--- apiVersion: v1 kind: Namespace metadata: name: servarr-system --- # Prowlarr - Indexer Manager apiVersion: apps/v1 kind: Deployment metadata: labels: app: prowlarr app.kubernetes.io/instance: servarr app.kubernetes.io/name: prowlarr name: prowlarr namespace: servarr-system spec: replicas: 1 selector: matchLabels: app: prowlarr strategy: type: Recreate template: metadata: labels: app: prowlarr spec: containers: - name: prowlarr image: linuxserver/prowlarr:latest imagePullPolicy: Always env: - name: PUID value: "1000" - name: PGID value: "1000" - name: TZ value: Europe/Budapest ports: - containerPort: 9696 protocol: TCP readinessProbe: httpGet: path: /ping port: 9696 initialDelaySeconds: 60 periodSeconds: 10 resources: limits: cpu: 500m memory: 512Mi requests: cpu: 100m memory: 256Mi volumeMounts: - name: config mountPath: /config securityContext: fsGroup: 1000 volumes: - name: config persistentVolumeClaim: claimName: prowlarr-config-pvc --- # Radarr - Movie Manager apiVersion: apps/v1 kind: Deployment metadata: labels: app: radarr app.kubernetes.io/instance: servarr app.kubernetes.io/name: radarr name: radarr namespace: servarr-system spec: replicas: 1 selector: matchLabels: app: radarr strategy: type: Recreate template: metadata: labels: app: radarr spec: containers: - name: radarr image: linuxserver/radarr:latest imagePullPolicy: Always env: - name: PUID value: "1000" - name: PGID value: "1000" - name: TZ value: Europe/Budapest ports: - containerPort: 7878 protocol: TCP readinessProbe: httpGet: path: /ping port: 7878 initialDelaySeconds: 60 periodSeconds: 10 resources: limits: cpu: 500m memory: 512Mi requests: cpu: 100m memory: 256Mi volumeMounts: - name: config mountPath: /config - name: movies mountPath: /mnt/2_hdd securityContext: fsGroup: 1000 volumes: - name: config persistentVolumeClaim: claimName: radarr-config-pvc - name: movies hostPath: path: /mnt/2_hdd type: Directory --- # Sonarr - TV Show Manager apiVersion: apps/v1 kind: Deployment metadata: labels: app: sonarr app.kubernetes.io/instance: servarr app.kubernetes.io/name: sonarr name: sonarr namespace: servarr-system spec: replicas: 1 selector: matchLabels: app: sonarr strategy: type: Recreate template: metadata: labels: app: sonarr spec: containers: - name: sonarr image: linuxserver/sonarr:latest imagePullPolicy: IfNotPresent env: - name: PUID value: "1000" - name: PGID value: "1000" - name: TZ value: Europe/Budapest ports: - containerPort: 8989 name: webui protocol: TCP readinessProbe: httpGet: path: /ping port: 8989 initialDelaySeconds: 60 periodSeconds: 10 resources: limits: cpu: 500m memory: 512Mi requests: cpu: 100m memory: 256Mi volumeMounts: - name: config mountPath: /config - name: tv mountPath: /mnt/1_hdd securityContext: fsGroup: 1000 volumes: - name: config persistentVolumeClaim: claimName: sonarr-config-pvc - name: tv hostPath: path: /mnt/1_hdd type: Directory --- # qBittorrent - Download Client apiVersion: apps/v1 kind: Deployment metadata: labels: app: qbittorrent app.kubernetes.io/instance: servarr app.kubernetes.io/name: qbittorrent name: qbittorrent namespace: servarr-system spec: replicas: 1 selector: matchLabels: app: qbittorrent strategy: type: Recreate template: metadata: labels: app: qbittorrent spec: containers: - name: qbittorrent image: linuxserver/qbittorrent:latest imagePullPolicy: Always env: - name: PUID value: "1000" - name: PGID value: "1000" - name: TZ value: Europe/Budapest - name: WEBUI_PORT value: "8080" ports: - containerPort: 8080 protocol: TCP - containerPort: 6881 protocol: TCP readinessProbe: httpGet: path: / port: 8080 initialDelaySeconds: 30 periodSeconds: 10 resources: limits: cpu: "1" memory: 1Gi requests: cpu: 100m memory: 256Mi volumeMounts: - name: config mountPath: /config - name: 2hdd mountPath: /mnt/2_hdd - name: 1hdd mountPath: /mnt/1_hdd volumes: - name: config persistentVolumeClaim: claimName: qbittorrent-config-pvc - name: 2hdd hostPath: path: /mnt/2_hdd type: Directory - name: 1hdd hostPath: path: /mnt/1_hdd type: Directory --- # Services apiVersion: v1 kind: Service metadata: labels: app: prowlarr name: prowlarr namespace: servarr-system spec: type: ClusterIP ports: - name: http port: 9696 protocol: TCP targetPort: 9696 selector: app: prowlarr --- apiVersion: v1 kind: Service metadata: labels: app: radarr name: radarr namespace: servarr-system spec: type: ClusterIP ports: - name: http port: 7878 protocol: TCP targetPort: 7878 selector: app: radarr --- apiVersion: v1 kind: Service metadata: labels: app: sonarr name: sonarr namespace: servarr-system spec: type: ClusterIP ports: - name: http port: 8989 protocol: TCP targetPort: 8989 selector: app: sonarr --- apiVersion: v1 kind: Service metadata: labels: app: qbittorrent name: qbittorrent namespace: servarr-system spec: type: ClusterIP ports: - name: http port: 8080 protocol: TCP targetPort: 8080 - name: torrent port: 6881 protocol: TCP targetPort: 6881 selector: app: qbittorrent --- # Authentik outpost service reference apiVersion: v1 kind: Service metadata: name: ak-outpost-arr-outpost namespace: servarr-system spec: type: ExternalName externalName: ak-outpost-arr-outpost.auth-system.svc.cluster.local ports: - port: 9000 --- # Ingresses with Authentik proxy auth apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod external-dns.alpha.kubernetes.io/hostname: prowlarr.dooplex.hu,prowlarr.home nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email nginx.ingress.kubernetes.io/auth-signin: https://prowlarr.