Swap to using a sidecar container with qbittorrent

cluster/apps/download/kustomization.yaml

@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
-- ./helm-repository.yaml
+- ./network_policy.yaml
-- ./helm-release.yaml
+- ./radarr
+- ./sonarr
+- ./vpn

cluster/apps/download/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: download
+  labels:
+    name: download

cluster/apps/download/network_policy.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-most-allow-some
+  namespace: download
+spec:
+  # Apply to all pods in this namespace
+  podSelector: {}
+  ingress:
+  - from:
+    # Allow all pods in this namespace
+    - namespaceSelector:
+        matchLabels:
+          name: "download"
+#    - podSelector: {}
+
+    # Allow traefik pods
+    - namespaceSelector:
+        matchLabels:
+          name: "traefik"
+
+    # Allow all pods with this label
+    - podSelector:
+        matchLabels:
+          needsDownload: "yes"

cluster/apps/download/radarr/deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: radarr
-  namespace: media
+  namespace: download
 
   labels:
     app: radarr
@@ -31,12 +31,12 @@ spec:
         volumeMounts:
         - name: radarr
           mountPath: /config
-        - name: radarr-media-storage
+        - name: radarr-download-storage
           mountPath: /storage
       volumes:
       - name: radarr
         hostPath:
           path: /mnt/MainPool/Kubernetes/radarr
-      - name: radarr-media-storage
+      - name: radarr-download-storage
         hostPath:
           path: /mnt/MainPool/Media

cluster/apps/download/radarr/ingress.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: radarr-ingress
-  namespace: media
+  namespace: download
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-production"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure

cluster/apps/download/radarr/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: radarr
-  namespace: media
+  namespace: download
 
   labels:
     app: radarr

cluster/apps/download/sonarr/deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: sonarr
-  namespace: media
+  namespace: download
 
   labels:
     app: sonarr
@@ -31,12 +31,12 @@ spec:
         volumeMounts:
         - name: sonarr
           mountPath: /config
-        - name: sonarr-media-storage
+        - name: sonarr-download-storage
           mountPath: /storage
       volumes:
       - name: sonarr
         hostPath:
           path: /mnt/MainPool/Kubernetes/sonarr
-      - name: sonarr-media-storage
+      - name: sonarr-download-storage
         hostPath:
           path: /mnt/MainPool/Media

cluster/apps/download/sonarr/ingress.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: sonarr-ingress
-  namespace: media
+  namespace: download
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-production"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure

cluster/apps/download/sonarr/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: sonarr
-  namespace: media
+  namespace: download
 
   labels:
     app: sonarr

cluster/apps/download/vpn/deployment.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vpn-pods
+  namespace: vpn
+
+  labels:
+    app: vpn-pods
+    kubernetes.io/name: "vpn-pods"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vpn-pods
+  template:
+    metadata:
+      labels:
+        app: vpn-pods
+    spec:
+      containers:
+      - name: qbittorrent
+        image: lscr.io/linuxserver/qbittorrent:latest
+        env:
+        - name: PGID
+          value: "1000"
+        - name: PUID
+          value: "1000"
+        - name: TZ
+          value: America/New_York
+        - name: WEBUI_PORT
+          value: "8080"
+        ports:
+        - name: http
+          containerPort: 8080
+        volumeMounts:
+        - name: qbittorrent-config
+          mountPath: /config
+        - name: qbit-download-storage
+          mountPath: /storage/Torrents
+      
+      - name: gluetun
+        image: qmcgaw/gluetun
+        env:
+          - name: FIREWALL
+            value: "off"
+          - name: DOT
+            value: "off"
+        envFrom:
+        - secretRef:
+            name: vpnconfig
+        securityContext:
+          capabilities:
+            add:
+              - NET_ADMIN
+        ports:
+        - name: http
+          containerPort: 8080
+
+      volumes:
+      - name: qbittorrent-config
+        hostPath:
+          path: /mnt/MainPool/Kubernetes/qbittorrent
+      - name: qbit-download-storage
+        hostPath:
+          path: /mnt/MainPool/Media/Torrents

cluster/apps/download/vpn/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vpn-pods-ingress
+  namespace: vpn
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-production"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+spec:
+  rules:
+    - host: "k3sqbit.***REMOVED***"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: vpn-pods
+                port:
+                  number: 8080

cluster/apps/download/vpn/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./vpnconfig.sops.yaml
+- ./namespace.yaml
+- ./deployment.yaml
+- ./service.yaml
+- ./ingress.yaml
+#- ./network_policy.yaml

cluster/apps/download/vpn/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vpn
+  labels:
+    name: vpn

