SeanOMik
/
k3s-cluster
1
0
Fork 0
Code Issues 2 Pull Requests 32 Packages Projects Releases Wiki Activity

Swap to using a sidecar container with qbittorrent

This commit is contained in:
SeanOMik 2023-04-06 19:53:18 -04:00
parent ea3121fb3c
commit 60e8e0ff44
Signed by: SeanOMik
GPG Key ID: 568F326C7EB33ACB
24 changed files with 254 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cluster/core/networking/vpn-gateway/kustomization.yaml → cluster/apps/download/kustomization.yaml
View File

@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
- ./network_policy.yaml
- ./radarr
- ./sonarr
- ./vpn

6
cluster/apps/download/namespace.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: download
labels:
name: download

25
cluster/apps/download/network_policy.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-most-allow-some
namespace: download
spec:
# Apply to all pods in this namespace
podSelector: {}
ingress:
- from:
# Allow all pods in this namespace
- namespaceSelector:
matchLabels:
name: "download"
# - podSelector: {}
# Allow traefik pods
- namespaceSelector:
matchLabels:
name: "traefik"
# Allow all pods with this label
- podSelector:
matchLabels:
needsDownload: "yes"

6
cluster/apps/media/radarr/deployment.yaml → cluster/apps/download/radarr/deployment.yaml
View File

@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: media
namespace: download
labels:
app: radarr
@ -31,12 +31,12 @@ spec:
volumeMounts:
- name: radarr
mountPath: /config
- name: radarr-media-storage
- name: radarr-download-storage
mountPath: /storage
volumes:
- name: radarr
hostPath:
path: /mnt/MainPool/Kubernetes/radarr
- name: radarr-media-storage
- name: radarr-download-storage
hostPath:
path: /mnt/MainPool/Media

2
cluster/apps/media/radarr/ingress.yaml → cluster/apps/download/radarr/ingress.yaml
View File

@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr-ingress
namespace: media
namespace: download
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure

0
cluster/apps/media/radarr/kustomization.yaml → cluster/apps/download/radarr/kustomization.yaml
View File

2
cluster/apps/media/radarr/service.yaml → cluster/apps/download/radarr/service.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: radarr
namespace: media
namespace: download
labels:
app: radarr

6
cluster/apps/media/sonarr/deployment.yaml → cluster/apps/download/sonarr/deployment.yaml
View File

@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: media
namespace: download
labels:
app: sonarr
@ -31,12 +31,12 @@ spec:
volumeMounts:
- name: sonarr
mountPath: /config
- name: sonarr-media-storage
- name: sonarr-download-storage
mountPath: /storage
volumes:
- name: sonarr
hostPath:
path: /mnt/MainPool/Kubernetes/sonarr
- name: sonarr-media-storage
- name: sonarr-download-storage
hostPath:
path: /mnt/MainPool/Media

2
cluster/apps/media/sonarr/ingress.yaml → cluster/apps/download/sonarr/ingress.yaml
View File

@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr-ingress
namespace: media
namespace: download
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure

0
cluster/apps/media/sonarr/kustomization.yaml → cluster/apps/download/sonarr/kustomization.yaml
View File

2
cluster/apps/media/sonarr/service.yaml → cluster/apps/download/sonarr/service.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: sonarr
namespace: media
namespace: download
labels:
app: sonarr

65
cluster/apps/download/vpn/deployment.yaml Normal file
View File

@ -0,0 +1,65 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: vpn-pods
namespace: vpn
labels:
app: vpn-pods
kubernetes.io/name: "vpn-pods"
spec:
replicas: 1
selector:
matchLabels:
app: vpn-pods
template:
metadata:
labels:
app: vpn-pods
spec:
containers:
- name: qbittorrent
image: lscr.io/linuxserver/qbittorrent:latest
env:
- name: PGID
value: "1000"
- name: PUID
value: "1000"
- name: TZ
value: America/New_York
- name: WEBUI_PORT
value: "8080"
ports:
- name: http
containerPort: 8080
volumeMounts:
- name: qbittorrent-config
mountPath: /config
- name: qbit-download-storage
mountPath: /storage/Torrents
- name: gluetun
image: qmcgaw/gluetun
env:
- name: FIREWALL
value: "off"
- name: DOT
value: "off"
envFrom:
- secretRef:
name: vpnconfig
securityContext:
capabilities:
add:
- NET_ADMIN
ports:
- name: http
containerPort: 8080
volumes:
- name: qbittorrent-config
hostPath:
path: /mnt/MainPool/Kubernetes/qbittorrent
- name: qbit-download-storage
hostPath:
path: /mnt/MainPool/Media/Torrents

20
cluster/apps/download/vpn/ingress.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vpn-pods-ingress
namespace: vpn
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-production"
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: "k3sqbit.***REMOVED***"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vpn-pods
port:
number: 8080

