diff --git a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml index 780eee8b..9a114ac6 100644 --- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml +++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml @@ -61,7 +61,7 @@ spec: timeoutSeconds: 1 failureThreshold: 3 readiness: *probes - securityContext: + securityContext: &securityContext allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } @@ -72,6 +72,58 @@ spec: limits: cpu: 4 memory: 50Gi + initContainers: + gluetun: + image: + repository: ghcr.io/qdm12/gluetun + tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1 + env: + BLOCK_MALICIOUS: "off" # save 300MB of RAM; https://github.com/qdm12/gluetun/issues/2054 + DOT_IPV6: "on" + FIREWALL_DEBUG: on + FIREWALL_INPUT_PORTS: "80,9999" + HEALTH_SERVER_ADDRESS: ":9999" + HEALTH_VPN_DURATION_INITIAL: 60s + LOG_LEVEL: debug + VPN_INTERFACE: wg0 + VPN_TYPE: wireguard + TZ: America/Los_Angeles + envFrom: + - secretRef: + name: sabnzbd-gluetun-secret + probes: + liveness: + enabled: true + custom: true + spec: + httpGet: + path: / + port: 9999 + initialDelaySeconds: 0 + periodSeconds: 10 + failureThreshold: 3 + startup: + enabled: true + custom: true + spec: + httpGet: + path: / + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + resources: + requests: + memory: 48Mi + limits: + memory: 96Mi + restartPolicy: Always + securityContext: + <<: *securityContext + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: 0 + capabilities: { add: ["NET_ADMIN"] } pod: labels: stealth-gateway: "true" @@ -108,6 +160,14 @@ spec: persistence: config: existingClaim: sabnzbd + empty: + type: emptyDir + sizeLimit: 20Mi + globalMounts: + - path: /gluetun + subPath: gluetun + - path: /tmp + subPath: tmp media: type: nfs server: kaidame.flat 
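Review bot: The gluetun container's `capabilities: { add: ["NET_ADMIN"] }` replaces the whole `capabilities` mapping merged in from `*securityContext` — `<<:` merges shallowly and an explicit key wins — so this container no longer drops ALL and keeps the runtime's default capability set plus NET_ADMIN while running as root. Write `capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] }` so the privileged sidecar keeps only the one capability it needs. `FIREWALL_DEBUG: on` is unquoted while the neighbouring `BLOCK_MALICIOUS: "off"` and `DOT_IPV6: "on"` are quoted; YAML 1.1 loaders read bare `on` as boolean true, which an env value must not be, so make it `FIREWALL_DEBUG: "on"`. The `pod.labels` context still carries `stealth-gateway: "true"` while ks.yaml drops the `stealth-gateway` dependency in this same commit; if that label still selects the pod for the gateway, it now competes with gluetun for the pod's egress and should be removed or the dependency kept — worth confirming, since the label's effect is not visible here.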
@@ -119,5 +179,10 @@ spec: type: emptyDir globalMounts: - path: /config/logs - tmp: + run: type: emptyDir + medium: Memory + sizeLimit: 10Mi + globalMounts: + - path: /run + - path: /var/run diff --git a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml index 9ded3bba..6b74121c 100644 --- a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml +++ b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml @@ -5,6 +5,7 @@ kind: Kustomization resources: - ./externalsecret.yaml - ./helmrelease.yaml - - ./networkpolicy.yaml + - ./networkpolicy.sops.yaml + - ./secret.sops.yaml - ../../../../templates/gatus/guarded - ../../../../templates/volsync diff --git a/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml b/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml new file mode 100644 index 00000000..b840fd06 --- /dev/null +++ b/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml @@ -0,0 +1,26 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: sabnzbd-allow-gluetun + annotations: + future-me-why: allow ingress and egress to gluetun endpoints; also puts pod in deny-by-default mode for egress +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/instance: sabnzbd + egress: + - toCIDR: + - 37.120.132.82/32 + - 37.120.132.90/32 + - 217.138.217.106/32 + - 2a0d:5600:4f:8000:e97d:9761:c3d1:c92f/128 + - 2a0d:5600:8:3d:bf35:b49d:b2c1:8537/128 + - 2a0d:5600:8:3e:b389:fbfa:508a:1eca/128 + ingress: + - fromCIDR: + - 37.120.132.82/32 + - 37.120.132.90/32 + - 217.138.217.106/32 + - 2a0d:5600:4f:8000:e97d:9761:c3d1:c92f/128 + - 2a0d:5600:8:3d:bf35:b49d:b2c1:8537/128 + - 2a0d:5600:8:3e:b389:fbfa:508a:1eca/128 diff --git a/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml b/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml deleted file mode 100644 index 82e67e90..00000000 --- a/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml +++ /dev/null 
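Review bot: With an `ingress:` section present, this CiliumNetworkPolicy puts the pod in default-deny for ingress as well as egress, and the only admitted ingress sources are the six VPN endpoint CIDRs, so anything in-cluster that reaches the sabnzbd UI on port 80 — an ingress/gateway, or the gatus probe pulled in by kustomization.yaml via `templates/gatus/guarded` — would be denied unless another policy allows it; confirm that before merge. The `future-me-why` annotation should then read `allow ingress and egress to gluetun endpoints; also puts pod in deny-by-default mode for both ingress and egress`. The `fromCIDR` ingress rule is presumably meant for WireGuard return traffic, which Cilium's stateful enforcement already admits as replies to the allowed egress flow, so it is likely unnecessary. Egress to the endpoints is unrestricted by port; a `toPorts` entry on the egress rule (`toPorts: [{ ports: [{ port: "<WG_ENDPOINT_PORT>", protocol: UDP }] }]`, with the port taken from the provider config) narrows the allow to what gluetun needs. The `---` document start and quoted `apiVersion` of the deleted networkpolicy.yaml were dropped here; keep `---` for consistency with the rest of the directory.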
@@ -1,14 +0,0 @@ ---- -apiVersion: "cilium.io/v2" -kind: CiliumNetworkPolicy -metadata: - name: "sabnzbd-allow-egress-cluster" - annotations: - future-me-why: "allow egress to cluster for all endpoints, which also puts pod in deny-by-default mode for egress; must use stealth-gateway" -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/instance: sabnzbd - egress: - - toEntities: - - "cluster" diff --git a/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml new file mode 100644 index 00000000..03da7de6 --- /dev/null +++ b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Secret +metadata: + name: sabnzbd-gluetun-secret +type: Opaque +stringData: + SERVER_CITIES: Los Angeles + SERVER_COUNTRIES: United States + VPN_SERVICE_PROVIDER: airvpn + WIREGUARD_ADDRESSES: 10.179.45.218/32,fd7d:76ee:e68f:a993:2e72:6388:a4b3:8103/128 + WIREGUARD_DNS: 10.128.0.1 + WIREGUARD_MTU: "1320" + WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: 15s + WIREGUARD_PRESHARED_KEY: 7eDa23NIyjXF1INH3Hwvc6kWINj57Q5LPcJqQuJHptI= + WIREGUARD_PRIVATE_KEY: kMTK2v13xv/El1YGK49W5bPm78iGoC+vBGuta9ZtfEY= + WIREGUARD_PUBLIC_KEY: PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk= diff --git a/kubernetes/apps/default/sabnzbd/ks.yaml b/kubernetes/apps/default/sabnzbd/ks.yaml index 5dd297d5..5cf3cf01 100644 --- a/kubernetes/apps/default/sabnzbd/ks.yaml +++ b/kubernetes/apps/default/sabnzbd/ks.yaml @@ -12,7 +12,6 @@ spec: app.kubernetes.io/name: *app dependsOn: - name: external-secrets-stores - - name: stealth-gateway - name: volsync path: ./kubernetes/apps/default/sabnzbd/app prune: true
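Review bot: `WIREGUARD_PRIVATE_KEY` and `WIREGUARD_PRESHARED_KEY` are committed in plaintext — the file is named `.sops.yaml` but has no `sops:` metadata block and none of the `stringData` values are `ENC[...]` ciphertext — so this key material is now in git history and must be treated as compromised: regenerate the WireGuard keys/config with the provider and replace the values before this branch goes any further. Encrypt the file with sops so the committed version carries only ciphertext; a creation rule matching `*.sops.yaml` plus a pre-commit check that rejects unencrypted matches would prevent a repeat, because as written Flux would most likely apply the plaintext Secret without complaint and nothing in the pipeline flags it. The same applies to networkpolicy.sops.yaml, which is also unencrypted, though its contents are only endpoint addresses. The non-secret connection parameters (`SERVER_CITIES`, `SERVER_COUNTRIES`, `VPN_SERVICE_PROVIDER`, `WIREGUARD_MTU`, `WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL`) could move to the gluetun container's `env:` block so the Secret holds only the keys and addresses.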