feat: add gluetun VPN container and pia-credentials management for secure connections

This commit is contained in:
Nik Afiq 2026-05-12 19:52:56 +09:00
parent 0aa886b6a2
commit cfce656854
5 changed files with 99 additions and 1 deletions


@ -34,4 +34,7 @@ DISCORD_TOKEN=your_discord_token_here
GUILD_ID=your_discord_guild_id_here GUILD_ID=your_discord_guild_id_here
# Immich database credentials # Immich database credentials
IMMICH_POSTGRES_PASSWORD=your_password_here IMMICH_POSTGRES_PASSWORD=your_password_here
PIA_USER=your_pia_username_here
PIA_PASSWORD=your_pia_password_here
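Review bot: The two new keys at the end of the hunk have no descriptive comment, unlike the `# Immich database credentials` line that introduces the entry above them; add `# Private Internet Access VPN credentials (sealed into the pia-credentials Secret by manifests/media/pia-secret.sh)` above `PIA_USER` so a reader knows which script consumes them and where the values end up. The hunk header reports three added lines but only two are visible here, so a blank separator line may have been dropped in rendering.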


@ -19,6 +19,34 @@ spec:
nodeSelector: nodeSelector:
node-role: storage node-role: storage
containers: containers:
- name: gluetun
image: qmcgaw/gluetun:latest
securityContext:
capabilities:
add:
- NET_ADMIN
env:
- name: VPN_SERVICE_PROVIDER
value: private internet access
- name: VPN_TYPE
value: wireguard
- name: SERVER_REGIONS
value: Japan
- name: OPENVPN_USER
valueFrom:
secretKeyRef:
name: pia-credentials
key: OPENVPN_USER
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: pia-credentials
key: OPENVPN_PASSWORD
- name: FIREWALL_OUTBOUND_SUBNETS
value: "10.42.0.0/16,10.43.0.0/16,192.168.7.0/24"
volumeMounts:
- name: tun
mountPath: /dev/net/tun
- name: jdownloader - name: jdownloader
image: jlesage/jdownloader-2:latest image: jlesage/jdownloader-2:latest
ports: ports:
@ -70,6 +98,10 @@ spec:
http.server.HTTPServer(('0.0.0.0', 9666), Handler).serve_forever() http.server.HTTPServer(('0.0.0.0', 9666), Handler).serve_forever()
volumes: volumes:
- name: tun
hostPath:
path: /dev/net/tun
type: CharDevice
- name: config - name: config
hostPath: hostPath:
path: /data/jdownloader path: /data/jdownloader
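Review bot: `image: qmcgaw/gluetun:latest` is unpinned for the container that receives NET_ADMIN and establishes the tunnel and firewall the rest of the pod shares, while the qbittorrent container added in the same commit is pinned to `lscr.io/linuxserver/qbittorrent:5.2.0`; pin gluetun to a release tag or digest, e.g. `image: qmcgaw/gluetun:<PINNED_VERSION>`, so an upstream push cannot silently change egress behaviour. The same unpinned tag appears in the qbittorrent deployment hunk further down this commit. The securityContext only adds NET_ADMIN and keeps the default capability set; pairing it with `drop: ["ALL"]` would keep the container at the minimum it needs. Nothing gates jdownloader on the tunnel being up, so a comment on the gluetun container stating that the firewall is relied on to block traffic until the VPN connects would make the intent explicit.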


@ -0,0 +1,14 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: pia-credentials
namespace: downloads
spec:
encryptedData:
OPENVPN_PASSWORD: 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
OPENVPN_USER: 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
template:
metadata:
name: pia-credentials
namespace: downloads
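Review bot: The sealed manifest carries no indication that it is generated output; add a comment above `apiVersion` such as `# Generated by manifests/media/pia-secret.sh from .env — do not edit by hand; re-run the script to rotate the credentials`. Because kubeseal by default binds the ciphertext to the Secret's name and namespace, the comment should also note that `pia-credentials` and `downloads` must stay in sync with the script's `--namespace` and with the `secretKeyRef` in the gluetun containers, or the controller will refuse to unseal it.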

17
manifests/media/pia-secret.sh Executable file

@ -0,0 +1,17 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../../.env"
kubectl create secret generic pia-credentials \
--namespace=downloads \
--from-literal=OPENVPN_USER="${PIA_USER}" \
--from-literal=OPENVPN_PASSWORD="${PIA_PASSWORD}" \
--dry-run=client -o yaml \
| kubeseal \
--controller-namespace=kube-system \
--controller-name=sealed-secrets-controller \
--format=yaml \
> "$SCRIPT_DIR/pia-credentials-sealed.yaml"
echo "WWrote $SCRIPT_DIR/pia-credentials-sealed.yaml"
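Review bot: The success message on the last line has a doubled letter; it should read `echo "Wrote $SCRIPT_DIR/pia-credentials-sealed.yaml"`. Passing the credentials with `--from-literal` puts them in kubectl's argument list, where other local users can read them from the process table while the command runs; `--from-env-file=<(printf 'OPENVPN_USER=%s\nOPENVPN_PASSWORD=%s\n' "$PIA_USER" "$PIA_PASSWORD")` keeps them off argv. `source` of the whole `.env` also imports every other secret in that file into the shell although only `PIA_USER` and `PIA_PASSWORD` are needed; a header comment stating that the script expects those two variables from `../../.env` would document the contract.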


@ -39,6 +39,34 @@ spec:
nodeSelector: nodeSelector:
node-role: storage node-role: storage
containers: containers:
- name: gluetun
image: qmcgaw/gluetun:latest
securityContext:
capabilities:
add:
- NET_ADMIN
env:
- name: VPN_SERVICE_PROVIDER
value: private internet access
- name: VPN_TYPE
value: wireguard
- name: SERVER_REGIONS
value: Japan
- name: OPENVPN_USER
valueFrom:
secretKeyRef:
name: pia-credentials
key: OPENVPN_USER
- name: OPENVPN_PASSWORD
valueFrom:
secretKeyRef:
name: pia-credentials
key: OPENVPN_PASSWORD
- name: FIREWALL_OUTBOUND_SUBNETS
value: "10.42.0.0/16,10.43.0.0/16,192.168.7.0/24"
volumeMounts:
- name: tun
mountPath: /dev/net/tun
- name: qbittorrent - name: qbittorrent
image: lscr.io/linuxserver/qbittorrent:5.2.0 image: lscr.io/linuxserver/qbittorrent:5.2.0
ports: ports:
@ -58,6 +86,10 @@ spec:
- name: torrents - name: torrents
mountPath: /mnt/storage/torrents mountPath: /mnt/storage/torrents
volumes: volumes:
- name: tun
hostPath:
path: /dev/net/tun
type: CharDevice
- name: config - name: config
persistentVolumeClaim: persistentVolumeClaim:
claimName: qbittorrent-config claimName: qbittorrent-config