
Add qbittorrent & PreferNoSchedule TODO for rook nodes

Josh Bicking 1 month ago
parent
commit
edf6945415

+ 4 - 3
README.md

@@ -10,11 +10,11 @@ _Below is mostly braindumps & rough commands for creating/tweaking these service
 
 ```
 # First node
-curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.29.6+k3s2 INSTALL_K3S_EXEC="server --cluster-init" sh -
+curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.32.3+k3s1 INSTALL_K3S_EXEC="server --cluster-init" sh -
 export NODE_TOKEN=$(cat /var/lib/rancher/k3s/server/node-token)
 
 # Remaining nodes
-curl -sfL https://get.k3s.io | K3S_TOKEN=$NODE_TOKEN INSTALL_K3S_VERSION=v1.29.6+k3s2 INSTALL_K3S_EXEC="server --server https://<server node ip>:6443 --kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*,net.ipv6.conf.all.forwarding" sh -
+curl -sfL https://get.k3s.io | K3S_TOKEN=$NODE_TOKEN INSTALL_K3S_VERSION=v1.32.3+k3s1 INSTALL_K3S_EXEC="server --server https://<server node ip>:6443 --kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*,net.ipv6.conf.all.forwarding" sh -
 ```
 
 
@@ -399,4 +399,5 @@ This is a nice PVC option for simpler backup target setups.
 - [ ] explore anubis https://xeiaso.net/talks/2025/surreal-joy-homelab/
 - [ ] explore bitwarden secret integration (similar to 1password integration in https://xeiaso.net/talks/2025/surreal-joy-homelab/)
 - [ ] finish this writeup 🥺👉👈
-- [ ] node affinity + eviction: how do i limit non-rook pods running on rook nodes?
+- [ ] node affinity + eviction: how do i limit non-rook pods running on rook nodes?
+  - PreferNoSchedule taint on rook nodes

+ 1 - 1
gogs-pvc.yaml

@@ -11,4 +11,4 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 2Gi
+      storage: 4Gi

+ 1 - 1
gogs.yaml

@@ -23,7 +23,7 @@ spec:
     spec:
       containers:
       - name: gogs
-        image: gogs/gogs:0.13.0
+        image: gogs/gogs:0.13.2
         env:
         - name: SOCAT_LINK
           value: "false"

+ 19 - 0
monitoring/targets/qbittorrentvpn-exporter.yaml

@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: qbittorrentvpn-exporter
+    name: qbittorrentvpn-exporter
+  name: qbittorrentvpn-exporter
+  namespace: plex
+spec:
+  endpoints:
+  - port: metrics
+    path: /metrics
+  namespaceSelector:
+    matchNames:
+    - plex
+  selector:
+    matchLabels:
+      app: qbittorrentvpn-exporter
+

+ 14 - 0
qbittorrentvpn-pvc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: qbittorrentvpn-pvc
+  namespace: plex
+  labels:
+    app: qbittorrentvpn
+spec:
+  storageClassName: ceph-block-ssd
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 500Mi

+ 174 - 0
qbittorrentvpn.yaml

@@ -0,0 +1,174 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrentvpn
+  namespace: plex
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: qbittorrentvpn
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: qbittorrentvpn
+      annotations:
+        backup.velero.io/backup-volumes-excludes: seedbox,media,media2,data-ec
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: cluster-ingress
+                operator: In
+                values:
+                - "true"
+      containers:
+      - name: qbittorrentvpn
+        image: binhex/arch-qbittorrentvpn:5.0.2-1-01
+        ports:
+        - containerPort: 8080
+          name: http-web-svc
+        securityContext:
+          privileged: true
+        envFrom:
+        - secretRef:
+            name: qbittorrentvpn-secret
+        volumeMounts:
+        - mountPath: "/data"
+          name: seedbox
+        - mountPath: "/media"
+          name: media
+        - mountPath: "/media2"
+          name: media2
+        - mountPath: "/dataec"
+          name: data-ec
+        - mountPath: "/config"
+          name: config
+        resources:
+          requests:
+            memory: "0"
+          limits:
+            memory: "4Gi"
+      volumes:
+      - name: seedbox
+        persistentVolumeClaim:
+          claimName: seedbox-pvc
+      - name: media
+        persistentVolumeClaim:
+          claimName: plex-pvc
+      - name: media2
+        persistentVolumeClaim:
+          claimName: media2-pvc
+      - name: data-ec
+        persistentVolumeClaim:
+          claimName: data-ec-pvc
+      - name: config
+        persistentVolumeClaim:
+          claimName: qbittorrentvpn-pvc
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: qbittorrentvpn-exporter
+  namespace: plex
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: qbittorrentvpn-exporter
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: qbittorrentvpn-exporter
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: cluster-ingress
+                operator: In
+                values:
+                - "true"
+      containers:
+      - name: qbittorrentvpn-exporter
+        image: ghcr.io/esanchezm/prometheus-qbittorrent-exporter:v1.6.0
+        ports:
+        - containerPort: 8000
+          name: metrics
+        envFrom:
+        - secretRef:
+            name: qbittorrentvpn-exporter-secret
+        livenessProbe:
+          exec:
+            command:
+            - "/bin/sh"
+            - "-c"
+            - 'wget -O - 0.0.0.0:8000 | grep -E "qbittorrent_up\{.* 1.0"'
+          initialDelaySeconds: 3
+          periodSeconds: 3
+        resources:
+          requests:
+            memory: "0"
+          limits:
+            memory: "256Mi"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrentvpn-service
+  namespace: plex
+spec:
+  selector:
+    app: qbittorrentvpn
+  type: ClusterIP
+  ports:
+  - name: qbittorrentvpn-web-port
+    protocol: TCP
+    port: 8080
+    targetPort: http-web-svc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: qbittorrentvpn-exporter-service
+  namespace: plex
+  labels:
+    app: qbittorrentvpn-exporter
+spec:
+  selector:
+    app: qbittorrentvpn-exporter
+  type: ClusterIP
+  ports:
+  - name: metrics
+    protocol: TCP
+    port: 8000
+    targetPort: metrics
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: qbittorrentvpn
+  namespace: plex
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-lanonly@kubernetescrd
+spec:
+  rules:
+    - host: qbittorrentvpn.lan.jibby.org
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: qbittorrentvpn-service
+                port:
+                  number: 8080
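Review bot: The qbittorrentvpn container in the first Deployment runs with `securityContext: privileged: true`, which grants every capability plus host device access to a pod that also holds VPN credentials via `envFrom: secretRef: qbittorrentvpn-secret` and mounts four media PVCs; that is a wide blast radius for a torrent client that only needs to bring up a tunnel. If the image only needs to create the tun interface and adjust routes, a narrower `securityContext` of `capabilities: add: ["NET_ADMIN"]` together with exposing `/dev/net/tun` (e.g. a hostPath volume) may be enough — confirm against the image's documentation before changing it, since some VPN images still insist on privileged mode. A short comment above the line recording why privileged is required (`# privileged: needed by the image for tun/iptables setup — revisit once NET_ADMIN + /dev/net/tun is confirmed sufficient`) would at least make the decision auditable. The exporter Deployment further down correctly runs without any elevated securityContext, which is the pattern to converge on.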

+ 7 - 3
rook/rook-ceph-cluster-values.yaml

@@ -249,8 +249,10 @@ cephClusterSpec:
       podAntiAffinity:
       topologySpreadConstraints:
       tolerations:
-      - key: storage-node
-        operator: Exists
+        - key: storage-node
+          operator: Equal
+          value: "true"
+          effect: PreferNoSchedule
   #   # The above placement information can also be specified for mon, osd, and mgr components
   #   mon:
   #   # Monitor deployments may contain an anti-affinity rule for avoiding monitor
@@ -576,7 +578,9 @@ cephFileSystems:
           topologySpreadConstraints:
           tolerations:
           - key: storage-node
-            operator: Exists
+            operator: Equal
+            value: "true"
+            effect: PreferNoSchedule
         priorityClassName: system-cluster-critical
     storageClass:
       enabled: true
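Review bot: The replacement toleration in the `cephClusterSpec` placement hunk (`operator: Equal`, `value: "true"`, `effect: PreferNoSchedule`) is strictly narrower than the removed `operator: Exists` form, which had no `effect` and therefore tolerated every effect of the `storage-node` key; the `cephFileSystems` hunk below makes the same substitution. If any rook node currently carries a `storage-node` taint with effect `NoSchedule` or `NoExecute`, the ceph pods will no longer be able to land (or stay) there, so the live node taints should be checked with `kubectl describe node` before this is applied — the README hunk in this commit still lists the PreferNoSchedule taint as a TODO, so the tolerations are being landed ahead of the taint. Separately, the first hunk indents the sequence under `tolerations:` (`        - key: storage-node`) while the second keeps it flush with the key (`          - key: storage-node`); both parse, but the file should settle on one sequence-indentation style.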

+ 9 - 4
rook/rook-ceph-operator-values.yaml

@@ -407,9 +407,10 @@ csi:
 
   # -- Array of tolerations in YAML format which will be added to CSI provisioner deployment
   provisionerTolerations:
-  #    - key: key
-  #      operator: Exists
-  #      effect: NoSchedule
+    - key: storage-node
+      operator: Equal
+      value: "true"
+      effect: PreferNoSchedule
 
   # -- The node labels for affinity of the CSI provisioner deployment [^1]
   provisionerNodeAffinity: "storage-node=true" #key1=value1,value2; key2=value3
@@ -417,7 +418,11 @@ csi:
   # The CSI plugins need to be started on all the nodes where the clients need to mount the storage.
 
   # -- Array of tolerations in YAML format which will be added to CephCSI plugin DaemonSet
-  pluginTolerations: []
+  pluginTolerations:
+    - key: storage-node
+      operator: Equal
+      value: "true"
+      effect: PreferNoSchedule
 
   # -- The node labels for affinity of the CephCSI RBD plugin DaemonSet [^1]
   pluginNodeAffinity: "storage-node=true,false" # key1=value1,value2; key2=value3