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; if ($request_uri ~ "^/.well-known/acme-challenge/") { return 200; } nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" name: prowlarr namespace: servarr-system spec: ingressClassName: nginx-internal rules: - host: prowlarr.dooplex.hu http: paths: # 1. Your existing App Path - path: / pathType: Prefix backend: service: name: prowlarr port: number: 9696 # 2. ADD THIS: The Auth Path (formerly managed by Authentik) - path: /outpost.goauthentik.io pathType: Prefix backend: service: name: ak-outpost-arr-outpost # Points to your ExternalName service port: number: 9000 - host: prowlarr.home http: paths: - backend: service: name: prowlarr port: number: 9696 path: / pathType: Prefix tls: - hosts: - prowlarr.dooplex.hu secretName: prowlarr-tls --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod external-dns.alpha.kubernetes.io/hostname: radarr.dooplex.hu,radarr.home nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email nginx.ingress.kubernetes.io/auth-signin: https://radarr.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; if ($request_uri ~ "^/.well-known/acme-challenge/") { return 200; } nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" name: radarr namespace: servarr-system spec: ingressClassName: nginx-internal rules: - host: radarr.dooplex.hu http: paths: - backend: service: name: radarr port: number: 7878 path: / pathType: Prefix - host: radarr.home http: paths: - backend: service: name: radarr port: number: 7878 path: / pathType: Prefix tls: - hosts: - radarr.dooplex.hu secretName: radarr-tls --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod external-dns.alpha.kubernetes.io/hostname: sonarr.dooplex.hu,sonarr.home nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,Authorization nginx.ingress.kubernetes.io/auth-signin: https://sonarr.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; if ($request_uri ~ "^/.well-known/acme-challenge/") { return 200; } nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" name: sonarr namespace: servarr-system spec: ingressClassName: nginx-internal rules: - host: sonarr.dooplex.hu http: paths: - backend: service: name: sonarr port: number: 8989 path: / pathType: Prefix - host: sonarr.home http: paths: - backend: service: name: sonarr port: number: 8989 path: / pathType: Prefix tls: - hosts: - sonarr.dooplex.hu secretName: sonarr-tls --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod external-dns.alpha.kubernetes.io/hostname: qbittorrent.dooplex.hu,qbittorrent.home nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email nginx.ingress.kubernetes.io/auth-signin: https://qbittorrent.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; if ($request_uri ~ "^/.well-known/acme-challenge/") { return 200; } nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" name: qbittorrent namespace: servarr-system spec: ingressClassName: nginx-internal rules: - host: qbittorrent.dooplex.hu http: paths: - backend: service: name: qbittorrent port: number: 8080 path: / pathType: Prefix - host: qbittorrent.home http: paths: - backend: service: name: qbittorrent port: number: 8080 path: / pathType: Prefix tls: - hosts: - qbittorrent.dooplex.hu secretName: qbittorrent-tls --- # PVCs for config (keep existing, add Prune=false to prevent deletion) apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: argocd.argoproj.io/sync-options: Prune=false labels: app: prowlarr recurring-job-group.longhorn.io/needbackup: enabled recurring-job.longhorn.io/source: enabled name: prowlarr-config-pvc namespace: servarr-system spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: longhorn --- apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: argocd.argoproj.io/sync-options: Prune=false labels: app: radarr recurring-job-group.longhorn.io/needbackup: enabled recurring-job.longhorn.io/source: enabled name: radarr-config-pvc namespace: servarr-system spec: accessModes: - ReadWriteOnce resources: requests: storage: 3Gi storageClassName: longhorn --- apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: argocd.argoproj.io/sync-options: Prune=false labels: app: sonarr recurring-job-group.longhorn.io/needbackup: enabled recurring-job.longhorn.io/source: enabled name: sonarr-config-pvc namespace: servarr-system spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: longhorn --- apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: argocd.argoproj.io/sync-options: Prune=false labels: app: qbittorrent recurring-job-group.longhorn.io/needbackup: enabled recurring-job.longhorn.io/source: enabled name: qbittorrent-config-pvc namespace: servarr-system spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: longhorn