diff --git a/.sops.yaml b/.sops.yaml index d016818bf..bae1cf487 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -13,6 +13,11 @@ creation_rules: key_groups: - age: - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t" + - path_regex: kubernetes/.*/networkpolicy\.sops\.ya?ml + encrypted_regex: "^(egress|ingress)$" + key_groups: + - age: + - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t" - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData|password)$" key_groups: diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml index 689e15120..3e284d458 100644 --- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml @@ -40,9 +40,9 @@ spec: QBT_BitTorrent__Session__AsyncIOThreadsCount: "4" QBT_BitTorrent__Session__DefaultSavePath: /media/qbittorrent/complete/default QBT_BitTorrent__Session__DisableAutoTMMByDefault: "false" - QBT_BitTorrent__Session__Interface: vxlan0 + QBT_BitTorrent__Session__Interface: wg0 QBT_BitTorrent__Session__InterfaceAddress: 0.0.0.0 - QBT_BitTorrent__Session__InterfaceName: vxlan0 + QBT_BitTorrent__Session__InterfaceName: wg0 QBT_BitTorrent__Session__LSDEnabled: "false" QBT_BitTorrent__Session__TempPath: /media/qbittorrent/incomplete QBT_BitTorrent__Session__TempPathEnabled: "true" 
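Review bot: The new `networkpolicy.sops.yaml` creation rule only works because it sits above the generic `kubernetes/.*\.sops\.ya?ml` rule; sops uses the first `path_regex` that matches, so if the two are ever reordered the policy file would silently be re-encrypted with `^(data|stringData|password)$` and its `egress`/`ingress` CIDRs would land in git in plaintext. Pin that ordering with a comment on the new rule, e.g. `# keep above the generic kubernetes/*.sops rule: sops takes the first matching path_regex`. It is also worth stating in that comment which keys are deliberately left cleartext (`metadata`, `endpointSelector`), so a later edit that adds sensitive selectors knows they are not covered.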
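Review bot: `QBT_BitTorrent__Session__Interface` and `InterfaceName` are now `wg0`, which has to stay in lockstep with `VPN_INTERFACE: wg0` on the gluetun init container added later in this file; nothing ties the two together, and binding qBittorrent to the tunnel interface is the leak guard this change relies on. Add a cross-reference on both values, e.g. `# must match VPN_INTERFACE on the gluetun init container (see initContainers below)`, so a future interface rename cannot update one side only. `InterfaceAddress: 0.0.0.0` is fine as long as the interface binding is present; note the enclosing `env:` mapping starts outside this hunk.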
@@ -82,6 +82,46 @@ spec: cpu: 4 memory: 50Gi initContainers: + gluetun: + image: + repository: ghcr.io/qdm12/gluetun + tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1 + env: + FIREWALL_DEBUG: on + HEALTH_VPN_DURATION_INITIAL: 1m + LOG_LEVEL: debug + VPN_INTERFACE: wg0 + VPN_TYPE: wireguard + TZ: America/Los_Angeles + envFrom: + - secretRef: + name: qbittorrent-gluetun-secret + probes: + # liveness: + # custom: true + # spec: + # httpGet: + # path: / + # port: 9999 + # initialDelaySeconds: 0 + # periodSeconds: 10 + # failureThreshold: 3 + startup: + custom: true + spec: + httpGet: + path: / + port: 9999 + initialDelaySeconds: 60 + periodSeconds: 10 + failureThreshold: 6 + restartPolicy: Always + securityContext: + <<: *securityContext + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: 0 + capabilities: { add: ["NET_ADMIN"] } vuetorrent: image: repository: ghcr.io/jfroy/vuetorrent @@ -140,6 +180,16 @@ spec: persistence: config: existingClaim: qbittorrent + empty: + type: emptyDir + sizeLimit: 20Mi + globalMounts: + - path: /gluetun + subPath: gluetun + - path: /share + subPath: share + - path: /tmp + subPath: tmp media: type: nfs server: kaidame.flat @@ -147,8 +197,13 @@ spec: globalMounts: - path: /media/qbittorrent subPath: qbittorrent - share: + run: type: emptyDir + medium: Memory + sizeLimit: 10Mi + globalMounts: + - path: /run + - path: /var/run postRenderers: - kustomize: patches: diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml index ae3c51676..3144b19a6 100644 --- a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml +++ b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml 
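Review bot: `capabilities: { add: ["NET_ADMIN"] }` replaces the whole `capabilities` map inherited through `<<: *securityContext`, because merge keys are shallow; if that anchor (defined outside this hunk) carries `drop: ["ALL"]`, this sidecar silently keeps every default capability plus `NET_ADMIN` rather than only `NET_ADMIN`, so spell it out: `capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] }`. `FIREWALL_DEBUG: on` is an unquoted YAML 1.1 boolean and may render as `true` rather than the string `on`; write `FIREWALL_DEBUG: "on"`, and consider whether `LOG_LEVEL: debug` is bring-up verbosity that should be dialled back once the tunnel is stable. With the liveness probe commented out, a tunnel that fails after the startup probe passes is only recovered if the gluetun process itself exits; if that is intentional, say so in the comment above the disabled probe.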
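Review bot: The 20Mi `sizeLimit` on the `empty` emptyDir is shared across the `/gluetun`, `/share` and `/tmp` subPath mounts, and exceeding an emptyDir sizeLimit is enforced by kubelet eviction of the whole pod rather than an ENOSPC to the writer, so a large temp file from qBittorrent takes the VPN sidecar down with it. Either raise the limit or move `/tmp` to its own volume, and note the behaviour next to it: `# sizeLimit overflow evicts the pod; keep /tmp writes small or split it out`.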
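Review bot: `medium: Memory` emptyDir usage is charged against the container's memory limit, so the 10Mi `/run` volume is effectively part of the `memory: 50Gi` budget; that is fine here but worth a one-line comment so it is not forgotten when limits are tuned. Mounting the same volume at both `/run` and `/var/run` is redundant in images where `/var/run` is a symlink to `/run` (presumably the case for the gluetun and qBittorrent images; confirm), and a volume mounted over a symlink path can behave differently across runtimes — keep only `/run` if the symlink exists.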
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml - - ./networkpolicy.yaml + - ./networkpolicy.sops.yaml - ./secret.sops.yaml - ../../../../templates/gatus/guarded - ../../../../templates/volsync diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml new file mode 100644 index 000000000..8f13bb6e4 --- /dev/null +++ b/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml 
@@ -0,0 +1,46 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: qbittorrent-allow-gluetun + annotations: + future-me-why: allow ingress and egress to gluetun endpoints, which also puts pod in deny-by-default mode for egress +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/instance: qbittorrent + egress: + - toCIDR: + - ENC[AES256_GCM,data:xsfsgKgQt/f3dsZqRI4ppw==,iv:oOYtzeNyKPdj8e9d8gF1Go+5VhHKqdW7zYlXCdW2WPU=,tag:/xxdKZwokEwOt71SUJ4pzA==,type:str] + - ENC[AES256_GCM,data:JBYdykm1hOxD4zDDvUUT/Q==,iv:+nl1azgwDmtjMLvNEtrqbpJRfH5aADGa0npJpY7JEf0=,tag:/0gInFQMU3OEDJfy7YXRAw==,type:str] + - ENC[AES256_GCM,data:Wr1ymdW7QutGfsgQwoFixflr,iv:svoG79R0egaw1gRdleANg2CrIWszxm+kOV/yR2Ps9aM=,tag:+PJlhn/7YfsdpRY3VZPopw==,type:str] + - ENC[AES256_GCM,data:j1yYnbPNjqlCmHHfVO28QUkad08nTYVYK66v+dyCUkaAx16y2E8Vt3M=,iv:1ViZc1WJ6ynwF5KK+K8qGzrmiOIRLFVrxpB2u78VPsQ=,tag:HR6kSkDDHiXFrPb/mBiLeg==,type:str] + - ENC[AES256_GCM,data:pwinIowkrDrS7BBwzdU5OCZtuTKun+zS4i1YX0f09tw8ZIZC4JU=,iv:i4tSQJ1saK51hSbwefWHwwxppi9U83qiu3RazOJMSdA=,tag:BjtaMoJYkH5KhLMOvm1jNw==,type:str] + - ENC[AES256_GCM,data:qkwuoc6g9caxChUpz+KYoU4a3LXDh4Fak8lMPDwtlI9X0PQndMs=,iv:UP1eJnZD/tq+4JKOMqHhiHNC/yHH0sLuS4plMTLrCEc=,tag:QJr9rzIMBg5VYvl69JHj1Q==,type:str] + ingress: + - fromCIDR: + - ENC[AES256_GCM,data:EV6+034utA4Y6wcFHupv8g==,iv:2x+3WTQMfDQDbJOhg94RUS+5CX/tT9xO3cTyilJrVDM=,tag:EObkMoGVfvcs0rgUvcX1wg==,type:str] + - ENC[AES256_GCM,data:cAlulRKfUSRS1gFdp+QCaQ==,iv:iRMt/olmy6Qkac2KvjYj1xS95D65zV/jm5nyFT2Yx80=,tag:R4WpGAbCqv0/BtE2X65+nw==,type:str] + - ENC[AES256_GCM,data:9TK+h2mrr3R7jKWp85jmXecc,iv:He0n4Y2BeG1UEYN/joZJVnRsGlq2QPnhEqgsr4jIDVI=,tag:VQF3BhEK330cKsTtSJp20A==,type:str] + - ENC[AES256_GCM,data:mFOJsPpHR+dNmUcGGZz3FmVSG+Dwo1V3SDxRzRwg8jd0VqvWLnSbL64=,iv:7Vm8/8osIDcrfyPp/e0WM00BkM9guhGhP95iecHAFzU=,tag:WWNwwn8wMQB+p5iC+Bhrhg==,type:str] + - 
ENC[AES256_GCM,data:DIAlcz03qmLhd0kb+XhJENr4QNM8bkIa12ojJMfMeHLUfYJcRQ0=,iv:yfIyiUkrUzJFGVYdMbmURUYidGIsXLrJdXLYoyq+GkU=,tag:bxj9Ts3JUa6fus1W2F/g3g==,type:str] + - ENC[AES256_GCM,data:VsBlsN94838c8KC2/ARqSHL3QdERZgfuZE9yDTqDMX2Cb8g0QdA=,iv:ShsbJQbGsuhBoSpQSY9SC3levIdp7LYhnvOg7tWq43U=,tag:WSOpMP+BAwJz05nBPWLVgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRE9WbHB2WGhCaTNzYmVD + c2xhZmdyNUhYaWZVWVB6aC93K3Q3Wnl1Q3djCmhiQzdvTTNOaVVxWW9jeEZuc3d0 + T2lteERMWCtUWmhHRk4yQWxaVGhqMTAKLS0tIFJtcldaZWlOTkxPMHQ0NEI4alB0 + aFY2Y1IyeDVPL3hwMjFlM3RreW0yL3MKXViSZ6vOYKenQ48ONcD2ZOfIvoSpYJZW + FkKsPqZUcU4SaVMHSKGjYSQ9ky+KN40aRPdOGNLRBBtq2PRXCjwPgw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-14T21:26:58Z" + mac: ENC[AES256_GCM,data:EqXO1Qzzl0DKtcaHh3NO9ZqcD7Oqj/6F42C+41p3GM6egYBW25Dh28a0j0Fvm6+sGZP9ZEu4zhYJSW1Rdfa6ImgfPp9D/dk3MhbHD3kxVW9lPdt9pX4LSiODfU/ht04OFDS+ovmUPC+adkPgqHCfgDDRG7Ief1lBXC4Xleq9MaU=,iv:gyTqxzlkSHp6wlDjqDGX59sws/YByi9nedi2rg7ua3g=,tag:sMqVSxThCi+NbnDhR3x89A==,type:str] + pgp: [] + encrypted_regex: ^(egress|ingress)$ + version: 3.9.0 diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml deleted file mode 100644 index a1dd95384..000000000 --- a/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: "cilium.io/v2" -kind: CiliumNetworkPolicy -metadata: - name: "qbittorrent-allow-egress-cluster" - annotations: - future-me-why: "allow egress to cluster for all endpoints, which also puts pod in deny-by-default mode for egress; must use stealth-gateway" -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/instance: qbittorrent - egress: - - toEntities: - - "cluster" 
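Review bot: Adding an `ingress:` section puts the qbittorrent endpoint into ingress default-deny under Cilium, not only egress as the `future-me-why` annotation states; anything not inside the encrypted `fromCIDR` list — the WebUI path from the ingress controller and the gatus probe pulled in via `templates/gatus/guarded` in this directory's kustomization — is now dropped unless those sources are covered. Verify that, and update the annotation to say `allow ingress and egress only to the VPN endpoints, which puts the pod in deny-by-default mode for BOTH ingress and egress`. Dropping the old `toEntities: cluster` rule also removes cluster DNS egress; gluetun should resolve over the tunnel via `WIREGUARD_DNS`, but check nothing else in the pod needs kube-dns. Finally, sops only protects these CIDRs in git: once Flux applies the policy, they are plaintext in the API for anyone who can read `ciliumnetworkpolicies`, so the encryption is not a substitute for RBAC on that resource.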
diff --git a/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml b/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml index 92ab0992e..80740cf7f 100644 --- a/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml +++ b/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml 
@@ -20,8 +20,45 @@ sops: VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-30T06:05:13Z" - mac: ENC[AES256_GCM,data:0DPazO1rL5pvdCT/45azTqMOP/AF+JNIvJfD9/c2wRYSTVbrcCeAtqad2RGgCcfAfK125Wy0C+9qzz27iqlZI9oozu93dgaCtLvkPdV9BqfqGe8oJA+gX89jR//9Q0v0+6Aq/78Rl7MB1YDz7cXamgml7EhGzj+MXJC2PI/NlbU=,iv:LV/ULhy1YDTuq6ZYW3I9YRWu4itJXr09c8us1wDckOU=,tag:RMrWMAx2Ex/Dy0ULhm9UhA==,type:str] + lastmodified: "2024-08-15T04:02:26Z" + mac: ENC[AES256_GCM,data:P9OOw40HFEn9nrJgG9eiDckOygFvhijlRZYq65zOR2oMgty8xZ+wa5VKALSh1JrLjOKZm5RHbhIHWJX81qKW7SrU7HGPPKkmW4P17trdSboPuBi+vixU8aOUEAxQ1RkXBcATIIJ4UH0RR7PekgYg5vHL/E9gQZz2rKoR+tgsdU8=,iv:PPsW08Wm4qmjOM+k8pp2JOrWweblP0HiSU7BH6ixZbM=,tag:sE5JjFQSFH88gMXFRCD3uQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData|password)$ - version: 3.8.1 + version: 3.9.0 +--- +apiVersion: v1 +kind: Secret +metadata: + name: qbittorrent-gluetun-secret +type: Opaque +stringData: + FIREWALL_VPN_INPUT_PORTS: ENC[AES256_GCM,data:4TNsEN8=,iv:n78Oc3mEldzM7jPcoW/BByF4hEuVHFIMMoI2YCX4Zmw=,tag:SFRzOWvEPXjn1/pq7R1PGA==,type:str] + SERVER_CITIES: ENC[AES256_GCM,data:ZKP3QBQo0GEkNXc=,iv:qkEcBLEVZ/e0qctJYuMBMNvJWO+F61xlZ0KBKhX4auU=,tag:hRXCdoPog2MaO3ip8Wj+ng==,type:str] + SERVER_COUNTRIES: ENC[AES256_GCM,data:m1CSyYtHHpPQW6/mDw==,iv:TVoRB+UJNawyielU+g9o/+UFIEgMwPR2OwIM/RVZh9Q=,tag:pRuId64OoDC+n3wtx2skYg==,type:str] + VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:IL6MAzXc,iv:jXS5qpwsOJ4I+u8u+bhKSAbJgEhDeKyCmOgDUiS2Nqc=,tag:rZXjKxgnhz+7v9rnCETraA==,type:str] + WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:ZfmT5VDXUMDhxTm2pCGtbHIsEqdY/ZRyrlsKAmYdUPeQv3sN9ELodd7Q+Ubkoj2IAx26NJmImBnP5Vap,iv:rHMS98AOSc4OE/7J/DZoMnd5aOrAKLSvgiJ/8uwOZ6s=,tag:uwo6Po08x7UVuaXhndnIUw==,type:str] + WIREGUARD_DNS: ENC[AES256_GCM,data:p7L7YOlEWsbA/w==,iv:9l8Nb4JwD0B4RXBzAAYJZyI+AxmMEEg1p0nb3v4LCN8=,tag:JjiVyL4fbCPXdD+A3ob2LQ==,type:str] + WIREGUARD_MTU: 
ENC[AES256_GCM,data:W6UQjQ==,iv:I/Su+wC7vzC2vjijEObAXNqzi0MB8AWhQVtXPGIOh04=,tag:5FnkWoXXmHLwJ3dpsB7I3w==,type:str] + WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:fKO+l3yyNjuWBTmVI+HcasUpTuGwCO9+73j0u5PYguZp/QPBNLKECz040P4=,iv:04LosdND2rytuX5mqV6TnoYsUEMDs9bOYd2IhLQnquk=,tag:ubMD9EaY/4ErJpsAHuzyYQ==,type:str] + WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:vKrajwrpo8G6UL8UFTCmK2hhnVbvQw5OTVr+l1gCrwwSQioCFjY0NcCJOF4=,iv:T7DlJ82+V2+9ywV9oZ79t2wVyJFYEJuetnEg2Wwu1Lc=,tag:Xd5DVwApllcUTaSgXJ+nCg==,type:str] + WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:LlSeS3w3BG9DuD7ez57VpWPcoVABdVK83ZllXwuGMSV9amGE4SVIr5hVfnI=,iv:zQQ3A5ca00sLqAD172k41miMk3unBUrTe33j+jQZd7c=,tag:oe7BFu9FJGV3KOFh4raAPQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT1A5UElsOFNOZFhveFFJ + aG5MWmpiS1JPanNrdWp2aEREaXZyWjJXUTJRCmcvcXNZNmZ1ZGs3SU1hN2NRRmNB + NTRLbFZVSW5OYlRhemZaWGNpRkRGajQKLS0tIDJ1bGljT1FUWjVBaXg4d2I2a2Za + VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F + iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-15T04:02:26Z" + mac: ENC[AES256_GCM,data:P9OOw40HFEn9nrJgG9eiDckOygFvhijlRZYq65zOR2oMgty8xZ+wa5VKALSh1JrLjOKZm5RHbhIHWJX81qKW7SrU7HGPPKkmW4P17trdSboPuBi+vixU8aOUEAxQ1RkXBcATIIJ4UH0RR7PekgYg5vHL/E9gQZz2rKoR+tgsdU8=,iv:PPsW08Wm4qmjOM+k8pp2JOrWweblP0HiSU7BH6ixZbM=,tag:sE5JjFQSFH88gMXFRCD3uQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData|password)$ + version: 3.9.0 diff --git a/kubernetes/apps/default/qbittorrent/ks.yaml b/kubernetes/apps/default/qbittorrent/ks.yaml index 381b1995a..aba3dcecc 100644 --- a/kubernetes/apps/default/qbittorrent/ks.yaml +++ b/kubernetes/apps/default/qbittorrent/ks.yaml 
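Review bot: `WIREGUARD_PRIVATE_KEY` and `WIREGUARD_PRESHARED_KEY` are consumed through `envFrom` on the gluetun container, which places the key material in the process environment where it is readable from `/proc/<pid>/environ` by anything running in that container (root, per the `runAsUser: 0` above) and tends to leak into debug dumps. If gluetun supports file-based secret input (check its docs for a `*_SECRETFILE` style option), mount this Secret as a volume and keep only the non-sensitive tuning values (`SERVER_CITIES`, `SERVER_COUNTRIES`, `WIREGUARD_MTU`, `FIREWALL_VPN_INPUT_PORTS`) in env. Either way, add `# private/preshared keys: rotate with the provider, not just re-encrypt` above the Secret so a key exposure is handled as a rotation rather than a sops re-run.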
@@ -12,7 +12,6 @@ spec: app.kubernetes.io/name: *app dependsOn: - name: external-secrets-stores - - name: stealth-gateway - name: volsync path: ./kubernetes/apps/default/qbittorrent/app prune: true