Deploying a Kubernetes-Based Media Server

This is the setup I use to run a full media automation stack on my Kubernetes cluster. It covers Jellyfin for streaming, Radarr and Sonarr for media management, Jackett for indexers, qBittorrent for downloads, and Gluetun for VPN tunneling. Config lives on Longhorn; media is stored on a Synology NAS DS223 mounted via NFS 4.1 as a PersistentVolume.

Components

Application	Role
Jellyfin	Media streaming
Radarr	Movie library management
Sonarr	TV show management
Jackett	Torrent indexer proxy
qBittorrent	Download client
Gluetun	VPN sidecar for qBittorrent

Synology NAS NFS Setup

If you’re using a Synology NAS, this is the NFS share rule I use — applied before mounting on the Kubernetes side.

NFS rule configuration on Synology NAS

PersistentVolumes and PVCs

Media Storage

Create nfs-media-pv-and-pvc.yaml:

1
apiVersion: v1
2
kind: PersistentVolume
3
metadata:
4
  name: jellyfin-videos
5
spec:
6
  capacity:
7
    storage: 400Gi
8
  accessModes:
9
    - ReadWriteOnce
10
  nfs:
11
    path: /volume1/server/k3s/media
12
    server: storage.merox.cloud
13
  persistentVolumeReclaimPolicy: Retain
14
  mountOptions:
15
    - hard
16
    - nfsvers=3
17
  storageClassName: ""
18
---
19
apiVersion: v1
20
kind: PersistentVolumeClaim
21
metadata:
22
  name: jellyfin-videos
23
  namespace: media
24
spec:
25
  accessModes:
26
    - ReadWriteOnce
27
  resources:
28
    requests:
29
      storage: 400Gi
30
  volumeName: jellyfin-videos
31
  storageClassName: ""

kubectl apply -f nfs-media-pv-and-pvc.yaml

Download Storage

Create nfs-download-pv-and-pvc.yaml:

1
apiVersion: v1
2
kind: PersistentVolume
3
metadata:
4
  name: qbitt-download
5
spec:
6
  capacity:
7
    storage: 400Gi
8
  accessModes:
9
    - ReadWriteOnce
10
  nfs:
11
    path: /volume1/server/k3s/media/download
12
    server: storage.merox.cloud
13
  persistentVolumeReclaimPolicy: Retain
14
  mountOptions:
15
    - hard
16
    - nfsvers=3
17
  storageClassName: ""
18
---
19
apiVersion: v1
20
kind: PersistentVolumeClaim
21
metadata:
22
  name: qbitt-download
23
  namespace: media
24
spec:
25
  accessModes:
26
    - ReadWriteOnce
27
  resources:
28
    requests:
29
      storage: 400Gi
30
  volumeName: qbitt-download
31
  storageClassName: ""

kubectl apply -f nfs-download-pv-and-pvc.yaml

Longhorn PVC for App Configs

Create app-config-pvc.yaml (repeat for each app):

1
apiVersion: v1
2
kind: PersistentVolumeClaim
3
metadata:
4
  name: app # radarr for example
5
  namespace: media
6
spec:
7
  accessModes:
8
    - ReadWriteOnce
9
  storageClassName: longhorn
10
  resources:
11
    requests:
12
      storage: 5Gi

kubectl apply -f app-config-pvc.yaml

Danger

You need a separate PVC for each application: Jellyfin, Sonarr, Radarr, Jackett, and qBittorrent.

