add protonvpn

2025-12-06 20:52:20 -06:00
parent 18a5ef9b6f
commit 722694b022
2 changed files with 63 additions and 0 deletions
--- a/clusters/cl01tl/helm/searxng/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/searxng/templates/external-secret.yaml
@@ -1,5 +1,28 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
+metadata:
+  name: searxng-wireguard-conf
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: searxng-wireguard-conf
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: private-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /protonvpn/conf/cl01tl
+        metadataPolicy: None
+        property: private-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
 metadata:
  name: searxng-api-config-secret
  namespace: {{ .Release.Namespace }}
--- a/clusters/cl01tl/helm/searxng/values.yaml
+++ b/clusters/cl01tl/helm/searxng/values.yaml
@@ -62,6 +62,46 @@ searxng:
            requests:
              cpu: 10m
              memory: 256Mi
+        gluetun:
+          image:
+            repository: ghcr.io/qdm12/gluetun
+            tag: v3.40.3@sha256:ef4a44819a60469682c7b5e69183e6401171891feaa60186652d292c59e41b30
+            pullPolicy: IfNotPresent
+          env:
+            - name: VPN_SERVICE_PROVIDER
+              value: protonvpn
+            - name: VPN_TYPE
+              value: wireguard
+            - name: WIREGUARD_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: searxng-wireguard-conf
+                  key: private-key
+            - name: VPN_PORT_FORWARDING
+              value: "on"
+            - name: VPN_PORT_FORWARDING_UP_COMMAND
+              value: '/bin/sh -c "/gluetun/update.sh {{ printf "{{PORTS}}" }}"'
+            - name: PORT_FORWARD_ONLY
+              value: "on"
+            - name: FIREWALL_OUTBOUND_SUBNETS
+              value: 192.168.1.0/24,10.244.0.0/16
+            - name: FIREWALL_INPUT_PORTS
+              value: 8080
+            - name: DOT
+              value: "off"
+          securityContext:
+            privileged: True
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_MODULE
+          resources:
+            limits:
+              devic.es/tun: "1"
+            requests:
+              devic.es/tun: "1"
+              cpu: 10m
+              memory: 64Mi
  service:
    api:
      controller: api