alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Activity

feat: add more

Browse Source
This commit is contained in:
Alex Lebens
2026-04-22 19:14:38 -05:00
parent f0bd248799
commit 5d23f3c391
22 changed files with 252 additions and 201 deletions
Download Patch File Download Diff File Expand all files Collapse all files
clusters/cl01tl/helm/qbittorrent/Chart.yaml
+1 -1
View File
@@ -5,7 +5,7 @@ description: qBittorrent
keywords:
- qbittorrent
- torrent
home: https://docs.alexlebens.dev/applications/prowlarr/
home: https://docs.alexlebens.dev/applications/qbittorrent/
sources:
- https://github.com/qbittorrent/qBittorrent
- https://github.com/qdm12/gluetun
clusters/cl01tl/helm/qbittorrent/templates/_helpers.tpl
+7
View File
@@ -12,3 +12,10 @@ Selector labels
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
qbittorrent-nfs-storage
{{- end -}}
clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml
+74 -37
View File
@@ -1,75 +1,112 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: qbittorrent-wireguard-conf
name: qbit-manage-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbittorrent-wireguard-conf
app.kubernetes.io/name: qbit-manage-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
ntfy-url: "{{ `{{ .endpoint }}` }}/qbit-manage"
data:
- secretKey: endpoint
remoteRef:
key: /cl01tl/ntfy/users/cl01tl
property: internal-endpoint-credential
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: qui-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qui-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: secret
remoteRef:
key: /cl01tl/authentik/oidc/qui
property: secret
- secretKey: client
remoteRef:
key: /cl01tl/authentik/oidc/qui
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: airvpn-wireguard-conf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: airvpn-wireguard-conf
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: conf
remoteRef:
key: /airvpn/config
property: conf
- secretKey: private-key
remoteRef:
key: /airvpn/conf/cl01tl
key: /airvpn/config
property: private-key
- secretKey: preshared-key
remoteRef:
key: /airvpn/conf/cl01tl
key: /airvpn/config
property: preshared-key
- secretKey: addresses
remoteRef:
key: /airvpn/conf/cl01tl
key: /airvpn/config
property: addresses
- secretKey: input-ports
remoteRef:
key: /airvpn/conf/cl01tl
key: /airvpn/config
property: input-ports
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: qbittorrent-qbit-manage-config
name: protonvpn-wireguard-conf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbittorrent-qbit-manage-config
app.kubernetes.io/name: protonvpn-wireguard-conf
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: ntfy-url
- secretKey: conf
remoteRef:
key: /cl01tl/qbittorrent/qbit-manage
property: ntfy-url
- secretKey: config.yml
key: /protonvpn/config
property: conf
- secretKey: email
remoteRef:
key: /cl01tl/qbittorrent/qbit-manage
property: config.yml
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: qui-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qui-oidc-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
key: /protonvpn/config
property: email
- secretKey: password
remoteRef:
key: /authentik/oidc/qui
property: secret
- secretKey: client
key: /protonvpn/config
property: password
- secretKey: private-key
remoteRef:
key: /authentik/oidc/qui
property: client
key: /protonvpn/config
property: private-key
clusters/cl01tl/helm/qbittorrent/templates/namespace.yaml
+2 -2
View File
@@ -1,9 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: qbittorrent
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbittorrent
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
clusters/cl01tl/helm/qbittorrent/templates/persistent-volume-claim.yaml
+3 -3
View File
@@ -1,13 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbittorrent-nfs-storage
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: qbittorrent-nfs-storage
volumeName: {{ include "custom.storageNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
clusters/cl01tl/helm/qbittorrent/templates/persistent-volume.yaml
+2 -2
View File
@@ -1,10 +1,10 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: qbittorrent-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbittorrent-nfs-storage