cluster/apps/download/vpn/network_policy.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-most-allow-some
+  namespace: vpn
+spec:
+  # Apply to all pods in this namespace
+  podSelector: {}
+  ingress:
+  - from:
+    # Allow all pods in this namespace
+    - namespaceSelector:
+        matchLabels:
+          name: "vpn"
+#    - podSelector: {}
+
+    # Allow traefik pods
+    - namespaceSelector:
+        matchLabels:
+          name: "traefik"
+
+    # Allow all pods with this label
+    - podSelector:
+        matchLabels:
+          needsVPN: "yes"

cluster/apps/download/vpn/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vpn-pods
+  namespace: vpn
+
+  labels:
+    app: vpn-pods
+    kubernetes.io/name: "vpn-pods"
+spec:
+  selector:
+    app: vpn-pods
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080

cluster/apps/download/vpn/vpnconfig.sops.yaml

@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: vpnconfig
+    namespace: vpn
+stringData:
+    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:R8/w2f+rPQ==,iv:jy1iVRtJq9l/fYKjCdSrSneNZh8V9/LHVopGWdjtpNY=,tag:HkzAyAuflvqEcdHGF6jnfw==,type:str]
+    VPN_TYPE: ENC[AES256_GCM,data:Dff2qD9mAVX7,iv:jhLEkfAulvPxN/uRdSF3MR9GbxnRt2cSLqDOkXO7qPA=,tag:dMB6aEhwLssc3JPKdFULTQ==,type:str]
+    WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:NKEqINUpmt3rJqrUfXZtcE1vMSogtvF3B7lggI3rS48/akwEgJQRssxgfzk=,iv:wKoook7MN+CSvU8F2bi/GijAbUEoN61FUldh5nCKfXc=,tag:djUHCZtY1T5zMADqqm1DgQ==,type:str]
+    WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:hSuZoWk9Zih763suTpwK,iv:YkdOLnSqugkunUS66W/oVS5IScrElkRr6l4oCjt4gOE=,tag:XG8yKsobjyJkD98RiPpAjQ==,type:str]
+    SERVER_COUNTRIES: ENC[AES256_GCM,data:pyid,iv:gItcOstdlJ6t5uICxGHiEFjcz7pu+t62HBhja+mjaT8=,tag:4aNdJXDgyrWHa5LV0D5EfQ==,type:str]
+    SERVER_CITIES: ENC[AES256_GCM,data:XwiVflyqpQA=,iv:9ZAV0kS2WNKBezsAVROh3IEIBw4igkNLJqG44oboTq8=,tag:Z6KJUbiU5WL5QfJcWjFo4A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-06T15:52:45Z"
+    mac: ENC[AES256_GCM,data:tXyfA8DwqQCjcG+Iah7BiO5y/jGAqiuqOBKebJHABKEjr44HnEKT+LnZFRPRVlIuZZ545ZeyU2Bzhpr6WBz6NVjk2b+ab+bHDYYOGMOwLAvXtLsNqhDXsRtqj9jfr5tubfRmAcMcdgCZE+qOlJt/yjRevzvUgs+cAtrO4xAcldU=,iv:YRNS67GjORbBBj8Fyps3PWzugzsDP1kFrR6/TiCSYe0=,tag:h3kFZuuKygDKWMp1htW66A==,type:str]
+    pgp:
+        - created_at: "2023-04-06T03:41:51Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixARAAitrd38vQexWeELGnS0HrjWf4274iNDbC7UDOXkI3a5hA
+            HwkA+thkq7JvIE+UuNOeucJKii+8lLh8wGu5nVCizswckoz+wFvMATrDYrHQPO89
+            AB0PfWF32OVCKePp08o+UUlYiWb212HksTwqF78XMZFthcnql//uojXmyeiYarAf
+            j5wyPkh5RkfhZCqG2z1Rywk0XJOHRaOMQQ+8Qs/XuAlRuwyg9Ei+gYRo4FH/Wx1A
+            k0tCrViVlDVdd5OnIwlbR6w5eTgM7id31mCjCA7vPrupo2XKV6A6L+bPyA94aT7/
+            eWrcivQ6J1BaoRQafYQcbgNxdUdHqlb4B/0txkYipu8Yxc4I082+B4hWS0wm1hNF
+            ytrkuCvK29C9ViIREsWwPO5GaupMHQLnDo/2MAJa8r3ndi0QMz5hQsS7cckcAaVm
+            l1VZEvlY0M1CJeEXVhZ4v/Drt1fTFaV4sCuXqEEv8DuS6rBEMSFyQ0+YY0wxwGvG
+            o/qzU393s2r4DgQ8CzpoRgXxcGJJhcdgzrBAQGBB8UiKSembyJMiI6R0tfacSBtS
+            QpX5RuVVzeOnY5ftnuSePR24T5r0tlMpE8kYH5rZ19mwBNaMnwASOZeVu/4pM970
+            ko+1P9XWGXcTPXHYYacXiCFTpFAEjGQay7qCqepJJ/V1n5gSVuWa9SWsr7H40EHU
+            aAEJAhBw71YDGPfB/tJIT1agrtMW+VJr4m56jiK8lbCT56udmw5MDZTxAufCJA+C
+            slbO6oLgInBJLYlpiJB4aJ9WvvX0XGIfmDIho/EpbK8uUrUjfwgSvRwEdKIRZpZ3
+            DPRnKLFBYm/9
+            =DL6W
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-06T03:41:51Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ//ctKJ4aFujay7DJNel2MgCg3wmKR+td5m+B3ELrDbAHcT
+            2agpyvb0rotjEAbczKHkkY0805y4lWvGXFyDMWdtWa6msUsM51lW5c2akAAG+cxr
+            N53XMASD+WS/5DrZ0FzGCYtKklBRv3IlBw85vAlMuFQkJqkqwB9aVzG46PAoQ9I2
+            bl4X/5PljoI78iW7lCM1LugyD6nxHB6umwUZ5XDs1L/QavCXb5UNckluH69tu0ec
+            hNsCHW9kfMO2dV15JCVchvuLntgtt+1+H1l8XNwjg1x2E7GMVkNMByZPF/PLTTrs
+            ZvpUcwTcbKO5Ha7BNh+hrUteNd6teTGUr9WAlGnDQECxhNGWMtau4707hxBXDL+W
+            cCGZToiGbsZ3173tQsFM54Rumcwa7E6UxIXX8YmIdU70u7UHGKQWFBkakyCNRp8h
+            X4JM+BPuD+pthY3Coucf3NXInw0Jd78m6TQrtJ1POm0p3Kx7eAWNJbxpwHQAg5fX
+            r6UCJflXu1M0VwAll6DkLL/MvBV6EUA9UctPi+F3E3yEjSC80KX9S34hiJcJzDge
+            LUJpCQqvB6FK80iFlaCNLg9qcyH3oqLcm8EpUcrHxFTmNwSXFzyRAjwq7aZ4UPjI
+            U8qSBiilmoz/UJnaTAwOcGkJ8lVfF41VzohqI2xxbKye8gtmMxSS6I161FCRbq3U
+            aAEJAhByOVF+gDjFQLssl9tlwNGsbT2xWwcDZ1OfibDGARgU5g6PQFkYMxj2SGZ7
+            J19BGBWSB2ucbsFcxmOijpgxnMhJHgIMdYUwCyv1Kut2DeXyfvZYgVw4ZRjAu2W7
+            EEVy24tMDoul
+            =HAIu
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/apps/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./media
+- ./media
+- ./download

