ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

Added Outfleet VPN

Browse Source
This commit is contained in:
Ultradesu
2025-04-06 18:58:19 +01:00
parent ee56b3d4de
commit 507449f480
5 changed files with 483 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
k8s/apps/vpn/app.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vpn
namespace: argocd
spec:
project: homelab
destination:
namespace: vpn
server: https://kubernetes.default.svc
source:
repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
targetRevision: HEAD
path: k8s/apps/vpn
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- CreateNamespace=true

118
k8s/apps/vpn/external-secrets.yaml Normal file
View File

@ -0,0 +1,118 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outfleet-secrets
namespace: vpn
spec:
target:
name: outfleet-secrets
deletionPolicy: Delete
template:
type: Opaque
data:
TIMEZONE: Asia/Nicosia
POSTGRES_DB: outfleet
POSTGRES_HOST: psql.psql.svc
POSTGRES_PORT: "5432"
POSTGRES_USER: outfleet
CELERY_BROKER_URL: "redis://localhost:6379/0"
POSTGRES_PASSWORD: |-
{{ .pg_pass }}
SECRET_KEY: |-
{{ .secret_key }}
EXTERNAL_ADDRESS: |-
{{ .external_address }}
CSRF_TRUSTED_ORIGINS: |-
{{ .external_address }}
data:
- secretKey: external_address
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
property: fields[1].value
- secretKey: secret_key
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
property: fields[0].value
- secretKey: pg_pass
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 2a9deb39-ef22-433e-a1be-df1555625e22 # postgers-users
property: fields[1].value
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-config
namespace: vpn
spec:
target:
name: outline-config
deletionPolicy: Delete
template:
type: Opaque
data:
SB_API_PORT: "1285"
SB_CLIENT_PORT: "1257"
SB_API_PREFIX: |-
{{ .api_prefix }}
PROM_USER: |-
{{ .prom_user }}
PROM_PASS: |-
{{ .prom_token }}
shadowbox.crt: |-
{{ .cert }}
shadowbox.key: |-
{{ .key }}
data:
- secretKey: api_prefix
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
property: fields[2].value
- secretKey: cert
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert
property: notes
- secretKey: key
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key
property: notes
- secretKey: prom_user
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
property: login.username
- secretKey: prom_token
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds

9
k8s/apps/vpn/kustomization.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- app.yaml
- external-secrets.yaml
- outfleet.yaml
- shadowsocks.yaml

88
k8s/apps/vpn/outfleet.yaml Normal file
View File

@ -0,0 +1,88 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: outfleet
namespace: vpn
labels:
app: outfleet
annotations:
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: outfleet
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: outfleet
spec:
hostname: outfleet
nodeSelector:
kubernetes.io/hostname: master.tail2fe2d.ts.net
containers:
- name: outfleet-web
image: 'ultradesu/outfleet:v2'
imagePullPolicy: Always
command: ["/bin/sh"]
args:
- "-c"
- |
python ./manage.py makemigrations vpn
python ./manage.py migrate
python ./manage.py create_admin
python ./manage.py runserver 0.0.0.0:8000
envFrom:
- secretRef:
name: outfleet-secrets
env:
# value: "true"
- name: ALLOWED_HOSTS
# - name: DEBUG
value: "*"
ports:
- name: http
containerPort: 8000
protocol: TCP
- name: outfleet-redis
image: 'redis:latest'
ports:
- name: redis
containerPort: 6379
protocol: TCP
- name: outfleet-celery-worker
image: 'ultradesu/outfleet:v2'
envFrom:
- secretRef:
name: outfleet-secrets
command:
- celery
- -A
- mysite
- worker
- --loglevel=INFO
- name: outfleet-celery-beat
image: 'ultradesu/outfleet:v2'
command:
- celery
- -A
- mysite
- beat
- --loglevel=INFO
---
apiVersion: v1
kind: Service
metadata:
name: outfleet
namespace: vpn
spec:
selector:
app: outfleet
ports:
- protocol: TCP
port: 80
targetPort: 8000

