulli-cache
+spec:
+  accessModes: ['ReadWriteOnce']
+  resources:
+    requests:
+      storage: 15Gi
+  storageClassName: ceph-block

kubernetes/apps/media/tautulli/app/secrets.sops.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: tautulli
+stringData:
+    TAUTULLI_API_KEY: ENC[AES256_GCM,data:I5kgkO0afYLl7axAVVuXARTooXRddl3B6OwRXyTX7/xSzQuBeex8uw==,iv:rpjAMH+IIC4ZASd16N8Ke5pTqvGEWoSYydC2kEaLlDs=,tag:JYOGFk2NpxSChA/0O90fFQ==,type:str]
+sops:
+    age:
+        - recipient: age1yzrqhl9dk8ljswpmzsqme3enad5kxxhsptdvecy3lwlq0ms80gaqxrctst
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRDRDT2JzZmF2RlcyREg5
+            aEgyZ0QwNTJQK2JYbDBrNjRhT3BNSzdFZGlzCndQVloyK1RUU281S1Q2YnI4eXQv
+            RVoxa0UxOFNEVkZwQzB3ZUhTNHBMTWcKLS0tIGZLMTZ3YUs3d2FHWVBtczJzdzhp
+            dUtWdGJ0cjhjREI5YnVzVDk5VGJJS0kKpa+N5XC8a5/V/eUgqZoosxrio9CJMTYS
+            TzhILOHxY59zNtl4Jw7QtIy27jWki4+318WnQ2XGHO5yPUitc1yPuA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-27T13:21:23Z"
+    mac: ENC[AES256_GCM,data:BMFYoD+/cDW//YOqo0w70dEcfeAyr8CtVWit6ra61Sj3Gs17XqzWvggHya3J3+S6aSTrzDnBBdE+iw4ydWymLyxy48rDqzy/l2OILHOi0sQoK1UcWsCE066nLzXPe3E/cj2ohgWTU3RuVQC5Hf2AoEXWYC6faZKHuPUbnubi+ss=,iv:IqvIcsFPhngsD39JI9fpXCeAPRrINevMLou4hxHC0h4=,tag:qgGfbBCmdYkJBuIMndcSfg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    version: 3.11.0

kubernetes/apps/media/tautulli/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./app.ks.yaml