Deployments

Jellyfin

Create jellyfin-deployment.yaml:

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: jellyfin
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: jellyfin
11
  template:
12
    metadata:
13
      labels:
14
        app: jellyfin
15
    spec:
16
      containers:
17
      - name: jellyfin
18
        image: jellyfin/jellyfin
19
        volumeMounts:
20
        - name: config
21
          mountPath: /config
22
        - name: videos
23
          mountPath: /data/videos
24
        ports:
25
        - containerPort: 8096
26
      volumes:
27
      - name: config
28
        persistentVolumeClaim:
29
          claimName: jellyfin-config
30
      - name: videos
31
        persistentVolumeClaim:
32
          claimName: jellyfin-videos

kubectl apply -f jellyfin-deployment.yaml

Sonarr

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: sonarr
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: sonarr
11
  template:
12
    metadata:
13
      labels:
14
        app: sonarr
15
    spec:
16
      containers:
17
      - name: sonarr
18
        image: linuxserver/sonarr
19
        env:
20
        - name: PUID
21
          value: "1057"
22
        - name: PGID
23
          value: "1056"
24
        volumeMounts:
25
        - name: config
26
          mountPath: /config
27
        - name: videos
28
          mountPath: /tv
29
        - name: downloads
30
          mountPath: /downloads
31
        ports:
32
        - containerPort: 8989
33
      volumes:
34
      - name: config
35
        persistentVolumeClaim:
36
          claimName: sonarr-config
37
      - name: videos
38
        persistentVolumeClaim:
39
          claimName: jellyfin-videos
40
      - name: downloads
41
        persistentVolumeClaim:
42
          claimName: qbitt-download

Radarr

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: radarr
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: radarr
11
  template:
12
    metadata:
13
      labels:
14
        app: radarr
15
    spec:
16
      containers:
17
      - name: radarr
18
        image: linuxserver/radarr
19
        env:
20
        - name: PUID
21
          value: "1057"
22
        - name: PGID
23
          value: "1056"
24
        volumeMounts:
25
        - name: config
26
          mountPath: /config
27
        - name: videos
28
          mountPath: /movies
29
        - name: downloads
30
          mountPath: /downloads
31
        ports:
32
        - containerPort: 7878
33
      volumes:
34
      - name: config
35
        persistentVolumeClaim:
36
          claimName: radarr-config
37
      - name: videos
38
        persistentVolumeClaim:
39
          claimName: jellyfin-videos
40
      - name: downloads
41
        persistentVolumeClaim:
42
          claimName: qbitt-download

Jackett

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: jackett
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: jackett
11
  template:
12
    metadata:
13
      labels:
14
        app: jackett
15
    spec:
16
      containers:
17
      - name: jackett
18
        image: linuxserver/jackett
19
        env:
20
        - name: PUID
21
          value: "1057"
22
        - name: PGID
23
          value: "1056"
24
        volumeMounts:
25
        - name: config
26
          mountPath: /config
27
        ports:
28
        - containerPort: 9117
29
      volumes:
30
      - name: config
31
        persistentVolumeClaim:
32
          claimName: jackett-config

qBittorrent (standalone)

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: qbittorrent
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: qbittorrent
11
  template:
12
    metadata:
13
      labels:
14
        app: qbittorrent
15
    spec:
16
      containers:
17
      - name: qbittorrent
18
        image: linuxserver/qbittorrent
19
        resources:
20
          limits:
21
            memory: "2Gi"
22
          requests:
23
            memory: "512Mi"
24
        env:
25
        - name: PUID
26
          value: "1057"
27
        - name: PGID
28
          value: "1056"
29
        volumeMounts:
30
        - name: config
31
          mountPath: /config
32
        - name: downloads
33
          mountPath: /downloads
34
        ports:
35
        - containerPort: 8080
36
      volumes:
37
      - name: config
38
        persistentVolumeClaim:
39
          claimName: qbitt-config
40
      - name: downloads
41
        persistentVolumeClaim:
42
          claimName: qbitt-download

qBittorrent with Gluetun

If you want to route qBittorrent traffic through a VPN, use this version instead — Gluetun runs as a sidecar and shares the network namespace.

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: qbittorrent
5
  namespace: media
6
spec:
7
  replicas: 1
8
  selector:
9
    matchLabels:
10
      app: qbittorrent
11
  template:
12
    metadata:
13
      labels:
14
        app: qbittorrent
15
    spec:
16
      containers:
17
        - name: qbittorrent
18
          image: linuxserver/qbittorrent
19
          resources:
20
            limits:
21
              memory: "2Gi"
22
            requests:
23
              memory: "512Mi"
24
          env:
25
           - name: PUID
26
             value: "1057"
27
           - name: PGID
28
             value: "1056"
29
          volumeMounts:
30
            - name: config
31
              mountPath: /config
32
            - name: downloads
33
              mountPath: /downloads
34
          ports:
35
            - containerPort: 8080
36

37
        - name: gluetun
38
          image: qmcgaw/gluetun
39
          env:
40
            - name: VPNSP
41
              value: "protonvpn"
42
            - name: OPENVPN_USER
43
              valueFrom:
44
                secretKeyRef:
45
                  name: protonvpn-secrets
46
                  key: PROTONVPN_USER
47
            - name: OPENVPN_PASSWORD
48
              valueFrom:
49
                secretKeyRef:
50
                  name: protonvpn-secrets
51
                  key: PROTONVPN_PASSWORD
52
            - name: COUNTRY
53
              value: "Germany"
54
          securityContext:
55
            capabilities:
56
              add:
57
                - NET_ADMIN
58
          volumeMounts:
59
            - name: gluetun-config
60
              mountPath: /gluetun
61

62
      volumes:
63
        - name: config
64
          persistentVolumeClaim:
65
            claimName: qbitt-config
66
        - name: downloads
67
          persistentVolumeClaim:
68
            claimName: qbitt-download
69
        - name: gluetun-config
70
          persistentVolumeClaim:
71
            claimName: gluetun-config

Note

I use ProtonVPN — no-logs policy, solid speeds, and reasonably priced.

ClusterIP Services

Each app needs a ClusterIP service so Traefik can route to it internally. Create app-service.yaml per application:

1
apiVersion: v1
2
kind: Service
3
metadata:
4
  name: app # radarr for example
5
  namespace: media
6
spec:
7
  type: ClusterIP
8
  ports:
9
    - port: 80
10
      targetPort: 7878
11
  selector:
12
    app: app # radarr for example

kubectl apply -f app-service.yaml

Traefik Middleware

Create default-headers-media.yaml:

1
apiVersion: traefik.containo.us/v1alpha1
2
kind: Middleware
3
metadata:
4
  name: default-headers-media
5
  namespace: media
6
spec:
7
  headers:
8
    browserXssFilter: true
9
    contentTypeNosniff: true
10
    forceSTSHeader: true
11
    stsIncludeSubdomains: true
12
    stsPreload: true
13
    stsSeconds: 15552000
14
    customFrameOptionsValue: SAMEORIGIN
15
    customRequestHeaders:
16
      X-Forwarded-Proto: https

kubectl apply -f default-headers-media.yaml

IngressRoutes

Create app-ingress-route.yaml per application:

1
apiVersion: traefik.containo.us/v1alpha1
2
kind: IngressRoute
3
metadata:
4
  name: app # radarr for example
5
  namespace: media
6
  annotations:
7
    kubernetes.io/ingress.class: traefik-external
8
spec:
9
  entryPoints:
10
    - websecure
11
  routes:
12
    - match: Host(`movies.merox.cloud`) # change to your domain
13
      kind: Rule
14
      services:
15
        - name: app # radarr for example
16
          port: 80
17
    - match: Host(`movies.merox.cloud`) # change to your domain
18
      kind: Rule
19
      services:
20
        - name: app # radarr for example
21
          port: 80
22
      middlewares:
23
        - name: default-headers-media
24
  tls:
25
    secretName: mycert-tls # change to your cert name

kubectl apply -f app-ingress-route.yaml

Danger

Add the hostname declared in your IngressRoute to your DNS server before applying.

Manifest Files

All manifests are available here — copy and deploy what you need:

All manifest files 🔗