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
clusters/cl01tl/helm/qbittorrent/templates/secret-provider-class.yaml
+18
View File
@@ -0,0 +1,18 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: qbit-manage-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbit-manage-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: qbittorrent
objects: |
- objectName: config.yml
fileName: config.yml
secretPath: secret/data/cl01tl/qbittorrent/qbit-manage
secretKey: config.yml
clusters/cl01tl/helm/qbittorrent/values.yaml
+47 -45
View File
@@ -62,33 +62,22 @@ qbittorrent:
command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
env:
- name: VPN_SERVICE_PROVIDER
value: airvpn
value: protonvpn
- name: VPN_TYPE
value: wireguard
- name: WIREGUARD_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: qbittorrent-wireguard-conf
name: protonvpn-wireguard-conf
key: private-key
- name: WIREGUARD_PRESHARED_KEY
valueFrom:
secretKeyRef:
name: qbittorrent-wireguard-conf
key: preshared-key
- name: WIREGUARD_ADDRESSES
valueFrom:
secretKeyRef:
name: qbittorrent-wireguard-conf
key: addresses
- name: FIREWALL_VPN_INPUT_PORTS
valueFrom:
secretKeyRef:
name: qbittorrent-wireguard-conf
key: input-ports
- name: FIREWALL_OUTBOUND_SUBNETS
value: 192.168.1.0/24,10.244.0.0/16
- name: FIREWALL_INPUT_PORTS
value: 8080,9022
value: 5030,50300
- name: VPN_PORT_FORWARDING
value: 'on'
- name: VPN_PORT_FORWARDING_UP_COMMAND
value: '/bin/sh -c "/gluetun/update.sh {{ printf "{{PORTS}}" }}"'
- name: DNS_UPSTREAM_RESOLVER_TYPE
value: dot
- name: BLOCK_MALICIOUS
@@ -141,6 +130,8 @@ qbittorrent:
reloader.stakater.com/auto: "true"
replicas: 1
strategy: Recreate
serviceAccount:
name: qbittorrent
initContainers:
init-copy-config:
image:
@@ -150,7 +141,7 @@ qbittorrent:
- /bin/sh
- -ec
- |
cp /config/config.yml /app/config/config.yml
cp /tmp/config.yml /app/config/config.yml
containers:
qbit-manage:
image:
@@ -194,7 +185,7 @@ qbittorrent:
- name: APPRISE_STATELESS_URLS
valueFrom:
secretKeyRef:
name: qbittorrent-qbit-manage-config
name: qbit-manage-config
key: ntfy-url
qui:
type: deployment
@@ -223,12 +214,12 @@ qbittorrent:
- name: QUI__OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: qui-oidc-secret
name: qui-oidc-authentik
key: client
- name: QUI__OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: qui-oidc-secret
name: qui-oidc-authentik
key: secret
- name: QUI__OIDC_REDIRECT_URL
value: https://qui.alexlebens.net/api/auth/oidc/callback
@@ -238,6 +229,10 @@ qbittorrent:
requests:
cpu: 10m
memory: 70Mi
serviceAccount:
qbittorrent:
enabled: true
staticToken: true
service:
main:
controller: main
@@ -347,22 +342,6 @@ qbittorrent:
gluetun:
- path: /gluetun/update.sh
subPath: update.sh
qbit-manage-config:
enabled: true
type: secret
name: qbittorrent-qbit-manage-config
advancedMounts:
qbit-manage:
init-copy-config:
- path: /config/config.yml
readOnly: true
mountPropagation: None
subPath: config.yml
qbit-manage:
- path: /config/config.yml
readOnly: true
mountPropagation: None
subPath: config.yml
config-data:
forceRename: qbittorrent-config-data
storageClass: ceph-filesystem
@@ -377,6 +356,27 @@ qbittorrent:
qbit-manage:
- path: /qbittorrent/qBittorrent
readOnly: false
qbit-manage-config:
enabled: true
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: qbit-manage-config
advancedMounts:
qbit-manage:
init-copy-config:
- path: /tmp/config.yml
readOnly: true
mountPropagation: None
subPath: config.yml
qbit-manage:
- path: /tmp/config.yml
readOnly: true
mountPropagation: None
subPath: config.yml
qbit-manage-config-data:
forceRename: qbittorrent-qbit-manage-config-data
storageClass: ceph-block
@@ -390,6 +390,15 @@ qbittorrent:
qbit-manage:
- path: /app/config
readOnly: false
qbit-manage-config-var:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 500Mi
advancedMounts:
qbit-manage:
qbit-manage:
- path: /app/var
readOnly: false
qui-config-data:
forceRename: qbittorrent-qui-config-data
storageClass: ceph-block
@@ -400,13 +409,6 @@ qbittorrent:
qui:
- path: /config
readOnly: false
qbit-manage-config-var:
type: emptyDir
advancedMounts:
qbit-manage:
qbit-manage:
- path: /app/var
readOnly: false
storage:
type: persistentVolumeClaim
existingClaim: qbittorrent-nfs-storage