Added Outfleet VPN

This commit is contained in:
Ultradesu
2025-04-06 18:58:19 +01:00
parent ee56b3d4de
commit 507449f480
5 changed files with 483 additions and 0 deletions


@ -0,0 +1,247 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-config
namespace: vpn
spec:
target:
name: outline-config
deletionPolicy: Delete
template:
type: Opaque
data:
SB_API_PORT: "1285"
SB_CLIENT_PORT: "1257"
SB_API_PREFIX: |-
{{ .api_prefix }}
PROM_USER: |-
{{ .prom_user }}
PROM_PASS: |-
{{ .prom_token }}
shadowbox.crt: |-
{{ .cert }}
shadowbox.key: |-
{{ .key }}
data:
- secretKey: api_prefix
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
property: fields[2].value
- secretKey: cert
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert
property: notes
- secretKey: key
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key
property: notes
- secretKey: prom_user
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
property: login.username
- secretKey: prom_token
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
property: login.password
---
apiVersion: v1
kind: ConfigMap
metadata:
name: shadowbox-prometheus-config
namespace: vpn
data:
config.yml: |
global:
scrape_interval: 1m
remote_write:
- url: "https://prom.hexor.cy/api/v1/write"
basic_auth:
username: "_PROM_USER_"
password: "_PROM_PASS_"
scrape_configs:
- job_name: outline_vpn
static_configs:
- targets:
- '127.0.0.1:9092'
relabel_configs:
- source_labels: [__address__]
target_label: instance
replacement: "_HOSTNAME_"
- target_label: k8s_app
replacement: true
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: shadowbox
namespace: vpn
annotations:
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: shadowbox
template:
metadata:
labels:
app: shadowbox
spec:
hostNetwork: true
initContainers:
- name: cert-generator
image: finalgene/openssh:latest
command: ["/bin/sh", "-c"]
args:
- |
openssl x509 -noout -fingerprint -sha256 -inform pem -in /certs/shadowbox.crt | sed "s/://g" | sed 's/.*=//' > /cache/certSha256 ;
volumeMounts:
- name: cert-volume
mountPath: /certs
- name: server-config-volume
mountPath: /cache
- name: get-external-ip
image: curlimages/curl:latest
command: ["/bin/sh", "-c"]
args:
- |
IP=$(curl -s -4 ifconfig.io);
echo "External IP is: $IP";
echo $IP > /cache/external_ip;
volumeMounts:
- name: server-config-volume
mountPath: /cache
- name: manager-config-json
image: busybox
command: ["/bin/sh", "-c"]
env:
- name: SB_API_PREFIX
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PREFIX
- name: SB_API_PORT
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PORT
args:
- |
OUTLINE_HOSTNAME=$(cat /cache/external_ip);
CERT_SHA256=$(cat /cache/certSha256);
echo "{
\"apiUrl\": \"https://$OUTLINE_HOSTNAME:$SB_API_PORT/$SB_API_PREFIX\",
\"certSha256\": \"$CERT_SHA256\"
}"
volumeMounts:
- name: server-config-volume
mountPath: /cache
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: outline-server
operator: Exists
containers:
- name: prom
image: prom/prometheus
command: ["/bin/sh", "-c"]
env:
- name: PROM_USER
valueFrom:
secretKeyRef:
name: outline-config
key: PROM_USER
- name: PROM_PASS
valueFrom:
secretKeyRef:
name: outline-config
key: PROM_PASS
args:
- |
cat /prometheus/config.yml | sed -e "s/_HOSTNAME_/${HOSTNAME}/g" -e "s/_PROM_PASS_/${PROM_PASS}/g" -e "s/_PROM_USER_/${PROM_USER}/g" > /prometheus/real_config.yml &&
exec prometheus --config.file=/prometheus/real_config.yml --log.level=info --web.enable-lifecycle --web.enable-admin-api --web.listen-address=127.0.0.1:3478
volumeMounts:
- name: prometheus-config-volume
mountPath: /prometheus/config.yml
subPath: config.yml
- name: shadowbox
image: ultradesu/shadowbox:latest
ports:
- containerPort: 1257
protocol: TCP
- containerPort: 1285
protocol: TCP
env:
- name: SB_API_PREFIX
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PREFIX
- name: SB_API_PORT
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PORT
- name: SB_CLIENT_PORT
valueFrom:
secretKeyRef:
name: outline-config
key: SB_CLIENT_PORT
- name: SB_CERTIFICATE_FILE
value: /certs/shadowbox.crt
- name: SB_PRIVATE_KEY_FILE
value: /certs/shadowbox.key
lifecycle:
postStart:
exec:
command:
- /bin/sh
- "-c"
- >-
OUTLINE_HOSTNAME=$(cat /cache/external_ip); echo '{"rollouts":[{"id":"single-port","enabled":true}],"portForNewAccessKeys":1257,"hostname":"'"$OUTLINE_HOSTNAME"'"}' > /root/shadowbox/persisted-state/shadowbox_server_config.json;
volumeMounts:
- name: server-config-volume
mountPath: /opt/outline
- name: server-config-volume
mountPath: /root/shadowbox/persisted-state
- name: server-config-volume
mountPath: /cache
- name: cert-volume
mountPath: /certs/
volumes:
- name: server-config-volume
emptyDir: {}
- name: cert-volume
secret:
secretName: outline-config
items:
- key: shadowbox.crt
path: shadowbox.crt
- key: shadowbox.key
path: shadowbox.key
- name: prometheus-config-volume
configMap:
name: shadowbox-prometheus-config
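Review bot: The prom container starts Prometheus with `--web.enable-admin-api` and `--web.enable-lifecycle` while the pod spec sets `hostNetwork: true`, so the 127.0.0.1:3478 listener is the node's own loopback and any process on that node can delete series, reload or shut the server down; unless something on the node actually uses those endpoints, start it as `exec prometheus --config.file=/prometheus/real_config.yml --log.level=info --web.listen-address=127.0.0.1:3478`. In the get-external-ip init container, `curl -s -4 ifconfig.io` fetches over plain HTTP with no failure check and the reply is written unvalidated into the Outline hostname and apiUrl, so an empty or tampered answer is persisted; something like `IP=$(curl -fsS -4 https://ifconfig.io) && echo "$IP" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' && echo "$IP" > /cache/external_ip` makes the pod fail instead (assuming the service offers TLS). The manager-config-json init container echoes `SB_API_PREFIX`, which the ExternalSecret treats as secret material, to stdout, where it ends up in the container logs; write the JSON to `/cache` or drop the container if nothing consumes it. All five images are unpinned (`:latest` or no tag), so pin them by digest; in the Prometheus ConfigMap, quote `replacement: "true"` so the label value is a string on every parser rather than a boolean.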