cluster/apps/media/kustomization.yaml

@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
-- ./sonarr
-- ./radarr
 - ./network_policy.yaml

cluster/core/networking/kustomization.yaml

@@ -4,4 +4,4 @@ resources:
 - ./traefik
 - ./calico
 - ./metallb
-- ./vpn-gateway
+#- ./vpn-gateway

cluster/core/networking/vpn-gateway/helm-release.yaml

@@ -1,31 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: vpn-gateway
-  namespace: vpn-gateway
-  labels:
-spec:
-  interval: 5m
-  chart:
-    spec:
-      # renovate: registryUrl=https://geek-cookbook.github.io/charts/
-      chart: pod-gateway
-      version: 5.6.x
-      sourceRef:
-        kind: HelmRepository
-        name: geek-cookbook-charts
-        namespace: flux-system
-      interval: 5m
-
-  # See https://github.com/k8s-at-home/charts/blob/master/charts/pod-gateway/values.yaml
-  values:
-    routed_namespaces:
-      - vpn
-    settings:
-      # Route internal K8s and local home traffic in to the defaullt K8S gateway
-      NOT_ROUTED_TO_GATEWAY_CIDRS: "172.22.0.0/12 192.168.87.0/24"
-      VPN_LOCAL_CIDRS: "172.22.0.0/12 192.168.87.0/24"
-
-      # Use a different VXLAN network segment that does not conflict with the above
-      VXLAN_IP_NETWORK: "192.123.242.0/24"
-

cluster/core/networking/vpn-gateway/helm-repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: geek-cookbook-charts
-  namespace: flux-system
-spec:
-  interval: 1m
-  url: https://geek-cookbook.github.io/charts/

cluster/core/networking/vpn-gateway/namespace.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vpn
-  labels:
-    routed-gateway: "true"
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vpn-gateway