From ed59fb67763bf3703a8b85f3b030aba6f58380ad Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Wed, 7 Jan 2026 17:56:21 -0600
Subject: [PATCH] add gluetun to yubal
---
 .../cl01tl/helm/tubearchivist/values.yaml | 4 --
 .../templates/external-secret.yaml | 37 +++++++++++
 .../cl01tl/helm/yubal-playlist/values.yaml | 62 +++++++++++++++++++
 3 files changed, 99 insertions(+), 4 deletions(-)
diff --git a/clusters/cl01tl/helm/tubearchivist/values.yaml b/clusters/cl01tl/helm/tubearchivist/values.yaml
index d8480c866..0b837a7a5 100644
--- a/clusters/cl01tl/helm/tubearchivist/values.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/values.yaml
@@ -66,10 +66,6 @@ tubearchivist:
 secretKeyRef:
 name: tubearchivist-wireguard-conf
 key: proton-password
- - name: VPN_PORT_FORWARDING
 value: "on"
- - name: PORT_FORWARD_ONLY
 value: "on"
 - name: FIREWALL_OUTBOUND_SUBNETS
 value: 10.0.0.0/8
 - name: FIREWALL_INPUT_PORTS
diff --git a/clusters/cl01tl/helm/yubal-playlist/templates/external-secret.yaml b/clusters/cl01tl/helm/yubal-playlist/templates/external-secret.yaml
index 1b8d7232f..d17ac33c6 100644
--- a/clusters/cl01tl/helm/yubal-playlist/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/yubal-playlist/templates/external-secret.yaml
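Review bot: The tubearchivist hunk drops `VPN_PORT_FORWARDING` and `PORT_FORWARD_ONLY` from that sidecar's gluetun env, but the subject "add gluetun to yubal" says nothing about it, so the reason for turning port forwarding off on tubearchivist is undocumented. The rest of the env block (`FIREWALL_OUTBOUND_SUBNETS`, `FIREWALL_INPUT_PORTS`) continues outside the hunk, so I cannot tell whether anything else still depends on a forwarded port. I'd either add a sentence to the commit body or a comment above the remaining gluetun env entries such as `# VPN port forwarding disabled: <reason>`, or split this into its own commit if it is unrelated to the yubal work.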
@@ -19,3 +19,40 @@ spec:
 key: /cl01tl/lidarr2/key
 metadataPolicy: None
 property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: yubal-playlist-wireguard-conf
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: yubal-playlist-wireguard-conf
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: private-key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: private-key
+ - secretKey: proton-email
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: email
+ - secretKey: proton-password
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /protonvpn/conf/cl01tl
+ metadataPolicy: None
+ property: password
diff --git a/clusters/cl01tl/helm/yubal-playlist/values.yaml b/clusters/cl01tl/helm/yubal-playlist/values.yaml
index 1f9bc81a0..7af3d21ca 100644
--- a/clusters/cl01tl/helm/yubal-playlist/values.yaml
+++ b/clusters/cl01tl/helm/yubal-playlist/values.yaml
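Review bot: All three `remoteRef` entries read the same Vault key `/protonvpn/conf/cl01tl`, so the WireGuard private key and the full Proton account password are now materialized as a second Kubernetes Secret in the yubal-playlist release namespace; anyone with secret read in that namespace gets the account credential, not just a tunnel key. If the same Vault key also backs `tubearchivist-wireguard-conf` (not visible in this hunk), the two sidecars share one WireGuard identity, and it is worth confirming the provider allows concurrent sessions on the same key. The new `spec` sets only `secretStoreRef` and `data`, so `refreshInterval` falls back to the operator default and a rotation of the Vault entry propagates only on that schedule; I'd state it explicitly, e.g. `refreshInterval: 1h` next to `secretStoreRef`. Style: the empty `+` line before `---` is unnecessary, a single document separator is enough.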
@@ -31,6 +31,68 @@ yubal-playlist:
 requests:
 cpu: 10m
 memory: 128Mi
+ gluetun:
+ image:
+ repository: ghcr.io/qdm12/gluetun
+ tag: v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
+ pullPolicy: IfNotPresent
+ lifecycle:
+ postStart:
+ exec:
+ command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
+ env:
+ - name: VPN_SERVICE_PROVIDER
+ value: protonvpn
+ - name: VPN_TYPE
+ value: wireguard
+ - name: WIREGUARD_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: yubal-playlist-wireguard-conf
+ key: private-key
+ - name: UPDATER_PROTONVPN_EMAIL
+ valueFrom:
+ secretKeyRef:
+ name: yubal-playlist-wireguard-conf
+ key: proton-email
+ - name: UPDATER_PROTONVPN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: yubal-playlist-wireguard-conf
+ key: proton-password
+ - name: FIREWALL_OUTBOUND_SUBNETS
+ value: 10.0.0.0/8
+ - name: FIREWALL_INPUT_PORTS
+ value: 80,8000,24000
+ - name: DNS_UPSTREAM_RESOLVER_TYPE
+ value: dot
+ securityContext:
+ privileged: True
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ exec:
+ command:
+ - /gluetun-entrypoint
+ - healthcheck
+ failureThreshold: 5
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 15
+ resources:
+ limits:
+ devic.es/tun: "1"
+ requests:
+ devic.es/tun: "1"
+ cpu: 10m
+ memory: 128Mi
 service:
 main:
 controller: main
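Review bot: `privileged: True` under `securityContext` makes the gluetun sidecar fully privileged, which renders the `capabilities.add` list redundant and grants far more than the network setup it performs; with `NET_ADMIN` and the `devic.es/tun` device request already present, I'd remove the `privileged: True` line and keep only the capabilities, retaining `SYS_MODULE` only if the wireguard module really has to be loaded from inside the container (confirm on the node). The `postStart` hook runs concurrently with the container entrypoint with no ordering guarantee, so `ip rule del table 51820` may run before the rule it presumably targets exists, and the trailing `|| true` then hides that outcome; if the deletion matters, it needs a retry or a documented reason in a comment above `lifecycle:`. Style: `True` should be the canonical `true` (the probe block already writes `enabled: true`), and the plain scalars `10.0.0.0/8` and `80,8000,24000` would be safer quoted, as `"1"` already is in `resources`.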