Media Stack

Property	Value
Namespace	`media`
PSS	`privileged` (Jellyfin requires `/dev/dri` DRM ioctls for Intel QSV — set in `kubernetes/apps/media/namespace.yaml`)

Component	Image	Port	Purpose	Docs
Jellyfin HA	`harbor.k3s.internal.strommen.systems/production/jellyfin-ha:sha-<commit>`	8096	Media server with QSV transcoding (HA fork, PostgreSQL backend)	Jellyfin
Plex	`plexinc/pms-docker:1.43.0.10492-121068a07`	32400	Media server for external Plex apps (TV, mobile, desktop)	Plex
Jellyseerr	`ghcr.io/seerr-team/seerr:v3.1.0`	5055	Media request management — routes to Radarr/Sonarr	Jellyseerr
Radarr	`linuxserver/radarr:5.16.3`	7878	Movie download automation	Radarr
Sonarr	`linuxserver/sonarr:4.0.17`	8989	TV download automation	Sonarr
Prowlarr	`linuxserver/prowlarr:1.28.2`	9696	Indexer manager (TorrentLeech, etc.)	Prowlarr
Bazarr	`linuxserver/bazarr:1.4.5`	6767	Automated subtitle downloads	Bazarr
qBittorrent	`linuxserver/qbittorrent:5.0.3`	8080	Local torrent client (VPN-tunneled via gluetun)	qBittorrent
gluetun	`ghcr.io/qdm12/gluetun:v3.40.0`	8888	OpenVPN sidecar — kill switch + HTTP proxy for Prowlarr	qBittorrent
FlareSolverr	`ghcr.io/flaresolverr/flaresolverr:v3.3.21`	8191	Cloudflare bypass proxy for Prowlarr indexers	—
Tdarr Server	`ghcr.io/haveagitgat/tdarr:2.58.02`	8265/8266	Distributed transcode job queue and web UI	Tdarr
Tdarr Worker	`ghcr.io/haveagitgat/tdarr_node:2.58.02`	—	GPU-accelerated transcode worker (DaemonSet on GPU nodes)	Tdarr
Media Controller	`harbor.k3s.internal.strommen.systems/production/media-controller:sha-0bbd4a9`	8080	Automated media lifecycle: discovery, promotion, pruning of auto-managed library	Media Controller
Seedbox Sync	`alpine:3.19` (rsync)	—	rsync over SSH: RapidSeedbox → NAS (CronJob, every 4h)	Seedbox Sync
exportarr	`ghcr.io/onedr0p/exportarr:v2.3.0`	9707	Prometheus metrics sidecar for Radarr/Sonarr/Prowlarr/Bazarr	—
Intel GPU Exporter	`restreamio/intel-prometheus-gpu-exporter:0.0.3`	8080	GPU utilization metrics (DaemonSet)	—

Service	URL	Access
Jellyfin	https://jellyfin.k3s.strommen.systems	Public — Jellyfin native accounts (no Authentik; TV/mobile apps incompatible)
Plex	https://plex.k3s.strommen.systems	Public — Built-in Plex account auth (no Authentik; external clients need direct access)
Jellyseerr	https://jellyseerr.k3s.strommen.systems	Public — Authentik SSO
Radarr	https://radarr.k3s.strommen.systems	Public — Authentik SSO
Sonarr	https://sonarr.k3s.strommen.systems	Public — Authentik SSO
Prowlarr	https://prowlarr.k3s.strommen.systems	Public — Authentik SSO
Bazarr	https://bazarr.k3s.strommen.systems	Public — Authentik SSO
qBittorrent	https://qbt.k3s.internal.strommen.systems	Internal only — Authentik forwardAuth
Tdarr	https://tdarr.k3s.strommen.systems	Public — Authentik SSO
Media Controller	https://media-controller.k3s.strommen.systems	Public — Authentik SSO

Property	Value
URL	https://media-controller.k3s.strommen.systems (Authentik forwardAuth)
Port	8080
DB	PostgreSQL 16-alpine (5Gi Longhorn PVC), DB: `media_controller`
DB backup	Daily 4:00 AM UTC → S3 `postgres-backups/media/`

Account	UID	Access
svc-jellyfin	10010	Read all media
svc-bazarr	10011	Read movies/ + tv/
svc-rclone	10012	Read-write all (also used by qBittorrent — see TODO below)
svc-radarr	10013	Read-write movies/ + downloads/
svc-sonarr	10014	Read-write tv/ + downloads/
svc-prowlarr	10015	Config only
svc-tdarr	10016	Read-write all (transcode-in-place)
svc-media-ctrl	10017	Read-write auto-managed/ + permanent/
svc-plex	10018	Read all media

