From 854f3646ce66df0c19897bd319ba8a28c9877e1d Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Fri, 20 Mar 2026 04:08:30 +0000 Subject: [PATCH] feat: switch to airvpn (#4912) Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4912 --- .../templates/external-secret.yaml | 21 ++- .../cl01tl/helm/music-grabber/values.yaml | 132 +++++++++--------- .../templates/external-secret.yaml | 21 ++- clusters/cl01tl/helm/qbittorrent/values.yaml | 17 ++- .../helm/slskd/templates/external-secret.yaml | 21 ++- clusters/cl01tl/helm/slskd/values.yaml | 23 +-- .../templates/external-secret.yaml | 21 ++- .../cl01tl/helm/tubearchivist/values.yaml | 10 +- .../helm/yubal/templates/external-secret.yaml | 21 ++- clusters/cl01tl/helm/yubal/values.yaml | 18 +-- 10 files changed, 175 insertions(+), 130 deletions(-) diff --git a/clusters/cl01tl/helm/music-grabber/templates/external-secret.yaml b/clusters/cl01tl/helm/music-grabber/templates/external-secret.yaml index 8f4d10f65..d3b8adc10 100644 --- a/clusters/cl01tl/helm/music-grabber/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/music-grabber/templates/external-secret.yaml @@ -60,20 +60,27 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None property: private-key - - secretKey: proton-email + - secretKey: preshared-key remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: email - - secretKey: proton-password + property: preshared-key + - secretKey: addresses remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: password + property: addresses + - secretKey: input-ports + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /airvpn/conf/cl01tl + metadataPolicy: None + property: input-ports 
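Review bot: The four `remoteRef` entries now sync the AirVPN `private-key`, `preshared-key`, `addresses` and `input-ports` into the music-grabber namespace, but the only consumer of that secret, the gluetun sidecar in `clusters/cl01tl/helm/music-grabber/values.yaml`, is commented out in this same commit; yubal is in the same state (its gluetun block stays commented while `clusters/cl01tl/helm/yubal/templates/external-secret.yaml` is updated to the full key set), and the tubearchivist secret gains `input-ports` although no env entry in the visible tubearchivist hunks reads it. A WireGuard identity synced into a namespace with no reader widens where the key material lives for no benefit, so either gate the ExternalSecret (or at least the unused entries) on the same switch as the sidecar, or record in the commit that the sidecar is expected to return. A comment above the data list such as `# consumed only by the gluetun sidecar in values.yaml; disable together with it` would make the coupling visible to the next reader.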
diff --git a/clusters/cl01tl/helm/music-grabber/values.yaml b/clusters/cl01tl/helm/music-grabber/values.yaml
index 5830c165a..0845b54ae 100644
--- a/clusters/cl01tl/helm/music-grabber/values.yaml
+++ b/clusters/cl01tl/helm/music-grabber/values.yaml
@@ -50,72 +50,72 @@ music-grabber: requests: cpu: 10m memory: 512Mi - gluetun: - image: - repository: ghcr.io/qdm12/gluetun - tag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab - pullPolicy: IfNotPresent - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] - env: - - name: VPN_SERVICE_PROVIDER - value: protonvpn - - name: VPN_TYPE - value: wireguard - - name: WIREGUARD_PRIVATE_KEY - valueFrom: - secretKeyRef: - name: music-grabber-wireguard-conf - key: private-key - - name: UPDATER_PROTONVPN_EMAIL - valueFrom: - secretKeyRef: - name: music-grabber-wireguard-conf - key: proton-email - - name: UPDATER_PROTONVPN_PASSWORD - valueFrom: - secretKeyRef: - name: music-grabber-wireguard-conf - key: proton-password - - name: FIREWALL_OUTBOUND_SUBNETS - value: 10.0.0.0/8 - - name: FIREWALL_INPUT_PORTS - value: 8080 - - name: DNS_UPSTREAM_RESOLVER_TYPE - value: dot - - name: HTTPPROXY - value: "off" - - name: SHADOWSOCKS - value: "off" - securityContext: - privileged: True - capabilities: - add: - - NET_ADMIN - - SYS_MODULE - probes: - liveness: - enabled: true - custom: true - spec: - exec: - command: - - /gluetun-entrypoint - - healthcheck - failureThreshold: 5 - initialDelaySeconds: 30 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 15 - resources: - limits: - devic.es/tun: "1" - requests: - devic.es/tun: "1" - cpu: 10m - memory: 128Mi + # gluetun: + # image: + # repository: ghcr.io/qdm12/gluetun + # tag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab + # pullPolicy: IfNotPresent + # lifecycle: + # postStart: + # exec: + # command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] + # env: + # - name: VPN_SERVICE_PROVIDER + # value: airvpn + # - name: VPN_TYPE + # value: wireguard + # - name: WIREGUARD_PRIVATE_KEY + # valueFrom: + # secretKeyRef: + # name: music-grabber-wireguard-conf + # 
key: private-key + # - name: WIREGUARD_PRESHARED_KEY + # valueFrom: + # secretKeyRef: + # name: music-grabber-wireguard-conf + # key: preshared-key + # - name: WIREGUARD_ADDRESSES + # valueFrom: + # secretKeyRef: + # name: music-grabber-wireguard-conf + # key: addresses + # - name: FIREWALL_OUTBOUND_SUBNETS + # value: 10.0.0.0/8 + # - name: FIREWALL_INPUT_PORTS + # value: 8080 + # - name: DNS_UPSTREAM_RESOLVER_TYPE + # value: dot + # - name: HTTPPROXY + # value: "off" + # - name: SHADOWSOCKS + # value: "off" + # securityContext: + # privileged: True + # capabilities: + # add: + # - NET_ADMIN + # - SYS_MODULE + # probes: + # liveness: + # enabled: true + # custom: true + # spec: + # exec: + # command: + # - /gluetun-entrypoint + # - healthcheck + # failureThreshold: 5 + # initialDelaySeconds: 30 + # periodSeconds: 30 + # successThreshold: 1 + # timeoutSeconds: 15 + # resources: + # limits: + # devic.es/tun: "1" + # requests: + # devic.es/tun: "1" + # cpu: 10m + # memory: 128Mi service: main: controller: main diff --git a/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml b/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml index f369f1685..f869825f1 100644 --- a/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml 
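Review bot: Commenting out the whole `gluetun` container removes both the WireGuard tunnel and the firewall it imposed on the pod (`FIREWALL_OUTBOUND_SUBNETS`, `FIREWALL_INPUT_PORTS`), so music-grabber now egresses directly from the cluster; the commit title ("switch to airvpn") does not say this is intended, and this values file is the only place that records it. If the removal is temporary, a one-line reason above the block, e.g. `# gluetun disabled: <reason> — re-enable once <condition>`, keeps the next reader from treating it as an accident; if it is permanent, delete the 66 commented lines instead of maintaining them (they were edited to `airvpn` while dead, which is how commented config drifts from what actually runs). When the block does come back, `privileged: True` should become `true` (the capitalised form is a YAML 1.1 spelling that stricter loaders treat as a string), and the unquoted `value: 8080` relies on the chart stringifying env values, unlike the quoted `"off"` entries beside it.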
@@ -16,23 +16,30 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None property: private-key - - secretKey: proton-email + - secretKey: preshared-key remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: email - - secretKey: proton-password + property: preshared-key + - secretKey: addresses remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: password + property: addresses + - secretKey: input-ports + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /airvpn/conf/cl01tl + metadataPolicy: None + property: input-ports --- apiVersion: external-secrets.io/v1 diff --git a/clusters/cl01tl/helm/qbittorrent/values.yaml b/clusters/cl01tl/helm/qbittorrent/values.yaml index 81b80f78f..edb5d2153 100644 --- a/clusters/cl01tl/helm/qbittorrent/values.yaml +++ b/clusters/cl01tl/helm/qbittorrent/values.yaml @@ -56,7 +56,7 @@ qbittorrent: command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] env: - name: VPN_SERVICE_PROVIDER - value: protonvpn + value: airvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY 
@@ -64,20 +64,23 @@ qbittorrent: secretKeyRef: name: qbittorrent-wireguard-conf key: private-key - - name: UPDATER_PROTONVPN_EMAIL + - name: WIREGUARD_PRESHARED_KEY valueFrom: secretKeyRef: name: qbittorrent-wireguard-conf - key: proton-email - - name: UPDATER_PROTONVPN_PASSWORD + key: preshared-key + - name: WIREGUARD_ADDRESSES valueFrom: secretKeyRef: name: qbittorrent-wireguard-conf - key: proton-password + key: addresses - name: VPN_PORT_FORWARDING value: "on" - - name: VPN_PORT_FORWARDING_UP_COMMAND - value: '/bin/sh -c "/gluetun/update.sh {{ printf "{{PORTS}}" }}"' + - name: FIREWALL_VPN_INPUT_PORTS + valueFrom: + secretKeyRef: + name: qbittorrent-wireguard-conf + key: input-ports - name: PORT_FORWARD_ONLY value: "on" - name: FIREWALL_OUTBOUND_SUBNETS diff --git a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml index 3ccfdfdbb..79d86adcc 100644 --- a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml @@ -62,20 +62,27 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None property: private-key - - secretKey: proton-email + - secretKey: preshared-key remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: email - - secretKey: proton-password + property: preshared-key + - secretKey: addresses remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: password + property: addresses + - secretKey: input-ports + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /airvpn/conf/cl01tl + metadataPolicy: None + property: input-ports 
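Review bot: Dropping `VPN_PORT_FORWARDING_UP_COMMAND` (and the `/gluetun/update.sh` it invoked) removes the only thing in this env list that could have pushed the forwarded port into qbittorrent, while `FIREWALL_VPN_INPUT_PORTS` now opens a fixed port read from the `input-ports` secret key; unless qbittorrent's listen port is set to that same value elsewhere in the chart (not visible here, and the env list continues past the hunk), inbound peer connections will be accepted by gluetun's firewall and go nowhere. `VPN_PORT_FORWARDING: "on"` is carried over from the ProtonVPN setup; it is worth confirming against gluetun's AirVPN documentation whether that flag applies to this provider or whether the provider-side port assignment plus `FIREWALL_VPN_INPUT_PORTS` is the whole mechanism, since gluetun rejects the flag for providers it cannot forward for. Whatever mounted `update.sh` into the container (presumably a ConfigMap and volume elsewhere in this values file) is likely dead now and should go with it. A comment on the new entry, e.g. `# AirVPN forwarded port is allocated on the provider side; must equal qbittorrent's listen port`, would record the coupling.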
diff --git a/clusters/cl01tl/helm/slskd/values.yaml b/clusters/cl01tl/helm/slskd/values.yaml index 54ab7568b..ad28ea93e 100644 --- a/clusters/cl01tl/helm/slskd/values.yaml +++ b/clusters/cl01tl/helm/slskd/values.yaml @@ -54,30 +54,37 @@ slskd: command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] env: - name: VPN_SERVICE_PROVIDER - value: protonvpn + value: airvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: - name: slskd-wireguard-conf + name: qbittorrent-wireguard-conf key: private-key - - name: UPDATER_PROTONVPN_EMAIL + - name: WIREGUARD_PRESHARED_KEY valueFrom: secretKeyRef: - name: slskd-wireguard-conf - key: proton-email - - name: UPDATER_PROTONVPN_PASSWORD + name: qbittorrent-wireguard-conf + key: preshared-key + - name: WIREGUARD_ADDRESSES valueFrom: secretKeyRef: - name: slskd-wireguard-conf - key: proton-password + name: qbittorrent-wireguard-conf + key: addresses - name: VPN_PORT_FORWARDING value: "on" + - name: FIREWALL_VPN_INPUT_PORTS + valueFrom: + secretKeyRef: + name: qbittorrent-wireguard-conf + key: input-ports - name: PORT_FORWARD_ONLY value: "on" - name: FIREWALL_OUTBOUND_SUBNETS value: 192.168.1.0/24,10.244.0.0/16 + - name: FIREWALL_OUTBOUND_SUBNETS + value: 192.168.1.0/24,10.244.0.0/16 - name: FIREWALL_INPUT_PORTS value: 5030,50300 - name: DNS_UPSTREAM_RESOLVER_TYPE diff --git a/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml b/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml index a3f40d859..dcb667d4f 100644 --- a/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml 
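Review bot: Every `secretKeyRef.name` in this hunk is changed from `slskd-wireguard-conf` to `qbittorrent-wireguard-conf`, which reads as a copy-paste from the qbittorrent values file: if slskd runs in its own namespace the referenced secret does not exist there and the container will never start, and if it shares a namespace with qbittorrent then slskd mounts qbittorrent's WireGuard identity and opens qbittorrent's forwarded port on its own tunnel through `FIREWARD_VPN_INPUT_PORTS`, while the slskd ExternalSecret updated in this same commit (presumably still producing `slskd-wireguard-conf`, the name the removed lines used) goes unread. Restore `name: slskd-wireguard-conf` on all four entries. The hunk also adds a second `- name: FIREWALL_OUTBOUND_SUBNETS` / `value: 192.168.1.0/24,10.244.0.0/16` pair directly after the existing one; duplicate env names are at best a warning and at worst last-one-wins, so delete the added pair. The env list continues past the end of the hunk.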
@@ -83,20 +83,27 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None property: private-key - - secretKey: proton-email + - secretKey: preshared-key remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: email - - secretKey: proton-password + property: preshared-key + - secretKey: addresses remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: password + property: addresses + - secretKey: input-ports + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /airvpn/conf/cl01tl + metadataPolicy: None + property: input-ports diff --git a/clusters/cl01tl/helm/tubearchivist/values.yaml b/clusters/cl01tl/helm/tubearchivist/values.yaml index e22c62435..137fe7ff7 100644 --- a/clusters/cl01tl/helm/tubearchivist/values.yaml +++ b/clusters/cl01tl/helm/tubearchivist/values.yaml @@ -53,7 +53,7 @@ tubearchivist: command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] env: - name: VPN_SERVICE_PROVIDER - value: protonvpn + value: airvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY @@ -61,16 +61,16 @@ tubearchivist: secretKeyRef: name: tubearchivist-wireguard-conf key: private-key - - name: UPDATER_PROTONVPN_EMAIL + - name: WIREGUARD_PRESHARED_KEY valueFrom: secretKeyRef: name: tubearchivist-wireguard-conf - key: proton-email - - name: UPDATER_PROTONVPN_PASSWORD + key: preshared-key + - name: WIREGUARD_ADDRESSES valueFrom: secretKeyRef: name: tubearchivist-wireguard-conf - key: proton-password + key: addresses - name: FIREWALL_OUTBOUND_SUBNETS value: 10.0.0.0/8 - name: FIREWALL_INPUT_PORTS 
diff --git a/clusters/cl01tl/helm/yubal/templates/external-secret.yaml b/clusters/cl01tl/helm/yubal/templates/external-secret.yaml index 70e539fdc..5dbc54124 100644 --- a/clusters/cl01tl/helm/yubal/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/yubal/templates/external-secret.yaml @@ -16,20 +16,27 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None property: private-key - - secretKey: proton-email + - secretKey: preshared-key remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: email - - secretKey: proton-password + property: preshared-key + - secretKey: addresses remoteRef: conversionStrategy: Default decodingStrategy: None - key: /protonvpn/conf/cl01tl + key: /airvpn/conf/cl01tl metadataPolicy: None - property: password + property: addresses + - secretKey: input-ports + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /airvpn/conf/cl01tl + metadataPolicy: None + property: input-ports diff --git a/clusters/cl01tl/helm/yubal/values.yaml b/clusters/cl01tl/helm/yubal/values.yaml index aaa407b3e..818caa98f 100644 --- a/clusters/cl01tl/helm/yubal/values.yaml +++ b/clusters/cl01tl/helm/yubal/values.yaml @@ -40,11 +40,7 @@ yubal: # command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] # env: # - name: VPN_SERVICE_PROVIDER - # value: protonvpn - # - name: PUID - # value: "1000" - # - name: PGID - # value: "1000" + # value: airvpn # - name: VPN_TYPE # value: wireguard # - name: WIREGUARD_PRIVATE_KEY 
@@ -52,22 +48,26 @@ yubal: # secretKeyRef: # name: yubal-wireguard-conf # key: private-key - # - name: UPDATER_PROTONVPN_EMAIL + # - name: WIREGUARD_PRESHARED_KEY # valueFrom: # secretKeyRef: # name: yubal-wireguard-conf - # key: proton-email - # - name: UPDATER_PROTONVPN_PASSWORD + # key: preshared-key + # - name: WIREGUARD_ADDRESSES # valueFrom: # secretKeyRef: # name: yubal-wireguard-conf - # key: proton-password + # key: addresses # - name: FIREWALL_OUTBOUND_SUBNETS # value: 10.0.0.0/8 # - name: FIREWALL_INPUT_PORTS # value: 8000 # - name: DNS_UPSTREAM_RESOLVER_TYPE # value: dot + # - name: HTTPPROXY + # value: "off" + # - name: SHADOWSOCKS + # value: "off" # securityContext: # privileged: True # capabilities: