feat(qbittorrent): run gluetun as sidecar

jfroy · Aug 15, 2024 · 490d5ca · 490d5ca
1 parent f250ade
commit 490d5ca
Show file tree

Hide file tree

Showing 7 changed files with 167 additions and 26 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -13,6 +13,11 @@ creation_rules:
     key_groups:
       - age:
           - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t"
+  - path_regex: kubernetes/.*/networkpolicy\.sops\.ya?ml
+    encrypted_regex: "^(egress|ingress)$"
+    key_groups:
+      - age:
+          - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t"
   - path_regex: kubernetes/.*\.sops\.ya?ml
     encrypted_regex: "^(data|stringData|password)$"
     key_groups:

diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
@@ -40,9 +40,9 @@ spec:
               QBT_BitTorrent__Session__AsyncIOThreadsCount: "4"
               QBT_BitTorrent__Session__DefaultSavePath: /media/qbittorrent/complete/default
               QBT_BitTorrent__Session__DisableAutoTMMByDefault: "false"
-              QBT_BitTorrent__Session__Interface: vxlan0
-              QBT_BitTorrent__Session__InterfaceAddress:  0.0.0.0
-              QBT_BitTorrent__Session__InterfaceName: vxlan0
+              QBT_BitTorrent__Session__Interface: wg0
+              QBT_BitTorrent__Session__InterfaceAddress: 0.0.0.0
+              QBT_BitTorrent__Session__InterfaceName: wg0
               QBT_BitTorrent__Session__LSDEnabled: "false"
               QBT_BitTorrent__Session__TempPath: /media/qbittorrent/incomplete
               QBT_BitTorrent__Session__TempPathEnabled: "true"
@@ -82,16 +82,68 @@ spec:
                 cpu: 4
                 memory: 50Gi
         initContainers:
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1
+            env:
+              BLOCK_MALICIOUS: "off"  # save 300MB of RAM; https://github.com/qdm12/gluetun/issues/2054
+              DOT_IPV6: "on"
+              FIREWALL_DEBUG: on
+              FIREWALL_INPUT_PORTS: "80,9999"
+              HEALTH_SERVER_ADDRESS: ":9999"
+              HEALTH_VPN_DURATION_INITIAL: 60s
+              LOG_LEVEL: debug
+              VPN_INTERFACE: wg0
+              VPN_TYPE: wireguard
+              TZ: America/Los_Angeles
+            envFrom:
+              - secretRef:
+                  name: qbittorrent-gluetun-secret
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  failureThreshold: 3
+              startup:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 10
+                  periodSeconds: 10
+                  failureThreshold: 5
+            resources:
+              requests:
+                memory: 48Mi
+              limits:
+                memory: 96Mi
+            restartPolicy: Always
+            securityContext:
+              <<: *securityContext
+              readOnlyRootFilesystem: false
+              runAsNonRoot: false
+              runAsUser: 0
+              capabilities: { add: ["NET_ADMIN"] }
           vuetorrent:
             image:
               repository: ghcr.io/jfroy/vuetorrent
               tag: 2.11.2@sha256:511bf724a11d5e515035992ff9bc9bed237feca08069f336edd12da143939513
             command:
-            - "/bin/sh"
-            - "-c"
-            - "ln -sf /proc/$$$$$$/root/vuetorrent /share/vuetorrent; touch /share/startup; sleep infinity"
+              - "/bin/sh"
+              - "-c"
+              - "ln -sf /proc/$$$$$$/root/vuetorrent /share/vuetorrent; touch /share/startup; sleep infinity"
             probes:
               startup:
+                enabled: true
                 custom: true
                 spec:
                   exec:
@@ -140,15 +192,30 @@ spec:
     persistence:
       config:
         existingClaim: qbittorrent
+      empty:
+        type: emptyDir
+        sizeLimit: 20Mi
+        globalMounts:
+          - path: /gluetun
+            subPath: gluetun
+          - path: /share
+            subPath: share
+          - path: /tmp
+            subPath: tmp
       media:
         type: nfs
         server: kaidame.flat
         path: /mnt/citerne/media
         globalMounts:
           - path: /media/qbittorrent
             subPath: qbittorrent
-      share:
+      run:
         type: emptyDir
+        medium: Memory
+        sizeLimit: 10Mi
+        globalMounts:
+          - path: /run
+          - path: /var/run
   postRenderers:
     - kustomize:
         patches:

diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
-  - ./networkpolicy.yaml
+  - ./networkpolicy.sops.yaml
   - ./secret.sops.yaml
   - ../../../../templates/gatus/guarded
   - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml
@@ -0,0 +1,46 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+    name: qbittorrent-allow-gluetun
+    annotations:
+        future-me-why: allow ingress and egress to gluetun endpoints; also puts pod in deny-by-default mode for egress
+spec:
+    endpointSelector:
+        matchLabels:
+            app.kubernetes.io/instance: qbittorrent
+    egress:
+        - toCIDR:
+            - ENC[AES256_GCM,data:xsfsgKgQt/f3dsZqRI4ppw==,iv:oOYtzeNyKPdj8e9d8gF1Go+5VhHKqdW7zYlXCdW2WPU=,tag:/xxdKZwokEwOt71SUJ4pzA==,type:str]
+            - ENC[AES256_GCM,data:JBYdykm1hOxD4zDDvUUT/Q==,iv:+nl1azgwDmtjMLvNEtrqbpJRfH5aADGa0npJpY7JEf0=,tag:/0gInFQMU3OEDJfy7YXRAw==,type:str]
+            - ENC[AES256_GCM,data:Wr1ymdW7QutGfsgQwoFixflr,iv:svoG79R0egaw1gRdleANg2CrIWszxm+kOV/yR2Ps9aM=,tag:+PJlhn/7YfsdpRY3VZPopw==,type:str]
+            - ENC[AES256_GCM,data:j1yYnbPNjqlCmHHfVO28QUkad08nTYVYK66v+dyCUkaAx16y2E8Vt3M=,iv:1ViZc1WJ6ynwF5KK+K8qGzrmiOIRLFVrxpB2u78VPsQ=,tag:HR6kSkDDHiXFrPb/mBiLeg==,type:str]
+            - ENC[AES256_GCM,data:pwinIowkrDrS7BBwzdU5OCZtuTKun+zS4i1YX0f09tw8ZIZC4JU=,iv:i4tSQJ1saK51hSbwefWHwwxppi9U83qiu3RazOJMSdA=,tag:BjtaMoJYkH5KhLMOvm1jNw==,type:str]
+            - ENC[AES256_GCM,data:qkwuoc6g9caxChUpz+KYoU4a3LXDh4Fak8lMPDwtlI9X0PQndMs=,iv:UP1eJnZD/tq+4JKOMqHhiHNC/yHH0sLuS4plMTLrCEc=,tag:QJr9rzIMBg5VYvl69JHj1Q==,type:str]
+    ingress:
+        - fromCIDR:
+            - ENC[AES256_GCM,data:EV6+034utA4Y6wcFHupv8g==,iv:2x+3WTQMfDQDbJOhg94RUS+5CX/tT9xO3cTyilJrVDM=,tag:EObkMoGVfvcs0rgUvcX1wg==,type:str]
+            - ENC[AES256_GCM,data:cAlulRKfUSRS1gFdp+QCaQ==,iv:iRMt/olmy6Qkac2KvjYj1xS95D65zV/jm5nyFT2Yx80=,tag:R4WpGAbCqv0/BtE2X65+nw==,type:str]
+            - ENC[AES256_GCM,data:9TK+h2mrr3R7jKWp85jmXecc,iv:He0n4Y2BeG1UEYN/joZJVnRsGlq2QPnhEqgsr4jIDVI=,tag:VQF3BhEK330cKsTtSJp20A==,type:str]
+            - ENC[AES256_GCM,data:mFOJsPpHR+dNmUcGGZz3FmVSG+Dwo1V3SDxRzRwg8jd0VqvWLnSbL64=,iv:7Vm8/8osIDcrfyPp/e0WM00BkM9guhGhP95iecHAFzU=,tag:WWNwwn8wMQB+p5iC+Bhrhg==,type:str]
+            - ENC[AES256_GCM,data:DIAlcz03qmLhd0kb+XhJENr4QNM8bkIa12ojJMfMeHLUfYJcRQ0=,iv:yfIyiUkrUzJFGVYdMbmURUYidGIsXLrJdXLYoyq+GkU=,tag:bxj9Ts3JUa6fus1W2F/g3g==,type:str]
+            - ENC[AES256_GCM,data:VsBlsN94838c8KC2/ARqSHL3QdERZgfuZE9yDTqDMX2Cb8g0QdA=,iv:ShsbJQbGsuhBoSpQSY9SC3levIdp7LYhnvOg7tWq43U=,tag:WSOpMP+BAwJz05nBPWLVgg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRE9WbHB2WGhCaTNzYmVD
+            c2xhZmdyNUhYaWZVWVB6aC93K3Q3Wnl1Q3djCmhiQzdvTTNOaVVxWW9jeEZuc3d0
+            T2lteERMWCtUWmhHRk4yQWxaVGhqMTAKLS0tIFJtcldaZWlOTkxPMHQ0NEI4alB0
+            aFY2Y1IyeDVPL3hwMjFlM3RreW0yL3MKXViSZ6vOYKenQ48ONcD2ZOfIvoSpYJZW
+            FkKsPqZUcU4SaVMHSKGjYSQ9ky+KN40aRPdOGNLRBBtq2PRXCjwPgw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-15T05:20:17Z"
+    mac: ENC[AES256_GCM,data:4LDQEFVHOqUpq/5aIKnCJ30YlFWQApuX8Ysj1Kdowc4Z0S5z3R9I4sWe+2iahIB/osW6+ymvjBnCfJ/1k0fH/iGNUiHYDBTDgGeOMeUOy7dhBTUZjsxW76/WHIlJ/9Qe2n/rJbUoC6DmtHhytB9FWdEklDMz3DnuQYbkdO6waWs=,iv:DLt6coTTfTaeo501UBLehlrCn/WH14ZG/P0LpGAZSc0=,tag:97ChD9IOS6Vm7gSqS206Zw==,type:str]
+    pgp: []
+    encrypted_regex: ^(egress|ingress)$
+    version: 3.9.0
diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml
diff --git a/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml b/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml
@@ -20,8 +20,46 @@ sops:
             VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F
             iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-30T06:05:13Z"
-    mac: ENC[AES256_GCM,data:0DPazO1rL5pvdCT/45azTqMOP/AF+JNIvJfD9/c2wRYSTVbrcCeAtqad2RGgCcfAfK125Wy0C+9qzz27iqlZI9oozu93dgaCtLvkPdV9BqfqGe8oJA+gX89jR//9Q0v0+6Aq/78Rl7MB1YDz7cXamgml7EhGzj+MXJC2PI/NlbU=,iv:LV/ULhy1YDTuq6ZYW3I9YRWu4itJXr09c8us1wDckOU=,tag:RMrWMAx2Ex/Dy0ULhm9UhA==,type:str]
+    lastmodified: "2024-08-15T06:04:40Z"
+    mac: ENC[AES256_GCM,data:PNDEd13mDm3I3jwME7X1ILqs+zI9hAH2ng4c87ZFQ7tfu0eusu/3UyDsiSHr6vDRgrOa3MRCYPdECwgvpGiiK/wbsSf8eN3StQpu2SrKa+NwN+iTDPc7irwYKVQg67YudK0SMLvVJ7me4OF4tc2T9LRPkGV29zOHPHud7JF9PTg=,iv:GQFXFcQH7kg6+510AJbO6Ce6xD1EFKcCPHP1K3daXzE=,tag:JuJktbntWRvNW9TPWb52hg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData|password)$
-    version: 3.8.1
+    version: 3.9.0
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: qbittorrent-gluetun-secret
+type: Opaque
+stringData:
+    FIREWALL_VPN_INPUT_PORTS: ENC[AES256_GCM,data:4TNsEN8=,iv:n78Oc3mEldzM7jPcoW/BByF4hEuVHFIMMoI2YCX4Zmw=,tag:SFRzOWvEPXjn1/pq7R1PGA==,type:str]
+    SERVER_CITIES: ENC[AES256_GCM,data:ZKP3QBQo0GEkNXc=,iv:qkEcBLEVZ/e0qctJYuMBMNvJWO+F61xlZ0KBKhX4auU=,tag:hRXCdoPog2MaO3ip8Wj+ng==,type:str]
+    SERVER_COUNTRIES: ENC[AES256_GCM,data:m1CSyYtHHpPQW6/mDw==,iv:TVoRB+UJNawyielU+g9o/+UFIEgMwPR2OwIM/RVZh9Q=,tag:pRuId64OoDC+n3wtx2skYg==,type:str]
+    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:IL6MAzXc,iv:jXS5qpwsOJ4I+u8u+bhKSAbJgEhDeKyCmOgDUiS2Nqc=,tag:rZXjKxgnhz+7v9rnCETraA==,type:str]
+    WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:ZfmT5VDXUMDhxTm2pCGtbHIsEqdY/ZRyrlsKAmYdUPeQv3sN9ELodd7Q+Ubkoj2IAx26NJmImBnP5Vap,iv:rHMS98AOSc4OE/7J/DZoMnd5aOrAKLSvgiJ/8uwOZ6s=,tag:uwo6Po08x7UVuaXhndnIUw==,type:str]
+    WIREGUARD_DNS: ENC[AES256_GCM,data:p7L7YOlEWsbA/w==,iv:9l8Nb4JwD0B4RXBzAAYJZyI+AxmMEEg1p0nb3v4LCN8=,tag:JjiVyL4fbCPXdD+A3ob2LQ==,type:str]
+    WIREGUARD_MTU: ENC[AES256_GCM,data:W6UQjQ==,iv:I/Su+wC7vzC2vjijEObAXNqzi0MB8AWhQVtXPGIOh04=,tag:5FnkWoXXmHLwJ3dpsB7I3w==,type:str]
+    WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: ENC[AES256_GCM,data:Y2Iy,iv:JHuxPM01UBOo+8p/HcVkR25t5xLZf0CEg3TiXpZRPwc=,tag:yoEtoWXwfyriMaWuEFK9Jg==,type:str]
+    WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:fKO+l3yyNjuWBTmVI+HcasUpTuGwCO9+73j0u5PYguZp/QPBNLKECz040P4=,iv:04LosdND2rytuX5mqV6TnoYsUEMDs9bOYd2IhLQnquk=,tag:ubMD9EaY/4ErJpsAHuzyYQ==,type:str]
+    WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:vKrajwrpo8G6UL8UFTCmK2hhnVbvQw5OTVr+l1gCrwwSQioCFjY0NcCJOF4=,iv:T7DlJ82+V2+9ywV9oZ79t2wVyJFYEJuetnEg2Wwu1Lc=,tag:Xd5DVwApllcUTaSgXJ+nCg==,type:str]
+    WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:LlSeS3w3BG9DuD7ez57VpWPcoVABdVK83ZllXwuGMSV9amGE4SVIr5hVfnI=,iv:zQQ3A5ca00sLqAD172k41miMk3unBUrTe33j+jQZd7c=,tag:oe7BFu9FJGV3KOFh4raAPQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT1A5UElsOFNOZFhveFFJ
+            aG5MWmpiS1JPanNrdWp2aEREaXZyWjJXUTJRCmcvcXNZNmZ1ZGs3SU1hN2NRRmNB
+            NTRLbFZVSW5OYlRhemZaWGNpRkRGajQKLS0tIDJ1bGljT1FUWjVBaXg4d2I2a2Za
+            VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F
+            iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-15T06:04:40Z"
+    mac: ENC[AES256_GCM,data:PNDEd13mDm3I3jwME7X1ILqs+zI9hAH2ng4c87ZFQ7tfu0eusu/3UyDsiSHr6vDRgrOa3MRCYPdECwgvpGiiK/wbsSf8eN3StQpu2SrKa+NwN+iTDPc7irwYKVQg67YudK0SMLvVJ7me4OF4tc2T9LRPkGV29zOHPHud7JF9PTg=,iv:GQFXFcQH7kg6+510AJbO6Ce6xD1EFKcCPHP1K3daXzE=,tag:JuJktbntWRvNW9TPWb52hg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData|password)$
+    version: 3.9.0
diff --git a/kubernetes/apps/default/qbittorrent/ks.yaml b/kubernetes/apps/default/qbittorrent/ks.yaml
@@ -12,7 +12,6 @@ spec:
       app.kubernetes.io/name: *app
   dependsOn:
     - name: external-secrets-stores
-    - name: stealth-gateway
     - name: volsync
   path: ./kubernetes/apps/default/qbittorrent/app
   prune: true