9
cluster/apps/download/vpn/kustomization.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./vpnconfig.sops.yaml
- ./namespace.yaml
- ./deployment.yaml
- ./service.yaml
- ./ingress.yaml
#- ./network_policy.yaml

6
cluster/apps/download/vpn/namespace.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: vpn
labels:
name: vpn

25
cluster/apps/download/vpn/network_policy.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-most-allow-some
namespace: vpn
spec:
# Apply to all pods in this namespace
podSelector: {}
ingress:
- from:
# Allow all pods in this namespace
- namespaceSelector:
matchLabels:
name: "vpn"
# - podSelector: {}
# Allow traefik pods
- namespaceSelector:
matchLabels:
name: "traefik"
# Allow all pods with this label
- podSelector:
matchLabels:
needsVPN: "yes"

16
cluster/apps/download/vpn/service.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: vpn-pods
namespace: vpn
labels:
app: vpn-pods
kubernetes.io/name: "vpn-pods"
spec:
selector:
app: vpn-pods
ports:
- name: http
port: 8080
targetPort: 8080

65
cluster/apps/download/vpn/vpnconfig.sops.yaml Normal file
View File

@ -0,0 +1,65 @@
apiVersion: v1
kind: Secret
metadata:
name: vpnconfig
namespace: vpn
stringData:
VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:R8/w2f+rPQ==,iv:jy1iVRtJq9l/fYKjCdSrSneNZh8V9/LHVopGWdjtpNY=,tag:HkzAyAuflvqEcdHGF6jnfw==,type:str]
VPN_TYPE: ENC[AES256_GCM,data:Dff2qD9mAVX7,iv:jhLEkfAulvPxN/uRdSF3MR9GbxnRt2cSLqDOkXO7qPA=,tag:dMB6aEhwLssc3JPKdFULTQ==,type:str]
WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:NKEqINUpmt3rJqrUfXZtcE1vMSogtvF3B7lggI3rS48/akwEgJQRssxgfzk=,iv:wKoook7MN+CSvU8F2bi/GijAbUEoN61FUldh5nCKfXc=,tag:djUHCZtY1T5zMADqqm1DgQ==,type:str]
WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:hSuZoWk9Zih763suTpwK,iv:YkdOLnSqugkunUS66W/oVS5IScrElkRr6l4oCjt4gOE=,tag:XG8yKsobjyJkD98RiPpAjQ==,type:str]
SERVER_COUNTRIES: ENC[AES256_GCM,data:pyid,iv:gItcOstdlJ6t5uICxGHiEFjcz7pu+t62HBhja+mjaT8=,tag:4aNdJXDgyrWHa5LV0D5EfQ==,type:str]
SERVER_CITIES: ENC[AES256_GCM,data:XwiVflyqpQA=,iv:9ZAV0kS2WNKBezsAVROh3IEIBw4igkNLJqG44oboTq8=,tag:Z6KJUbiU5WL5QfJcWjFo4A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-06T15:52:45Z"
mac: ENC[AES256_GCM,data:tXyfA8DwqQCjcG+Iah7BiO5y/jGAqiuqOBKebJHABKEjr44HnEKT+LnZFRPRVlIuZZ545ZeyU2Bzhpr6WBz6NVjk2b+ab+bHDYYOGMOwLAvXtLsNqhDXsRtqj9jfr5tubfRmAcMcdgCZE+qOlJt/yjRevzvUgs+cAtrO4xAcldU=,iv:YRNS67GjORbBBj8Fyps3PWzugzsDP1kFrR6/TiCSYe0=,tag:h3kFZuuKygDKWMp1htW66A==,type:str]
pgp:
- created_at: "2023-04-06T03:41:51Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzKleRwoSoixARAAitrd38vQexWeELGnS0HrjWf4274iNDbC7UDOXkI3a5hA
HwkA+thkq7JvIE+UuNOeucJKii+8lLh8wGu5nVCizswckoz+wFvMATrDYrHQPO89
AB0PfWF32OVCKePp08o+UUlYiWb212HksTwqF78XMZFthcnql//uojXmyeiYarAf
j5wyPkh5RkfhZCqG2z1Rywk0XJOHRaOMQQ+8Qs/XuAlRuwyg9Ei+gYRo4FH/Wx1A
k0tCrViVlDVdd5OnIwlbR6w5eTgM7id31mCjCA7vPrupo2XKV6A6L+bPyA94aT7/
eWrcivQ6J1BaoRQafYQcbgNxdUdHqlb4B/0txkYipu8Yxc4I082+B4hWS0wm1hNF
ytrkuCvK29C9ViIREsWwPO5GaupMHQLnDo/2MAJa8r3ndi0QMz5hQsS7cckcAaVm
l1VZEvlY0M1CJeEXVhZ4v/Drt1fTFaV4sCuXqEEv8DuS6rBEMSFyQ0+YY0wxwGvG
o/qzU393s2r4DgQ8CzpoRgXxcGJJhcdgzrBAQGBB8UiKSembyJMiI6R0tfacSBtS
QpX5RuVVzeOnY5ftnuSePR24T5r0tlMpE8kYH5rZ19mwBNaMnwASOZeVu/4pM970
ko+1P9XWGXcTPXHYYacXiCFTpFAEjGQay7qCqepJJ/V1n5gSVuWa9SWsr7H40EHU
aAEJAhBw71YDGPfB/tJIT1agrtMW+VJr4m56jiK8lbCT56udmw5MDZTxAufCJA+C
slbO6oLgInBJLYlpiJB4aJ9WvvX0XGIfmDIho/EpbK8uUrUjfwgSvRwEdKIRZpZ3
DPRnKLFBYm/9
=DL6W
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-06T03:41:51Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA4WLYkVpP8xtAQ//ctKJ4aFujay7DJNel2MgCg3wmKR+td5m+B3ELrDbAHcT
2agpyvb0rotjEAbczKHkkY0805y4lWvGXFyDMWdtWa6msUsM51lW5c2akAAG+cxr
N53XMASD+WS/5DrZ0FzGCYtKklBRv3IlBw85vAlMuFQkJqkqwB9aVzG46PAoQ9I2
bl4X/5PljoI78iW7lCM1LugyD6nxHB6umwUZ5XDs1L/QavCXb5UNckluH69tu0ec
hNsCHW9kfMO2dV15JCVchvuLntgtt+1+H1l8XNwjg1x2E7GMVkNMByZPF/PLTTrs
ZvpUcwTcbKO5Ha7BNh+hrUteNd6teTGUr9WAlGnDQECxhNGWMtau4707hxBXDL+W
cCGZToiGbsZ3173tQsFM54Rumcwa7E6UxIXX8YmIdU70u7UHGKQWFBkakyCNRp8h
X4JM+BPuD+pthY3Coucf3NXInw0Jd78m6TQrtJ1POm0p3Kx7eAWNJbxpwHQAg5fX
r6UCJflXu1M0VwAll6DkLL/MvBV6EUA9UctPi+F3E3yEjSC80KX9S34hiJcJzDge
LUJpCQqvB6FK80iFlaCNLg9qcyH3oqLcm8EpUcrHxFTmNwSXFzyRAjwq7aZ4UPjI
U8qSBiilmoz/UJnaTAwOcGkJ8lVfF41VzohqI2xxbKye8gtmMxSS6I161FCRbq3U
aAEJAhByOVF+gDjFQLssl9tlwNGsbT2xWwcDZ1OfibDGARgU5g6PQFkYMxj2SGZ7
J19BGBWSB2ucbsFcxmOijpgxnMhJHgIMdYUwCyv1Kut2DeXyfvZYgVw4ZRjAu2W7
EEVy24tMDoul
=HAIu
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3

