From e4e67c226d4795f363ac54ceba5a0e06567a278a Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Thu, 27 Feb 2025 19:37:42 -0600
Subject: [PATCH] add vpn
---
 .../templates/external-secret.yaml | 25 ++++++++++++
 .../applications/tubearchivist/values.yaml | 38 +++++++++++++++++++
 2 files changed, 63 insertions(+)
diff --git a/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml b/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml
index 20f84be3c..d5f20b4f4 100644
--- a/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml
+++ b/clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml
@@ -53,3 +53,28 @@ spec:
 key: /cl01tl/tubearchivist/env
 metadataPolicy: None
 property: ELASTIC_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: tubearchivist-wireguard-conf
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: tubearchivist-wireguard-conf
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: private-key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: private-key
diff --git a/clusters/cl01tl/applications/tubearchivist/values.yaml b/clusters/cl01tl/applications/tubearchivist/values.yaml
index 10c748a09..868ecf497 100644
--- a/clusters/cl01tl/applications/tubearchivist/values.yaml
+++ b/clusters/cl01tl/applications/tubearchivist/values.yaml
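Review bot: The new ExternalSecret labels a WireGuard private-key Secret with `app.kubernetes.io/component: web`, which reads as copied from the ELASTIC_PASSWORD document above rather than describing this object; `app.kubernetes.io/component: vpn` would match the gluetun sidecar that consumes it. The remoteRef key `/protonvpn/conf/cl01tl` sits outside this chart's own `/cl01tl/tubearchivist/` path, so the same private key is presumably shared by every workload on the cluster that mounts the VPN — a comment above the document such as `# cluster-shared ProtonVPN WireGuard key; rotating it in Vault rotates it for all consumers` would make that explicit, and it is worth checking that no RBAC broader than this release can read Secrets in the namespace. Indentation of the hunk lines is not recoverable from this rendering, so the nesting above is only as shown.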
@@ -49,6 +49,44 @@ tubearchivist:
 requests:
 cpu: 10m
 memory: 1Gi
+ gluetun:
+ image:
+ repository: ghcr.io/qdm12/gluetun
+ tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00
+ pullPolicy: IfNotPresent
+ env:
+ - name: VPN_SERVICE_PROVIDER
+ value: protonvpn
+ - name: VPN_TYPE
+ value: wireguard
+ - name: WIREGUARD_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: tubearchivist-wireguard-conf
+ key: private-key
+ - name: VPN_PORT_FORWARDING
+ value: "on"
+ - name: PORT_FORWARD_ONLY
+ value: "on"
+ - name: FIREWALL_OUTBOUND_SUBNETS
+ value: 192.168.1.0/24,10.244.0.0/16
+ - name: FIREWALL_INPUT_PORTS
+ value: 80,8000
+ - name: DOT
+ value: "off"
+ securityContext:
+ privileged: True
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ resources:
+ requests:
+ squat.ai/tun: "1"
+ cpu: 10m
+ memory: 128Mi
+ limits:
+ squat.ai/tun: "1"
 serviceAccount:
 create: true
 service:
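Review bot: The gluetun sidecar gets `privileged: True` on top of `NET_ADMIN` and `SYS_MODULE`, which makes the capability list redundant and hands the container full host privileges; gluetun's documented requirement is `NET_ADMIN` plus a `/dev/net/tun` device, which the `squat.ai/tun: "1"` resource request presumably already supplies via a device plugin. Unless the node kernel lacks the wireguard module, drop `privileged: True` and `- SYS_MODULE` and keep `- NET_ADMIN`; if the flag must stay, spell it `privileged: true`, since `True` is a YAML 1.1 boolean spelling that yamllint's truthy rule rejects. `VPN_PORT_FORWARDING: "on"` asks the provider for an inbound port into the pod, which an outbound-only downloader does not obviously need, so confirm it is intended or remove it together with `PORT_FORWARD_ONLY`. `limits:` carries only the tun device, leaving the sidecar without cpu/memory limits; the enclosing `tubearchivist:` block starts outside the hunk, and indentation is not recoverable from this rendering.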