From 077ad34a892524321f555f33f3bd7d25ad8b066b Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Thu, 8 Jan 2026 06:43:12 +0000
Subject: [PATCH] Automated Manifest Update (#3102)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3102
Co-authored-by: gitea-bot
Co-committed-by: gitea-bot
---
 .../Deployment-tubearchivist.yaml | 4 --
 .../Deployment-yubal-playlist.yaml | 59 +++++++++++++++++++
 ...lSecret-yubal-playlist-wireguard-conf.yaml | 35 +++++++++++
 3 files changed, 94 insertions(+), 4 deletions(-)
 create mode 100644 clusters/cl01tl/manifests/yubal-playlist/ExternalSecret-yubal-playlist-wireguard-conf.yaml

diff --git a/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml
index 5684e9af7..d195a671d 100644
--- a/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml
@@ -54,10 +54,6 @@ spec:
 secretKeyRef:
 key: proton-password
 name: tubearchivist-wireguard-conf
- - name: VPN_PORT_FORWARDING
- value: "on"
- - name: PORT_FORWARD_ONLY
- value: "on"
 - name: FIREWALL_OUTBOUND_SUBNETS
 value: 10.0.0.0/8
 - name: FIREWALL_INPUT_PORTS
diff --git a/clusters/cl01tl/manifests/yubal-playlist/Deployment-yubal-playlist.yaml b/clusters/cl01tl/manifests/yubal-playlist/Deployment-yubal-playlist.yaml
index 6722e9184..7621f7a21 100644
--- a/clusters/cl01tl/manifests/yubal-playlist/Deployment-yubal-playlist.yaml
+++ b/clusters/cl01tl/manifests/yubal-playlist/Deployment-yubal-playlist.yaml
@@ -34,6 +34,65 @@ spec:
 hostPID: false
 dnsPolicy: ClusterFirst
 containers:
+ - env:
+ - name: VPN_SERVICE_PROVIDER
+ value: protonvpn
+ - name: VPN_TYPE
+ value: wireguard
+ - name: WIREGUARD_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ key: private-key
+ name: yubal-playlist-wireguard-conf
+ - name: UPDATER_PROTONVPN_EMAIL
+ valueFrom:
+ secretKeyRef:
+ key: proton-email
+ name: yubal-playlist-wireguard-conf
+ - name: UPDATER_PROTONVPN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: proton-password
+ name: yubal-playlist-wireguard-conf
+ - name: FIREWALL_OUTBOUND_SUBNETS
+ value: 10.0.0.0/8
+ - name: FIREWALL_INPUT_PORTS
+ value: 80,8000,24000
+ - name: DNS_UPSTREAM_RESOLVER_TYPE
+ value: dot
+ image: ghcr.io/qdm12/gluetun:v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
+ imagePullPolicy: IfNotPresent
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - (ip rule del table 51820; ip -6 rule del table 51820) || true
+ livenessProbe:
+ exec:
+ command:
+ - /gluetun-entrypoint
+ - healthcheck
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 15
+ name: gluetun
+ resources:
+ limits:
+ devic.es/tun: "1"
+ requests:
+ cpu: 10m
+ devic.es/tun: "1"
+ memory: 128Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ privileged: true
 - env:
 - name: YUBAL_TZ
 value: America/Chicago
diff --git a/clusters/cl01tl/manifests/yubal-playlist/ExternalSecret-yubal-playlist-wireguard-conf.yaml b/clusters/cl01tl/manifests/yubal-playlist/ExternalSecret-yubal-playlist-wireguard-conf.yaml
new file mode 100644
index 000000000..0240fa8b6
--- /dev/null
+++ b/clusters/cl01tl/manifests/yubal-playlist/ExternalSecret-yubal-playlist-wireguard-conf.yaml
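Review bot: The new `gluetun` sidecar's `securityContext` sets `privileged: true`, which makes the `capabilities.add` list beside it moot: a privileged container already holds every capability and has access to the node's devices, so a compromise of the VPN client is effectively a compromise of the node. The container also requests `devic.es/tun: "1"`, which suggests the tun device is supplied by a device plugin and that privileged mode may not be needed for it. Consider rendering `privileged: false` with only `- NET_ADMIN`, keeping `- SYS_MODULE` only if the WireGuard module really has to be loaded from inside the pod; whether gluetun runs that way on this cluster is not visible here and needs testing. Because this manifest is rendered output, the change belongs in the chart values that produce it. Separately, `FIREWALL_OUTBOUND_SUBNETS` with value `10.0.0.0/8` lets the sidecar reach the whole private range outside the tunnel, and narrowing it to the subnets the workload needs would limit lateral reach.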
@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: yubal-playlist-wireguard-conf
+ namespace: yubal-playlist
+ labels:
+ app.kubernetes.io/name: yubal-playlist-wireguard-conf
+ app.kubernetes.io/instance: yubal-playlist
+ app.kubernetes.io/part-of: yubal-playlist
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: private-key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: private-key
+ - secretKey: proton-email
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: email
+ - secretKey: proton-password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: password
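Review bot: All three `data` entries copy account-level material from the single Vault path `/protonvpn/conf/cl01tl` into a Secret in the `yubal-playlist` namespace, so this Secret holds the Proton account e-mail and password as well as the WireGuard private key. The path looks cluster-scoped rather than per-workload; if other deployments such as tubearchivist sync the same path (not shown on this page), one compromised namespace exposes the credentials and key that all of them use. Consider a per-workload WireGuard key under its own path, e.g. `key: /protonvpn/conf/<per-workload-path>` (placeholder), and drop the `proton-email` and `proton-password` entries if the updater credentials are not needed by this pod. `spec.refreshInterval` and `spec.target` are also left to operator defaults; stating them explicitly would document how quickly a rotated key reaches the pod.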