3
cluster/apps/kustomization.yaml
View File

@ -1,4 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./media
- ./media
- ./download

2
cluster/apps/media/kustomization.yaml
View File

@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./sonarr
- ./radarr
- ./network_policy.yaml

2
cluster/core/networking/kustomization.yaml
View File

@ -4,4 +4,4 @@ resources:
- ./traefik
- ./calico
- ./metallb
- ./vpn-gateway
#- ./vpn-gateway

31
cluster/core/networking/vpn-gateway/helm-release.yaml
View File

@ -1,31 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: vpn-gateway
namespace: vpn-gateway
labels:
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://geek-cookbook.github.io/charts/
chart: pod-gateway
version: 5.6.x
sourceRef:
kind: HelmRepository
name: geek-cookbook-charts
namespace: flux-system
interval: 5m
# See https://github.com/k8s-at-home/charts/blob/master/charts/pod-gateway/values.yaml
values:
routed_namespaces:
- vpn
settings:
# Route internal K8s and local home traffic in to the defaullt K8S gateway
NOT_ROUTED_TO_GATEWAY_CIDRS: "172.22.0.0/12 192.168.87.0/24"
VPN_LOCAL_CIDRS: "172.22.0.0/12 192.168.87.0/24"
# Use a different VXLAN network segment that does not conflict with the above
VXLAN_IP_NETWORK: "192.123.242.0/24"

8
cluster/core/networking/vpn-gateway/helm-repository.yaml
View File

@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: geek-cookbook-charts
namespace: flux-system
spec:
interval: 1m
url: https://geek-cookbook.github.io/charts/

11
cluster/core/networking/vpn-gateway/namespace.yaml
View File

@ -1,11 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: vpn
labels:
routed-gateway: "true"
---
apiVersion: v1
kind: Namespace
metadata:
name: vpn-gateway