feat: add gluetun VPN container and pia-credentials management for secure connections
This commit is contained in:
parent
0aa886b6a2
commit
cfce656854
@ -34,4 +34,7 @@ DISCORD_TOKEN=your_discord_token_here
|
|||||||
GUILD_ID=your_discord_guild_id_here
|
GUILD_ID=your_discord_guild_id_here
|
||||||
|
|
||||||
# Immich database credentials
|
# Immich database credentials
|
||||||
IMMICH_POSTGRES_PASSWORD=your_password_here
|
IMMICH_POSTGRES_PASSWORD=your_password_here
|
||||||
|
|
||||||
|
PIA_USER=your_pia_username_here
|
||||||
|
PIA_PASSWORD=your_pia_password_here
|
||||||
@ -19,6 +19,34 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role: storage
|
node-role: storage
|
||||||
containers:
|
containers:
|
||||||
|
- name: gluetun
|
||||||
|
image: qmcgaw/gluetun:latest
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
add:
|
||||||
|
- NET_ADMIN
|
||||||
|
env:
|
||||||
|
- name: VPN_SERVICE_PROVIDER
|
||||||
|
value: private internet access
|
||||||
|
- name: VPN_TYPE
|
||||||
|
value: wireguard
|
||||||
|
- name: SERVER_REGIONS
|
||||||
|
value: Japan
|
||||||
|
- name: OPENVPN_USER
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: pia-credentials
|
||||||
|
key: OPENVPN_USER
|
||||||
|
- name: OPENVPN_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: pia-credentials
|
||||||
|
key: OPENVPN_PASSWORD
|
||||||
|
- name: FIREWALL_OUTBOUND_SUBNETS
|
||||||
|
value: "10.42.0.0/16,10.43.0.0/16,192.168.7.0/24"
|
||||||
|
volumeMounts:
|
||||||
|
- name: tun
|
||||||
|
mountPath: /dev/net/tun
|
||||||
- name: jdownloader
|
- name: jdownloader
|
||||||
image: jlesage/jdownloader-2:latest
|
image: jlesage/jdownloader-2:latest
|
||||||
ports:
|
ports:
|
||||||
@ -70,6 +98,10 @@ spec:
|
|||||||
|
|
||||||
http.server.HTTPServer(('0.0.0.0', 9666), Handler).serve_forever()
|
http.server.HTTPServer(('0.0.0.0', 9666), Handler).serve_forever()
|
||||||
volumes:
|
volumes:
|
||||||
|
- name: tun
|
||||||
|
hostPath:
|
||||||
|
path: /dev/net/tun
|
||||||
|
type: CharDevice
|
||||||
- name: config
|
- name: config
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /data/jdownloader
|
path: /data/jdownloader
|
||||||
|
|||||||
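Review bot: The new gluetun container at `image: qmcgaw/gluetun:latest` is granted NET_ADMIN yet its image is unpinned, so every pod restart may pull a different build of the process that owns the pod's routing and firewall; pin a tag or digest the way the qbittorrent container already does with `lscr.io/linuxserver/qbittorrent:5.2.0`. Because the containers share the pod network namespace but not gluetun's resolver configuration, jdownloader's DNS presumably still goes to the cluster DNS service inside the allow-listed `10.43.0.0/16`, i.e. outside the tunnel — if that is not intended, set `dnsPolicy: "None"` with `dnsConfig.nameservers: ["127.0.0.1"]` on the pod so gluetun's resolver is used. Nothing orders the two containers, so jdownloader may start and open connections before gluetun has brought its firewall up; running gluetun as a native sidecar (an init container with `restartPolicy: Always`) guarantees it starts first. The same three points apply to the identical gluetun block in the qbittorrent hunk (`@ -39,6 +39,34 @@`). The enclosing Deployment spec starts above this hunk.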
14
manifests/media/pia-credentials-sealed.yaml
Normal file
14
manifests/media/pia-credentials-sealed.yaml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
apiVersion: bitnami.com/v1alpha1
|
||||||
|
kind: SealedSecret
|
||||||
|
metadata:
|
||||||
|
name: pia-credentials
|
||||||
|
namespace: downloads
|
||||||
|
spec:
|
||||||
|
encryptedData:
|
||||||
|
OPENVPN_PASSWORD: AgBiXTfKX8k2vSuQELreOXqDvenViIm732zW0BjOzMg5GZE0gnjwkJ6tCX784w1eVql8MVoeH0OuTD9exLW5LgKpff0RYzKBZdJmfoCjxWUcOcVqgWVxm1KoK/HconRDLsWwIWSb6RlE8i7hD0xXvLWbD1swCrSWZOgT1Cf56iG4w0LsWL2WuoRQIFeBHNeOIQsJta4YIYw/Lm37mWAN29SA+tRNoIV+ZQ6sVMc0yS3QCI83xzQicfnTDGmXlakFqMkyknhS5kgWM3EnI5mdl4J0xbZThsLH4Q98wfQmXIHgQp6yT42Mgj/i2ro+iAsFbgLXU+TLvqSRVtXqyXoc3UnyToUUZPWmuja6IVwZKyaWepu6tDZ4/74t86llQsasq//4Z04pqXsLC4lKgk8zOF0r2o658x3or6iveyq9I8e8+4Es/qaF0LBCvGjqnStqC4/MZvtmJ0sYb7/tEWt4O5fvVGNER+KnC1nA3HAzrZA7TLJ19qERtS3ac94oHPYm+yei09UzJBcq/iZoSADdA8dQyKHDUHWXol6Yk83u4VdvksifD7N1eQmztvIgVYjuKU45OsRkvysmZYxotC/UJ9L0ue+2eaeeyb1fWPpytJ49MQkesxznhOJb/+HepImDav0aONN+3u933EAiglEv6zM2Cly6NC6qXz5yuz38nHxJoSvGKqjmbs7oUKUJGlDi7zdrEuJpXtpxpQ==
|
||||||
|
OPENVPN_USER: 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
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: pia-credentials
|
||||||
|
namespace: downloads
|
||||||
17
manifests/media/pia-secret.sh
Executable file
17
manifests/media/pia-secret.sh
Executable file
@ -0,0 +1,17 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||||
|
source "$SCRIPT_DIR/../../.env"
|
||||||
|
|
||||||
|
kubectl create secret generic pia-credentials \
|
||||||
|
--namespace=downloads \
|
||||||
|
--from-literal=OPENVPN_USER="${PIA_USER}" \
|
||||||
|
--from-literal=OPENVPN_PASSWORD="${PIA_PASSWORD}" \
|
||||||
|
--dry-run=client -o yaml \
|
||||||
|
| kubeseal \
|
||||||
|
--controller-namespace=kube-system \
|
||||||
|
--controller-name=sealed-secrets-controller \
|
||||||
|
--format=yaml \
|
||||||
|
> "$SCRIPT_DIR/pia-credentials-sealed.yaml"
|
||||||
|
|
||||||
|
echo "WWrote $SCRIPT_DIR/pia-credentials-sealed.yaml"
|
||||||
@ -39,6 +39,34 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role: storage
|
node-role: storage
|
||||||
containers:
|
containers:
|
||||||
|
- name: gluetun
|
||||||
|
image: qmcgaw/gluetun:latest
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
add:
|
||||||
|
- NET_ADMIN
|
||||||
|
env:
|
||||||
|
- name: VPN_SERVICE_PROVIDER
|
||||||
|
value: private internet access
|
||||||
|
- name: VPN_TYPE
|
||||||
|
value: wireguard
|
||||||
|
- name: SERVER_REGIONS
|
||||||
|
value: Japan
|
||||||
|
- name: OPENVPN_USER
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: pia-credentials
|
||||||
|
key: OPENVPN_USER
|
||||||
|
- name: OPENVPN_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: pia-credentials
|
||||||
|
key: OPENVPN_PASSWORD
|
||||||
|
- name: FIREWALL_OUTBOUND_SUBNETS
|
||||||
|
value: "10.42.0.0/16,10.43.0.0/16,192.168.7.0/24"
|
||||||
|
volumeMounts:
|
||||||
|
- name: tun
|
||||||
|
mountPath: /dev/net/tun
|
||||||
- name: qbittorrent
|
- name: qbittorrent
|
||||||
image: lscr.io/linuxserver/qbittorrent:5.2.0
|
image: lscr.io/linuxserver/qbittorrent:5.2.0
|
||||||
ports:
|
ports:
|
||||||
@ -58,6 +86,10 @@ spec:
|
|||||||
- name: torrents
|
- name: torrents
|
||||||
mountPath: /mnt/storage/torrents
|
mountPath: /mnt/storage/torrents
|
||||||
volumes:
|
volumes:
|
||||||
|
- name: tun
|
||||||
|
hostPath:
|
||||||
|
path: /dev/net/tun
|
||||||
|
type: CharDevice
|
||||||
- name: config
|
- name: config
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: qbittorrent-config
|
claimName: qbittorrent-config
|
||||||
|
|||||||