Component	Image	Purpose
jellyfin-ha (×2)	`production/jellyfin-ha:sha-<commit>`	Media server (StatefulSet)
PostgreSQL	`postgres:16.13-alpine`	Metadata + library database (5Gi Longhorn PVC)
Redis	`redis:7.4.2-alpine3.21`	Session cache (no persistence — reconstructable)
PDB	—	Ensures at least 1 replica during disruptions

Secret	Namespace	Keys	Purpose
`jellyfin-postgres-credentials`	media	`POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `DATABASE_URL`	Jellyfin PostgreSQL access
`qbittorrent-vpn`	media	`vpn-username`, `vpn-password`	gluetun OpenVPN credentials (RapidSeedbox)
`seedbox-ssh`	media	`SSH_HOST`, `SSH_PORT`, `SSH_USER`, `SSH_PASS`	rsync-over-SSH credentials for seedbox sync CronJob
`arr-api-keys`	media	`RADARR_API_KEY`, `SONARR_API_KEY`	Consumed by seedbox-sync CronJob to trigger imports
`exportarr-api-keys`	media	`BAZARR_API_KEY`, `RADARR_API_KEY`, `SONARR_API_KEY`, `PROWLARR_API_KEY`	exportarr sidecar Prometheus scraping
`media-controller-secrets`	media	`jellyfin-api-key`, `jellyseerr-api-key`, `radarr-api-key`, `sonarr-api-key`, `jellyfin-user-id`, `slack-webhook-url`	Media Controller API integrations
`media-controller-postgres-credentials`	media	`username`, `password`	Media Controller PostgreSQL access

File	Purpose
`namespace.yaml`	Namespace (sets `privileged` PSS — required for GPU transcoding)
`nfs-pv.yaml`	NFS PersistentVolumes + PVCs for all services
`jellyfin.yaml`	StatefulSet (2 replicas), services, IngressRoute
`jellyfin-postgres.yaml`	PostgreSQL StatefulSet + PVC
`jellyfin-redis.yaml`	Redis session cache (production)
`jellyfin-valkey.yaml`	Valkey (staged Redis replacement, not yet active)
`jellyfin-cache-service.yaml`	Stable cache service alias
`jellyfin-networkpolicy.yaml`	Network isolation rules
`jellyfin-pdb.yaml`	PodDisruptionBudget
`jellyfin-pg-backup.yaml`	Nightly DB backup CronJob (3:30 AM UTC)
`plex.yaml`	Deployment, PVC, Service, IngressRoute, Certificate, PDB
`plex-library-scan.yaml`	CronJob (library refresh every 6h via Plex API)
`jellyseerr.yaml`	Deployment (chown init container), PVC, Service, Certificate
`radarr.yaml`	Deployment, PVC, IngressRoute, exportarr sidecar
`sonarr.yaml`	Deployment, PVC, IngressRoute, exportarr sidecar
`prowlarr.yaml`	Deployment, PVC, IngressRoute, exportarr sidecar
`bazarr.yaml`	Deployment, PVC, IngressRoute, exportarr sidecar
`qbittorrent.yaml`	Deployment (qBittorrent + gluetun), Services, IngressRoute
`qbittorrent-netpol.yaml`	Network policy for VPN pod
`flaresolverr.yaml`	Deployment, ClusterIP service
`tdarr.yaml`	Server Deployment + Worker DaemonSet, Services, IngressRoute
`media-controller.yaml`	PostgreSQL StatefulSet + media-controller Deployment, Service, IngressRoute
`media-controller-postgres-backup.yaml`	Daily backup CronJob (4:00 AM UTC)
`rclone-sync.yaml`	CronJob (rsync SSH → NAS, every 4h) — misnamed; uses rsync not rclone
`gpu-exporter.yaml`	Intel GPU metrics DaemonSet
`alerts.yaml`	PrometheusRules
`grafana-dashboard.yaml`	Grafana ConfigMap — Intel GPU metrics dashboard
`grafana-dashboard-media-stack.yaml`	Grafana ConfigMap — Jellyfin HA + arr suite overview

¶ Media Stack

¶ Components

¶ Endpoints

¶ Content Pipeline

¶ Media Controller

¶ Storage Architecture

¶ NAS Service Accounts

¶ Directory Layout

¶ GPU Configuration

¶ Jellyfin — HA Details

¶ Plex — Operational Notes

¶ qBittorrent — VPN Architecture

¶ Secrets

¶ Monitoring

¶ Setup Order

¶ Manifests

¶ Media Stack

¶ Components

¶ Endpoints

¶ Content Pipeline

¶ Media Controller

¶ Storage Architecture

¶ NAS Service Accounts

¶ Directory Layout

¶ GPU Configuration

¶ Jellyfin — HA Details

¶ Plex — Operational Notes

¶ qBittorrent — VPN Architecture

¶ Secrets

¶ Monitoring

¶ Setup Order

¶ Manifests

¶ Related Pages