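# RoMM - ROM Manager
# https://github.com/rommapp/romm
# Version: 4.5.0
# Domain: arcade.dooplex.hu
# Auth: Native OIDC with Authentik
#
# Authentik Setup:
# 1. Create OAuth2/OIDC Provider:
#    - Name: romm
#    - Client Type: Confidential
#    - Redirect URIs: https://arcade.dooplex.hu/api/oauth/openid
#    - Scopes: openid, email, profile
# 2. Create Application linked to this provider
#    - Slug: romm (important for OIDC_SERVER_APPLICATION_URL)
#
# NOTE(review): the slug above is "romm" but OIDC_SERVER_APPLICATION_URL
# below ends in ".../application/o/arcade". Authentik derives the issuer
# from the application slug, so only one of the two can be right — confirm
# against the Authentik application and align the other.
#
# Secrets referenced by this manifest (created out-of-band, never committed):
#   romm-db   : database, username, password, root-password
#   romm-app  : auth-secret-key, igdb-*, steamgriddb-api-key, screenscraper-*
#   romm-oidc : client-id, client-secret
---
apiVersion: v1
kind: Namespace
metadata:
  name: arcade-system
  labels:
    app.kubernetes.io/name: romm
---
# Seed config.yml. It is copied onto the config PVC once by the init
# container below and never overwritten afterwards, so edits here only
# affect fresh installs.
# NOTE: inside the block scalar, "romm:" with only comments beneath it
# parses as null — the file is effectively empty, which is the intent.
apiVersion: v1
kind: ConfigMap
metadata:
  name: romm-config-template
  namespace: arcade-system
data:
  config.yml: |
    # ROMM Configuration File
    # Most settings are handled via environment variables in the deployment.
    # This file satisfies the requirement for the config.yml to be present.
    romm:
      # You can add specific overrides here if needed
      # Reference: https://docs.romm.app/4.5.0/Getting-Started/Configuration-File/
---
# Redis is used by RoMM as a cache/task backend. It runs unauthenticated;
# isolation relies on the ClusterIP Service being reachable only in-cluster.
# A NetworkPolicy restricting ingress to the romm pods would tighten this,
# provided the cluster CNI enforces policies.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: romm-redis
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: romm
      app.kubernetes.io/name: romm-redis
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: romm
        app.kubernetes.io/name: romm-redis
    spec:
      containers:
        - name: redis
          image: redis:7.2-alpine
          ports:
            - containerPort: 6379
              name: redis
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: romm
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm
    app.kubernetes.io/version: "4.5.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: romm
      app.kubernetes.io/name: romm
  # Recreate: the config/resources PVCs are ReadWriteOnce, so two pods
  # cannot coexist during a rollout.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: romm
        app.kubernetes.io/name: romm
        app.kubernetes.io/version: "4.5.0"
    spec:
      # Volumes are made group-owned by 1000 (the RoMM user) on mount.
      securityContext:
        fsGroup: 1000
      initContainers:
        # Seeds config.yml on first boot. Runs as root (busybox default) so it
        # can chown the copied file to the RoMM user; it does nothing if the
        # file already exists.
        - name: init-config
          image: busybox:1.36
          command:
            - sh
            - -c
            - |
              # Copy the template to the PVC only if it doesn't exist
              if [ ! -f /romm/config/config.yml ]; then
                echo "Creating initial config.yml from template..."
                cp /tmp/template/config.yml /romm/config/config.yml
                # Ensure the ROMM user (1000) owns the file
                chown 1000:1000 /romm/config/config.yml
              else
                echo "config.yml already exists, skipping copy."
              fi
          volumeMounts:
            - name: config-template
              mountPath: /tmp/template
            - name: config-storage
              mountPath: /romm/config
      containers:
        - name: romm
          image: rommapp/romm:4.5.0
          env:
            # Database: in-namespace MariaDB (see romm-db Deployment/Service)
            - name: DB_HOST
              value: "romm-db"
            - name: DB_PORT
              value: "3306"
            - name: DB_NAME
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: database
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: username
            - name: DB_PASSWD
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: password
            # Redis
            - name: REDIS_HOST
              value: "romm-redis"
            - name: REDIS_PORT
              value: "6379"
            # Auth: session/JWT signing key. Rotating it invalidates sessions.
            - name: ROMM_AUTH_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: romm-app
                  key: auth-secret-key
            # OIDC with Authentik
            - name: OIDC_ENABLED
              value: "true"
            - name: OIDC_PROVIDER
              value: "authentik"
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: romm-oidc
                  key: client-id
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: romm-oidc
                  key: client-secret
            # Must match the Redirect URI registered on the Authentik provider
            # exactly (scheme, host, path).
            - name: OIDC_REDIRECT_URI
              value: "https://arcade.dooplex.hu/api/oauth/openid"
            # NOTE(review): slug "arcade" here vs "romm" in the header — confirm.
            - name: OIDC_SERVER_APPLICATION_URL
              value: "https://authentik.dooplex.hu/application/o/arcade"
            - name: ROMM_PORT
              value: "8080"
            # Metadata-provider API keys. These are genuinely optional for RoMM,
            # so the references are marked optional: a romm-app Secret that
            # lacks one of these keys no longer blocks pod start-up.
            - name: IGDB_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: romm-app
                  key: igdb-client-id
                  optional: true
            - name: IGDB_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: romm-app
                  key: igdb-client-secret
                  optional: true
            - name: STEAMGRIDDB_API_KEY
              valueFrom:
                secretKeyRef:
                  name: romm-app
                  key: steamgriddb-api-key
                  optional: true
            - name: SCREENSCRAPER_USER
              valueFrom:
                secretKeyRef:
                  name: romm-app
                  key: screenscraper-user
                  optional: true
            - name: SCREENSCRAPER_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: romm-app
                  key: screenscraper-password
                  optional: true
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 1000m
              memory: 1Gi
          volumeMounts:
            - name: library
              mountPath: /romm/library
            - name: resources
              mountPath: /romm/resources
            - name: config-storage
              mountPath: /romm/config
          # Both probes hit the same unauthenticated heartbeat endpoint; the
          # longer liveness delay gives first-boot DB migrations time to finish.
          livenessProbe:
            httpGet:
              path: /api/heartbeat
              port: http
            initialDelaySeconds: 60
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /api/heartbeat
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
      volumes:
        # hostPath gives the pod direct read/write access to this host
        # directory; it is the ROM library, so writes are expected (uploads).
        # DirectoryOrCreate means a typo here silently creates an empty dir.
        - name: library
          hostPath:
            path: /mnt/4_hdd/data/roms
            type: DirectoryOrCreate
        - name: resources
          persistentVolumeClaim:
            claimName: romm-resources
        - name: config-storage
          persistentVolumeClaim:
            claimName: romm-config
        - name: config-template
          configMap:
            name: romm-config-template
---
apiVersion: v1
kind: Service
metadata:
  name: romm-redis
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-redis
spec:
  type: ClusterIP
  ports:
    - name: redis
      port: 6379
      targetPort: redis
  selector:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-redis
---
apiVersion: v1
kind: Service
metadata:
  name: romm
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: http
  selector:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm
---
# Exposed only via the internal ingress class. Large body size and long
# read/send timeouts are needed for ROM uploads/downloads.
# NOTE: only arcade.dooplex.hu is in the TLS section; arcade.home is served
# with the controller's default certificate after the ssl-redirect, so it
# will show a certificate warning unless a cert for that name is provided.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: romm
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: arcade.dooplex.hu,arcade.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "5g"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  ingressClassName: nginx-internal
  rules:
    - host: arcade.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: romm
                port:
                  number: 8080
    - host: arcade.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: romm
                port:
                  number: 8080
  tls:
    - hosts:
        - arcade.dooplex.hu
      secretName: romm-tls
---
# Generated artwork/metadata cache. Backed up via the Longhorn recurring-job
# labels.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: romm-resources
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-resources
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: romm-config
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-config
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi
---
# Dedicated MariaDB for RoMM. Credentials come from the romm-db Secret; the
# root password is required by the image but is not used by the app.
# NOTE: "mariadb:11" is a floating major tag — consider pinning a minor
# version so upgrades happen deliberately.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: romm-db
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-db
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: romm
      app.kubernetes.io/name: romm-db
  # Recreate: single RWO data volume, never run two MariaDB pods on it.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: romm
        app.kubernetes.io/name: romm-db
    spec:
      containers:
        - name: mariadb
          image: mariadb:11
          env:
            - name: MARIADB_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: root-password
            - name: MARIADB_DATABASE
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: database
            - name: MARIADB_USER
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: username
            - name: MARIADB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: romm-db
                  key: password
          ports:
            - containerPort: 3306
              name: mariadb
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            - name: data
              mountPath: /var/lib/mysql
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: romm-db
---
apiVersion: v1
kind: Service
metadata:
  name: romm-db
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-db
spec:
  type: ClusterIP
  ports:
    - name: mariadb
      port: 3306
      targetPort: mariadb
  selector:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-db
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: romm-db
  namespace: arcade-system
  labels:
    app.kubernetes.io/instance: romm
    app.kubernetes.io/name: romm-db
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 2Gi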