From 507449f480b0eab6369201f6ccd3cf772867a37e Mon Sep 17 00:00:00 2001 From: Ultradesu Date: Sun, 6 Apr 2025 18:58:19 +0100 Subject: [PATCH] Added Outfleet VPN --- k8s/apps/vpn/app.yaml | 21 +++ k8s/apps/vpn/external-secrets.yaml | 118 ++++++++++++++ k8s/apps/vpn/kustomization.yaml | 9 ++ k8s/apps/vpn/outfleet.yaml | 88 ++++++++++ k8s/apps/vpn/shadowsocks.yaml | 247 +++++++++++++++++++++++++++++ 5 files changed, 483 insertions(+) create mode 100644 k8s/apps/vpn/app.yaml create mode 100644 k8s/apps/vpn/external-secrets.yaml create mode 100644 k8s/apps/vpn/kustomization.yaml create mode 100644 k8s/apps/vpn/outfleet.yaml create mode 100644 k8s/apps/vpn/shadowsocks.yaml diff --git a/k8s/apps/vpn/app.yaml b/k8s/apps/vpn/app.yaml new file mode 100644 index 0000000..a47e271 --- /dev/null +++ b/k8s/apps/vpn/app.yaml @@ -0,0 +1,21 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vpn + namespace: argocd +spec: + project: homelab + destination: + namespace: vpn + server: https://kubernetes.default.svc + source: + repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git + targetRevision: HEAD + path: k8s/apps/vpn + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true + diff --git a/k8s/apps/vpn/external-secrets.yaml b/k8s/apps/vpn/external-secrets.yaml new file mode 100644 index 0000000..a97b6b5 --- /dev/null +++ b/k8s/apps/vpn/external-secrets.yaml 
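Review bot: `targetRevision: HEAD` in the Application resolves to whatever the remote's default branch happens to be, and with `automated.prune` and `selfHeal` both enabled every push to that branch is applied (and stray objects deleted) in `vpn` with no human gate; pin an explicit branch, e.g. `targetRevision: main`, so the deployed revision is visible in the manifest and a default-branch change on the forge cannot silently retarget the VPN namespace. The namespace is created by `CreateNamespace=true` with no labels, while the workload this Application lands there (shadowsocks.yaml in the same commit) runs with `hostNetwork: true`; consider adding `managedNamespaceMetadata` with at least a `pod-security.kubernetes.io/warn: baseline` label so any future non-privileged workload added to `vpn` is at least checked.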
@@ -0,0 +1,118 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: outfleet-secrets + namespace: vpn +spec: + target: + name: outfleet-secrets + deletionPolicy: Delete + template: + type: Opaque + data: + TIMEZONE: Asia/Nicosia + POSTGRES_DB: outfleet + POSTGRES_HOST: psql.psql.svc + POSTGRES_PORT: "5432" + POSTGRES_USER: outfleet + CELERY_BROKER_URL: "redis://localhost:6379/0" + POSTGRES_PASSWORD: |- + {{ .pg_pass }} + SECRET_KEY: |- + {{ .secret_key }} + EXTERNAL_ADDRESS: |- + {{ .external_address }} + CSRF_TRUSTED_ORIGINS: |- + {{ .external_address }} + data: + - secretKey: external_address + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet + property: fields[1].value + - secretKey: secret_key + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet + property: fields[0].value + - secretKey: pg_pass + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 2a9deb39-ef22-433e-a1be-df1555625e22 # postgers-users + property: fields[1].value + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: outline-config + namespace: vpn +spec: + target: + name: outline-config + deletionPolicy: Delete + template: + type: Opaque + data: + SB_API_PORT: "1285" + SB_CLIENT_PORT: "1257" + SB_API_PREFIX: |- + {{ .api_prefix }} + PROM_USER: |- + {{ .prom_user }} + PROM_PASS: |- + {{ .prom_token }} + shadowbox.crt: |- + {{ .cert }} + shadowbox.key: |- + {{ .key }} + data: + - secretKey: api_prefix + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet + property: fields[2].value + - secretKey: cert + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 
c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert + property: notes + - secretKey: key + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key + property: notes + - secretKey: prom_user + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds + property: login.username + - secretKey: prom_token + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds diff --git a/k8s/apps/vpn/kustomization.yaml b/k8s/apps/vpn/kustomization.yaml new file mode 100644 index 0000000..98c83ea --- /dev/null +++ b/k8s/apps/vpn/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - app.yaml + - external-secrets.yaml + - outfleet.yaml + - shadowsocks.yaml + diff --git a/k8s/apps/vpn/outfleet.yaml b/k8s/apps/vpn/outfleet.yaml new file mode 100644 index 0000000..8f638e2 --- /dev/null +++ b/k8s/apps/vpn/outfleet.yaml 
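Review bot: The `outline-config` ExternalSecret added at the end of this file is declared a second time, same name and namespace, at the top of shadowsocks.yaml in this same commit, and kustomization.yaml lists both files, so `kustomize build` should refuse the duplicate resource id (ExternalSecret `outline-config` in `vpn`) and the Argo sync would fail before anything is applied; keep a single copy. Note also that this copy ends without the `property: login.password` line that the shadowsocks.yaml copy carries for `prom_token`, so even on its own it would not resolve the Prometheus password the way the other one does. Separately, the Vaultwarden lookups address custom fields positionally (`fields[0].value`, `fields[1].value`, `fields[2].value`), so reordering the fields on the `Outfleet` item silently swaps `SECRET_KEY`, `EXTERNAL_ADDRESS` and `SB_API_PREFIX`; a comment next to those `remoteRef`s such as `# Outfleet item: field 0 = SECRET_KEY, 1 = EXTERNAL_ADDRESS, 2 = SB_API_PREFIX` would at least make the coupling visible. `CSRF_TRUSTED_ORIGINS` is filled from the same `external_address` value as `EXTERNAL_ADDRESS`; Django expects that setting to carry a scheme (`https://host`), which cannot be checked from here, so confirm the stored value includes one.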
@@ -0,0 +1,88 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: outfleet + namespace: vpn + labels: + app: outfleet + annotations: + reloader.stakater.com/auto: "true" +spec: + selector: + matchLabels: + app: outfleet + replicas: 1 + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: outfleet + spec: + hostname: outfleet + nodeSelector: + kubernetes.io/hostname: master.tail2fe2d.ts.net + containers: + - name: outfleet-web + image: 'ultradesu/outfleet:v2' + imagePullPolicy: Always + command: ["/bin/sh"] + args: + - "-c" + - | + python ./manage.py makemigrations vpn + python ./manage.py migrate + python ./manage.py create_admin + python ./manage.py runserver 0.0.0.0:8000 + envFrom: + - secretRef: + name: outfleet-secrets + env: + # value: "true" + - name: ALLOWED_HOSTS + # - name: DEBUG + + value: "*" + ports: + - name: http + containerPort: 8000 + protocol: TCP + - name: outfleet-redis + image: 'redis:latest' + ports: + - name: redis + containerPort: 6379 + protocol: TCP + - name: outfleet-celery-worker + image: 'ultradesu/outfleet:v2' + envFrom: + - secretRef: + name: outfleet-secrets + command: + - celery + - -A + - mysite + - worker + - --loglevel=INFO + - name: outfleet-celery-beat + image: 'ultradesu/outfleet:v2' + command: + - celery + - -A + - mysite + - beat + - --loglevel=INFO +--- +apiVersion: v1 +kind: Service +metadata: + name: outfleet + namespace: vpn +spec: + selector: + app: outfleet + ports: + - protocol: TCP + port: 80 + targetPort: 8000 diff --git a/k8s/apps/vpn/shadowsocks.yaml b/k8s/apps/vpn/shadowsocks.yaml new file mode 100644 index 0000000..2d5e565 --- /dev/null +++ b/k8s/apps/vpn/shadowsocks.yaml 
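Review bot: `ALLOWED_HOSTS` is set to `"*"` for the Django web container, which disables Host-header validation for every request reaching port 8000, while the intended public host is already available in `outfleet-secrets` as `EXTERNAL_ADDRESS`; restrict it to that host (and, if the image accepts a list, the in-cluster name `outfleet.vpn.svc`) rather than the wildcard. The container also serves with `python ./manage.py runserver 0.0.0.0:8000`, Django's development server, and runs `makemigrations` on every start; a WSGI/ASGI server and migrations generated at image build time are the usual production shape, though whether the image ships such a server is not visible here. The `outfleet-celery-beat` container is the only app container without `envFrom: [secretRef: outfleet-secrets]`, so unlike the worker it does not receive `CELERY_BROKER_URL` or the Postgres settings; that looks like an omission unless beat's configuration is baked into the image. None of the four containers set `resources` or a `securityContext`, and `redis:latest` plus `imagePullPolicy: Always` on the mutable `v2` tag means what runs after a restart is whatever the registry holds at that moment.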
@@ -0,0 +1,247 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: outline-config + namespace: vpn +spec: + target: + name: outline-config + deletionPolicy: Delete + template: + type: Opaque + data: + SB_API_PORT: "1285" + SB_CLIENT_PORT: "1257" + SB_API_PREFIX: |- + {{ .api_prefix }} + PROM_USER: |- + {{ .prom_user }} + PROM_PASS: |- + {{ .prom_token }} + shadowbox.crt: |- + {{ .cert }} + shadowbox.key: |- + {{ .key }} + data: + - secretKey: api_prefix + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet + property: fields[2].value + - secretKey: cert + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert + property: notes + - secretKey: key + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key + property: notes + - secretKey: prom_user + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds + property: login.username + - secretKey: prom_token + sourceRef: + storeRef: + name: vaultwarden-login + kind: ClusterSecretStore + remoteRef: + key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds + property: login.password +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: shadowbox-prometheus-config + namespace: vpn +data: + config.yml: | + global: + scrape_interval: 1m + remote_write: + - url: "https://prom.hexor.cy/api/v1/write" + basic_auth: + username: "_PROM_USER_" + password: "_PROM_PASS_" + scrape_configs: + - job_name: outline_vpn + static_configs: + - targets: + - '127.0.0.1:9092' + relabel_configs: + - source_labels: [__address__] + target_label: instance + replacement: "_HOSTNAME_" + - target_label: k8s_app + replacement: true + +--- 
+apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: shadowbox + namespace: vpn + annotations: + reloader.stakater.com/auto: "true" +spec: + selector: + matchLabels: + app: shadowbox + template: + metadata: + labels: + app: shadowbox + spec: + hostNetwork: true + initContainers: + - name: cert-generator + image: finalgene/openssh:latest + command: ["/bin/sh", "-c"] + args: + - | + openssl x509 -noout -fingerprint -sha256 -inform pem -in /certs/shadowbox.crt | sed "s/://g" | sed 's/.*=//' > /cache/certSha256 ; + volumeMounts: + - name: cert-volume + mountPath: /certs + - name: server-config-volume + mountPath: /cache + - name: get-external-ip + image: curlimages/curl:latest + command: ["/bin/sh", "-c"] + args: + - | + IP=$(curl -s -4 ifconfig.io); + echo "External IP is: $IP"; + echo $IP > /cache/external_ip; + volumeMounts: + - name: server-config-volume + mountPath: /cache + - name: manager-config-json + image: busybox + command: ["/bin/sh", "-c"] + env: + - name: SB_API_PREFIX + valueFrom: + secretKeyRef: + name: outline-config + key: SB_API_PREFIX + - name: SB_API_PORT + valueFrom: + secretKeyRef: + name: outline-config + key: SB_API_PORT + args: + - | + OUTLINE_HOSTNAME=$(cat /cache/external_ip); + CERT_SHA256=$(cat /cache/certSha256); + echo "{ + \"apiUrl\": \"https://$OUTLINE_HOSTNAME:$SB_API_PORT/$SB_API_PREFIX\", + \"certSha256\": \"$CERT_SHA256\" + }" + volumeMounts: + - name: server-config-volume + mountPath: /cache + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: outline-server + operator: Exists + containers: + - name: prom + image: prom/prometheus + command: ["/bin/sh", "-c"] + env: + - name: PROM_USER + valueFrom: + secretKeyRef: + name: outline-config + key: PROM_USER + - name: PROM_PASS + valueFrom: + secretKeyRef: + name: outline-config + key: PROM_PASS + args: + - | + cat /prometheus/config.yml | sed -e "s/_HOSTNAME_/${HOSTNAME}/g" -e 
"s/_PROM_PASS_/${PROM_PASS}/g" -e "s/_PROM_USER_/${PROM_USER}/g" > /prometheus/real_config.yml && + exec prometheus --config.file=/prometheus/real_config.yml --log.level=info --web.enable-lifecycle --web.enable-admin-api --web.listen-address=127.0.0.1:3478 + volumeMounts: + - name: prometheus-config-volume + mountPath: /prometheus/config.yml + subPath: config.yml + - name: shadowbox + image: ultradesu/shadowbox:latest + ports: + - containerPort: 1257 + protocol: TCP + - containerPort: 1285 + protocol: TCP + env: + - name: SB_API_PREFIX + valueFrom: + secretKeyRef: + name: outline-config + key: SB_API_PREFIX + - name: SB_API_PORT + valueFrom: + secretKeyRef: + name: outline-config + key: SB_API_PORT + - name: SB_CLIENT_PORT + valueFrom: + secretKeyRef: + name: outline-config + key: SB_CLIENT_PORT + - name: SB_CERTIFICATE_FILE + value: /certs/shadowbox.crt + - name: SB_PRIVATE_KEY_FILE + value: /certs/shadowbox.key + lifecycle: + postStart: + exec: + command: + - /bin/sh + - "-c" + - >- + OUTLINE_HOSTNAME=$(cat /cache/external_ip); echo '{"rollouts":[{"id":"single-port","enabled":true}],"portForNewAccessKeys":1257,"hostname":"'"$OUTLINE_HOSTNAME"'"}' > /root/shadowbox/persisted-state/shadowbox_server_config.json; + volumeMounts: + - name: server-config-volume + mountPath: /opt/outline + - name: server-config-volume + mountPath: /root/shadowbox/persisted-state + - name: server-config-volume + mountPath: /cache + - name: cert-volume + mountPath: /certs/ + volumes: + - name: server-config-volume + emptyDir: {} + - name: cert-volume + secret: + secretName: outline-config + items: + - key: shadowbox.crt + path: shadowbox.crt + - key: shadowbox.key + path: shadowbox.key + - name: prometheus-config-volume + configMap: + name: shadowbox-prometheus-config +
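Review bot: The `manager-config-json` init container assembles the Outline manager JSON — the `apiUrl` containing the secret `SB_API_PREFIX` plus `certSha256`, which as far as I can tell is all a management client needs to administer the server — and `echo`es it to stdout rather than to the mounted `/cache`, so it lands in the init container's logs and is readable by anyone with `pods/log` in `vpn` for the life of the pod; if this is intended as the way to copy the config out, say so in a comment, otherwise write it to the shared volume instead, `} > /cache/manager_config.json`, and fetch it from there. The `get-external-ip` init container obtains the address with `curl -s -4 ifconfig.io` — plain HTTP, no `-f`, no validation — and that string is then interpolated into `apiUrl` and written as `hostname` in `shadowbox_server_config.json`, so a failed request yields an empty hostname and an on-path reply could substitute any value; use `curl -sf -4 https://ifconfig.io` and check the result is an IPv4 dotted quad before writing it. Because the DaemonSet runs with `hostNetwork: true`, the Prometheus sidecar's `--web.listen-address=127.0.0.1:3478` is the node's loopback rather than a pod-private one, so `--web.enable-admin-api` and `--web.enable-lifecycle` expose unauthenticated series deletion and config reload to every process and host-networked pod on that node; drop both flags unless something visibly uses them. The shadowbox `persisted-state` directory is backed by the same `emptyDir` as the scratch cache, so Outline's server state is lost on every pod restart; if that is deliberate (Outfleet re-provisions keys) a comment on the volume saying so would help the next reader.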