diff --git a/cluster/core/networking/vpn-gateway/kustomization.yaml b/cluster/apps/download/kustomization.yaml similarity index 63% rename from cluster/core/networking/vpn-gateway/kustomization.yaml rename to cluster/apps/download/kustomization.yaml index 9e20722..5d81b5f 100644 --- a/cluster/core/networking/vpn-gateway/kustomization.yaml +++ b/cluster/apps/download/kustomization.yaml @@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml -- ./helm-repository.yaml -- ./helm-release.yaml \ No newline at end of file +- ./network_policy.yaml +- ./radarr +- ./sonarr +- ./vpn \ No newline at end of file diff --git a/cluster/apps/download/namespace.yaml b/cluster/apps/download/namespace.yaml new file mode 100644 index 0000000..58038f1 --- /dev/null +++ b/cluster/apps/download/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: download + labels: + name: download \ No newline at end of file diff --git a/cluster/apps/download/network_policy.yaml b/cluster/apps/download/network_policy.yaml new file mode 100644 index 0000000..4c34cf5 --- /dev/null +++ b/cluster/apps/download/network_policy.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-most-allow-some + namespace: download +spec: + # Apply to all pods in this namespace + podSelector: {} + ingress: + - from: + # Allow all pods in this namespace + - namespaceSelector: + matchLabels: + name: "download" +# - podSelector: {} + + # Allow traefik pods + - namespaceSelector: + matchLabels: + name: "traefik" + + # Allow all pods with this label + - podSelector: + matchLabels: + needsDownload: "yes" \ No newline at end of file diff --git a/cluster/apps/media/radarr/deployment.yaml b/cluster/apps/download/radarr/deployment.yaml similarity index 84% rename from cluster/apps/media/radarr/deployment.yaml rename to cluster/apps/download/radarr/deployment.yaml index e3ef55f..ea98977 100644 
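Review bot: The policy in cluster/apps/download/network_policy.yaml has no `policyTypes`, so only ingress is filtered and egress from the namespace stays wide open; the name `deny-most-allow-some` overstates what it does. Make the scope explicit with `policyTypes:` / `- Ingress`, or add an `egress` section if outbound restriction was intended. The third `from` entry (`podSelector` with `needsDownload: "yes"` and no `namespaceSelector`) only matches pods inside `download`, which the first entry already admits, so it is a no-op as written; pair it with a `namespaceSelector` in the same list item if it was meant to admit pods from another namespace. Matching namespaces on the hand-set `name` label trusts anyone who can label a namespace `name: traefik`; on clusters that set it, `kubernetes.io/metadata.name` is maintained by the API server and cannot be spoofed.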
--- a/cluster/apps/media/radarr/deployment.yaml +++ b/cluster/apps/download/radarr/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: radarr - namespace: media + namespace: download labels: app: radarr @@ -31,12 +31,12 @@ spec: volumeMounts: - name: radarr mountPath: /config - - name: radarr-media-storage + - name: radarr-download-storage mountPath: /storage volumes: - name: radarr hostPath: path: /mnt/MainPool/Kubernetes/radarr - - name: radarr-media-storage + - name: radarr-download-storage hostPath: path: /mnt/MainPool/Media \ No newline at end of file diff --git a/cluster/apps/media/radarr/ingress.yaml b/cluster/apps/download/radarr/ingress.yaml similarity index 89% rename from cluster/apps/media/radarr/ingress.yaml rename to cluster/apps/download/radarr/ingress.yaml index 7802da7..7b12b2a 100644 --- a/cluster/apps/media/radarr/ingress.yaml +++ b/cluster/apps/download/radarr/ingress.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: radarr-ingress - namespace: media + namespace: download annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure diff --git a/cluster/apps/media/radarr/kustomization.yaml b/cluster/apps/download/radarr/kustomization.yaml similarity index 100% rename from cluster/apps/media/radarr/kustomization.yaml rename to cluster/apps/download/radarr/kustomization.yaml diff --git a/cluster/apps/media/radarr/service.yaml b/cluster/apps/download/radarr/service.yaml similarity index 81% rename from cluster/apps/media/radarr/service.yaml rename to cluster/apps/download/radarr/service.yaml index 9811d24..14acde3 100644 --- a/cluster/apps/media/radarr/service.yaml +++ b/cluster/apps/download/radarr/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: name: radarr - namespace: media + namespace: download labels: app: radarr 
diff --git a/cluster/apps/media/sonarr/deployment.yaml b/cluster/apps/download/sonarr/deployment.yaml similarity index 84% rename from cluster/apps/media/sonarr/deployment.yaml rename to cluster/apps/download/sonarr/deployment.yaml index 5d1b86c..63b51d7 100644 --- a/cluster/apps/media/sonarr/deployment.yaml +++ b/cluster/apps/download/sonarr/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: sonarr - namespace: media + namespace: download labels: app: sonarr @@ -31,12 +31,12 @@ spec: volumeMounts: - name: sonarr mountPath: /config - - name: sonarr-media-storage + - name: sonarr-download-storage mountPath: /storage volumes: - name: sonarr hostPath: path: /mnt/MainPool/Kubernetes/sonarr - - name: sonarr-media-storage + - name: sonarr-download-storage hostPath: path: /mnt/MainPool/Media \ No newline at end of file diff --git a/cluster/apps/media/sonarr/ingress.yaml b/cluster/apps/download/sonarr/ingress.yaml similarity index 89% rename from cluster/apps/media/sonarr/ingress.yaml rename to cluster/apps/download/sonarr/ingress.yaml index d95ede1..1d311bf 100644 --- a/cluster/apps/media/sonarr/ingress.yaml +++ b/cluster/apps/download/sonarr/ingress.yaml @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: sonarr-ingress - namespace: media + namespace: download annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" traefik.ingress.kubernetes.io/router.entrypoints: websecure diff --git a/cluster/apps/media/sonarr/kustomization.yaml b/cluster/apps/download/sonarr/kustomization.yaml similarity index 100% rename from cluster/apps/media/sonarr/kustomization.yaml rename to cluster/apps/download/sonarr/kustomization.yaml diff --git a/cluster/apps/media/sonarr/service.yaml b/cluster/apps/download/sonarr/service.yaml similarity index 81% rename from cluster/apps/media/sonarr/service.yaml rename to cluster/apps/download/sonarr/service.yaml index c4fac51..1c2525d 100644 
--- a/cluster/apps/media/sonarr/service.yaml +++ b/cluster/apps/download/sonarr/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: name: sonarr - namespace: media + namespace: download labels: app: sonarr diff --git a/cluster/apps/download/vpn/deployment.yaml b/cluster/apps/download/vpn/deployment.yaml new file mode 100644 index 0000000..8ee56a7 --- /dev/null +++ b/cluster/apps/download/vpn/deployment.yaml @@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vpn-pods + namespace: vpn + + labels: + app: vpn-pods + kubernetes.io/name: "vpn-pods" +spec: + replicas: 1 + selector: + matchLabels: + app: vpn-pods + template: + metadata: + labels: + app: vpn-pods + spec: + containers: + - name: qbittorrent + image: lscr.io/linuxserver/qbittorrent:latest + env: + - name: PGID + value: "1000" + - name: PUID + value: "1000" + - name: TZ + value: America/New_York + - name: WEBUI_PORT + value: "8080" + ports: + - name: http + containerPort: 8080 + volumeMounts: + - name: qbittorrent-config + mountPath: /config + - name: qbit-download-storage + mountPath: /storage/Torrents + + - name: gluetun + image: qmcgaw/gluetun + env: + - name: FIREWALL + value: "off" + - name: DOT + value: "off" + envFrom: + - secretRef: + name: vpnconfig + securityContext: + capabilities: + add: + - NET_ADMIN + ports: + - name: http + containerPort: 8080 + + volumes: + - name: qbittorrent-config + hostPath: + path: /mnt/MainPool/Kubernetes/qbittorrent + - name: qbit-download-storage + hostPath: + path: /mnt/MainPool/Media/Torrents \ No newline at end of file diff --git a/cluster/apps/download/vpn/ingress.yaml b/cluster/apps/download/vpn/ingress.yaml new file mode 100644 index 0000000..726261b --- /dev/null +++ b/cluster/apps/download/vpn/ingress.yaml 
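Review bot: In vpn/deployment.yaml `FIREWALL: "off"` disables gluetun's kill switch, so whenever the WireGuard tunnel is down or still coming up, qbittorrent — which shares the pod network namespace — sends traffic out through the node's default route with the node's real IP, and `DOT: "off"` likewise sends DNS in plaintext to whatever resolver gluetun falls back to. Keep the firewall on and open only what the pod needs, as sketched below (the subnet list is copied from the removed pod-gateway release and should be confirmed against the cluster's actual pod and LAN ranges). Both images are unpinned (`lscr.io/linuxserver/qbittorrent:latest`, `qmcgaw/gluetun` with no tag) in a pod that is granted `NET_ADMIN`, so a routine pull can silently run different code; pin a version tag or digest. Both containers also declare a port named `http` on 8080, and port names are documented as unique within a pod; drop the gluetun entry, the port is already reachable through the shared network namespace.
```yaml
      - name: gluetun
        image: qmcgaw/gluetun
        env:
        - name: FIREWALL
          value: "on"
        # Outbound subnets allowed to bypass the tunnel (cluster/LAN ranges from the
        # removed pod-gateway release — confirm they still match this cluster).
        - name: FIREWALL_OUTBOUND_SUBNETS
          value: "172.22.0.0/12,192.168.87.0/24"
        # Let traefik/radarr/sonarr reach the qbittorrent web UI through gluetun's firewall.
        - name: FIREWALL_INPUT_PORTS
          value: "8080"
        # DOT: "off" removed — see review note.
        # … unchanged: envFrom, securityContext …
```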
@@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: vpn-pods-ingress + namespace: vpn + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" + traefik.ingress.kubernetes.io/router.entrypoints: websecure +spec: + rules: + - host: "k3sqbit.***REMOVED***" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: vpn-pods + port: + number: 8080 \ No newline at end of file diff --git a/cluster/apps/download/vpn/kustomization.yaml b/cluster/apps/download/vpn/kustomization.yaml new file mode 100644 index 0000000..23fcc12 --- /dev/null +++ b/cluster/apps/download/vpn/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./vpnconfig.sops.yaml +- ./namespace.yaml +- ./deployment.yaml +- ./service.yaml +- ./ingress.yaml +#- ./network_policy.yaml \ No newline at end of file diff --git a/cluster/apps/download/vpn/namespace.yaml b/cluster/apps/download/vpn/namespace.yaml new file mode 100644 index 0000000..fb11e17 --- /dev/null +++ b/cluster/apps/download/vpn/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vpn + labels: + name: vpn \ No newline at end of file diff --git a/cluster/apps/download/vpn/network_policy.yaml b/cluster/apps/download/vpn/network_policy.yaml new file mode 100644 index 0000000..2f746cc --- /dev/null +++ b/cluster/apps/download/vpn/network_policy.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-most-allow-some + namespace: vpn +spec: + # Apply to all pods in this namespace + podSelector: {} + ingress: + - from: + # Allow all pods in this namespace + - namespaceSelector: + matchLabels: + name: "vpn" +# - podSelector: {} + + # Allow traefik pods + - namespaceSelector: + matchLabels: + name: "traefik" + + # Allow all pods with this label + - podSelector: + matchLabels: + needsVPN: "yes" \ No newline at end of file 
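Review bot: The ingress in vpn/ingress.yaml exposes the qbittorrent web UI on a public hostname with a Let's Encrypt certificate but carries no traefik middleware for authentication or source-IP allow-listing, so the only gate is qbittorrent's own web-UI login. Attach a middleware, e.g. `traefik.ingress.kubernetes.io/router.middlewares: vpn-qbit-auth@kubernetescrd`, backed by a basicAuth/forwardAuth or ipWhitelist Middleware resource, or keep the hostname off public DNS. The resource lives in namespace `vpn` although the file sits under `apps/download`; a one-line comment at the top of the file saying so would keep the next reader from assuming the download-namespace NetworkPolicy covers it.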
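Review bot: vpn/network_policy.yaml would, once enabled, cut radarr and sonarr off from qbittorrent: the `needsVPN` entry is a bare `podSelector`, which in a NetworkPolicy matches only pods in the policy's own namespace (`vpn`), and those are already admitted by the first entry, so nothing from the `download` namespace is allowed in. That is presumably why vpn/kustomization.yaml ships with `#- ./network_policy.yaml` commented out, which leaves the VPN pod — running with gluetun's firewall off — reachable from every pod in the cluster. Fix the selector so the policy can be turned on, e.g. replace the third entry with `- namespaceSelector: {matchLabels: {name: download}}` (optionally paired with a podSelector for radarr/sonarr), add `policyTypes: [Ingress]` so the egress scope is explicit, and uncomment the resource in the kustomization.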
diff --git a/cluster/apps/download/vpn/service.yaml b/cluster/apps/download/vpn/service.yaml new file mode 100644 index 0000000..23cbab1 --- /dev/null +++ b/cluster/apps/download/vpn/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: vpn-pods + namespace: vpn + + labels: + app: vpn-pods + kubernetes.io/name: "vpn-pods" +spec: + selector: + app: vpn-pods + ports: + - name: http + port: 8080 + targetPort: 8080 \ No newline at end of file diff --git a/cluster/apps/download/vpn/vpnconfig.sops.yaml b/cluster/apps/download/vpn/vpnconfig.sops.yaml new file mode 100644 index 0000000..05a396d --- /dev/null +++ b/cluster/apps/download/vpn/vpnconfig.sops.yaml 
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: Secret +metadata: + name: vpnconfig + namespace: vpn +stringData: + VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:R8/w2f+rPQ==,iv:jy1iVRtJq9l/fYKjCdSrSneNZh8V9/LHVopGWdjtpNY=,tag:HkzAyAuflvqEcdHGF6jnfw==,type:str] + VPN_TYPE: ENC[AES256_GCM,data:Dff2qD9mAVX7,iv:jhLEkfAulvPxN/uRdSF3MR9GbxnRt2cSLqDOkXO7qPA=,tag:dMB6aEhwLssc3JPKdFULTQ==,type:str] + WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:NKEqINUpmt3rJqrUfXZtcE1vMSogtvF3B7lggI3rS48/akwEgJQRssxgfzk=,iv:wKoook7MN+CSvU8F2bi/GijAbUEoN61FUldh5nCKfXc=,tag:djUHCZtY1T5zMADqqm1DgQ==,type:str] + WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:hSuZoWk9Zih763suTpwK,iv:YkdOLnSqugkunUS66W/oVS5IScrElkRr6l4oCjt4gOE=,tag:XG8yKsobjyJkD98RiPpAjQ==,type:str] + SERVER_COUNTRIES: ENC[AES256_GCM,data:pyid,iv:gItcOstdlJ6t5uICxGHiEFjcz7pu+t62HBhja+mjaT8=,tag:4aNdJXDgyrWHa5LV0D5EfQ==,type:str] + SERVER_CITIES: ENC[AES256_GCM,data:XwiVflyqpQA=,iv:9ZAV0kS2WNKBezsAVROh3IEIBw4igkNLJqG44oboTq8=,tag:Z6KJUbiU5WL5QfJcWjFo4A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-04-06T15:52:45Z" + mac: ENC[AES256_GCM,data:tXyfA8DwqQCjcG+Iah7BiO5y/jGAqiuqOBKebJHABKEjr44HnEKT+LnZFRPRVlIuZZ545ZeyU2Bzhpr6WBz6NVjk2b+ab+bHDYYOGMOwLAvXtLsNqhDXsRtqj9jfr5tubfRmAcMcdgCZE+qOlJt/yjRevzvUgs+cAtrO4xAcldU=,iv:YRNS67GjORbBBj8Fyps3PWzugzsDP1kFrR6/TiCSYe0=,tag:h3kFZuuKygDKWMp1htW66A==,type:str] + pgp: + - created_at: "2023-04-06T03:41:51Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzKleRwoSoixARAAitrd38vQexWeELGnS0HrjWf4274iNDbC7UDOXkI3a5hA + HwkA+thkq7JvIE+UuNOeucJKii+8lLh8wGu5nVCizswckoz+wFvMATrDYrHQPO89 + AB0PfWF32OVCKePp08o+UUlYiWb212HksTwqF78XMZFthcnql//uojXmyeiYarAf + j5wyPkh5RkfhZCqG2z1Rywk0XJOHRaOMQQ+8Qs/XuAlRuwyg9Ei+gYRo4FH/Wx1A + k0tCrViVlDVdd5OnIwlbR6w5eTgM7id31mCjCA7vPrupo2XKV6A6L+bPyA94aT7/ + eWrcivQ6J1BaoRQafYQcbgNxdUdHqlb4B/0txkYipu8Yxc4I082+B4hWS0wm1hNF + ytrkuCvK29C9ViIREsWwPO5GaupMHQLnDo/2MAJa8r3ndi0QMz5hQsS7cckcAaVm + 
l1VZEvlY0M1CJeEXVhZ4v/Drt1fTFaV4sCuXqEEv8DuS6rBEMSFyQ0+YY0wxwGvG + o/qzU393s2r4DgQ8CzpoRgXxcGJJhcdgzrBAQGBB8UiKSembyJMiI6R0tfacSBtS + QpX5RuVVzeOnY5ftnuSePR24T5r0tlMpE8kYH5rZ19mwBNaMnwASOZeVu/4pM970 + ko+1P9XWGXcTPXHYYacXiCFTpFAEjGQay7qCqepJJ/V1n5gSVuWa9SWsr7H40EHU + aAEJAhBw71YDGPfB/tJIT1agrtMW+VJr4m56jiK8lbCT56udmw5MDZTxAufCJA+C + slbO6oLgInBJLYlpiJB4aJ9WvvX0XGIfmDIho/EpbK8uUrUjfwgSvRwEdKIRZpZ3 + DPRnKLFBYm/9 + =DL6W + -----END PGP MESSAGE----- + fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5 + - created_at: "2023-04-06T03:41:51Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4WLYkVpP8xtAQ//ctKJ4aFujay7DJNel2MgCg3wmKR+td5m+B3ELrDbAHcT + 2agpyvb0rotjEAbczKHkkY0805y4lWvGXFyDMWdtWa6msUsM51lW5c2akAAG+cxr + N53XMASD+WS/5DrZ0FzGCYtKklBRv3IlBw85vAlMuFQkJqkqwB9aVzG46PAoQ9I2 + bl4X/5PljoI78iW7lCM1LugyD6nxHB6umwUZ5XDs1L/QavCXb5UNckluH69tu0ec + hNsCHW9kfMO2dV15JCVchvuLntgtt+1+H1l8XNwjg1x2E7GMVkNMByZPF/PLTTrs + ZvpUcwTcbKO5Ha7BNh+hrUteNd6teTGUr9WAlGnDQECxhNGWMtau4707hxBXDL+W + cCGZToiGbsZ3173tQsFM54Rumcwa7E6UxIXX8YmIdU70u7UHGKQWFBkakyCNRp8h + X4JM+BPuD+pthY3Coucf3NXInw0Jd78m6TQrtJ1POm0p3Kx7eAWNJbxpwHQAg5fX + r6UCJflXu1M0VwAll6DkLL/MvBV6EUA9UctPi+F3E3yEjSC80KX9S34hiJcJzDge + LUJpCQqvB6FK80iFlaCNLg9qcyH3oqLcm8EpUcrHxFTmNwSXFzyRAjwq7aZ4UPjI + U8qSBiilmoz/UJnaTAwOcGkJ8lVfF41VzohqI2xxbKye8gtmMxSS6I161FCRbq3U + aAEJAhByOVF+gDjFQLssl9tlwNGsbT2xWwcDZ1OfibDGARgU5g6PQFkYMxj2SGZ7 + J19BGBWSB2ucbsFcxmOijpgxnMhJHgIMdYUwCyv1Kut2DeXyfvZYgVw4ZRjAu2W7 + EEVy24tMDoul + =HAIu + -----END PGP MESSAGE----- + fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95 + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml index b49ce52..d3ae82e 100644 --- a/cluster/apps/kustomization.yaml +++ b/cluster/apps/kustomization.yaml @@ -1,4 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./media \ No newline at end of file +- ./media +- ./download \ No newline at end of file 
diff --git a/cluster/apps/media/kustomization.yaml b/cluster/apps/media/kustomization.yaml index 9ce2937..8dc8ea3 100644 --- a/cluster/apps/media/kustomization.yaml +++ b/cluster/apps/media/kustomization.yaml @@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml -- ./sonarr -- ./radarr - ./network_policy.yaml \ No newline at end of file diff --git a/cluster/core/networking/kustomization.yaml b/cluster/core/networking/kustomization.yaml index cad1d52..7a8a32d 100644 --- a/cluster/core/networking/kustomization.yaml +++ b/cluster/core/networking/kustomization.yaml @@ -4,4 +4,4 @@ resources: - ./traefik - ./calico - ./metallb -- ./vpn-gateway \ No newline at end of file +#- ./vpn-gateway \ No newline at end of file diff --git a/cluster/core/networking/vpn-gateway/helm-release.yaml b/cluster/core/networking/vpn-gateway/helm-release.yaml deleted file mode 100644 index 754bddf..0000000 --- a/cluster/core/networking/vpn-gateway/helm-release.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: vpn-gateway - namespace: vpn-gateway - labels: -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://geek-cookbook.github.io/charts/ - chart: pod-gateway - version: 5.6.x - sourceRef: - kind: HelmRepository - name: geek-cookbook-charts - namespace: flux-system - interval: 5m - - # See https://github.com/k8s-at-home/charts/blob/master/charts/pod-gateway/values.yaml - values: - routed_namespaces: - - vpn - settings: - # Route internal K8s and local home traffic in to the defaullt K8S gateway - NOT_ROUTED_TO_GATEWAY_CIDRS: "172.22.0.0/12 192.168.87.0/24" - VPN_LOCAL_CIDRS: "172.22.0.0/12 192.168.87.0/24" - - # Use a different VXLAN network segment that does not conflict with the above - VXLAN_IP_NETWORK: "192.123.242.0/24" - 
diff --git a/cluster/core/networking/vpn-gateway/helm-repository.yaml b/cluster/core/networking/vpn-gateway/helm-repository.yaml deleted file mode 100644 index 0cd99bf..0000000 --- a/cluster/core/networking/vpn-gateway/helm-repository.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: geek-cookbook-charts - namespace: flux-system -spec: - interval: 1m - url: https://geek-cookbook.github.io/charts/ diff --git a/cluster/core/networking/vpn-gateway/namespace.yaml b/cluster/core/networking/vpn-gateway/namespace.yaml deleted file mode 100644 index 8ee65a9..0000000 --- a/cluster/core/networking/vpn-gateway/namespace.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: vpn - labels: - routed-gateway: "true" ---- -apiVersion: v1 -kind: Namespace -metadata: - name: vpn-gateway \ No newline at end of file