247
k8s/apps/vpn/shadowsocks.yaml Normal file
View File

@ -0,0 +1,247 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-config
namespace: vpn
spec:
target:
name: outline-config
deletionPolicy: Delete
template:
type: Opaque
data:
SB_API_PORT: "1285"
SB_CLIENT_PORT: "1257"
SB_API_PREFIX: |-
{{ .api_prefix }}
PROM_USER: |-
{{ .prom_user }}
PROM_PASS: |-
{{ .prom_token }}
shadowbox.crt: |-
{{ .cert }}
shadowbox.key: |-
{{ .key }}
data:
- secretKey: api_prefix
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
property: fields[2].value
- secretKey: cert
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert
property: notes
- secretKey: key
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key
property: notes
- secretKey: prom_user
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
property: login.username
- secretKey: prom_token
sourceRef:
storeRef:
name: vaultwarden-login
kind: ClusterSecretStore
remoteRef:
key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
property: login.password
---
apiVersion: v1
kind: ConfigMap
metadata:
name: shadowbox-prometheus-config
namespace: vpn
data:
config.yml: |
global:
scrape_interval: 1m
remote_write:
- url: "https://prom.hexor.cy/api/v1/write"
basic_auth:
username: "_PROM_USER_"
password: "_PROM_PASS_"
scrape_configs:
- job_name: outline_vpn
static_configs:
- targets:
- '127.0.0.1:9092'
relabel_configs:
- source_labels: [__address__]
target_label: instance
replacement: "_HOSTNAME_"
- target_label: k8s_app
replacement: true
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: shadowbox
namespace: vpn
annotations:
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: shadowbox
template:
metadata:
labels:
app: shadowbox
spec:
hostNetwork: true
initContainers:
- name: cert-generator
image: finalgene/openssh:latest
command: ["/bin/sh", "-c"]
args:
- |
openssl x509 -noout -fingerprint -sha256 -inform pem -in /certs/shadowbox.crt | sed "s/://g" | sed 's/.*=//' > /cache/certSha256 ;
volumeMounts:
- name: cert-volume
mountPath: /certs
- name: server-config-volume
mountPath: /cache
- name: get-external-ip
image: curlimages/curl:latest
command: ["/bin/sh", "-c"]
args:
- |
IP=$(curl -s -4 ifconfig.io);
echo "External IP is: $IP";
echo $IP > /cache/external_ip;
volumeMounts:
- name: server-config-volume
mountPath: /cache
- name: manager-config-json
image: busybox
command: ["/bin/sh", "-c"]
env:
- name: SB_API_PREFIX
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PREFIX
- name: SB_API_PORT
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PORT
args:
- |
OUTLINE_HOSTNAME=$(cat /cache/external_ip);
CERT_SHA256=$(cat /cache/certSha256);
echo "{
\"apiUrl\": \"https://$OUTLINE_HOSTNAME:$SB_API_PORT/$SB_API_PREFIX\",
\"certSha256\": \"$CERT_SHA256\"
}"
volumeMounts:
- name: server-config-volume
mountPath: /cache
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: outline-server
operator: Exists
containers:
- name: prom
image: prom/prometheus
command: ["/bin/sh", "-c"]
env:
- name: PROM_USER
valueFrom:
secretKeyRef:
name: outline-config
key: PROM_USER
- name: PROM_PASS
valueFrom:
secretKeyRef:
name: outline-config
key: PROM_PASS
args:
- |
cat /prometheus/config.yml | sed -e "s/_HOSTNAME_/${HOSTNAME}/g" -e "s/_PROM_PASS_/${PROM_PASS}/g" -e "s/_PROM_USER_/${PROM_USER}/g" > /prometheus/real_config.yml &&
exec prometheus --config.file=/prometheus/real_config.yml --log.level=info --web.enable-lifecycle --web.enable-admin-api --web.listen-address=127.0.0.1:3478
volumeMounts:
- name: prometheus-config-volume
mountPath: /prometheus/config.yml
subPath: config.yml
- name: shadowbox
image: ultradesu/shadowbox:latest
ports:
- containerPort: 1257
protocol: TCP
- containerPort: 1285
protocol: TCP
env:
- name: SB_API_PREFIX
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PREFIX
- name: SB_API_PORT
valueFrom:
secretKeyRef:
name: outline-config
key: SB_API_PORT
- name: SB_CLIENT_PORT
valueFrom:
secretKeyRef:
name: outline-config
key: SB_CLIENT_PORT
- name: SB_CERTIFICATE_FILE
value: /certs/shadowbox.crt
- name: SB_PRIVATE_KEY_FILE
value: /certs/shadowbox.key
lifecycle:
postStart:
exec:
command:
- /bin/sh
- "-c"
- >-
OUTLINE_HOSTNAME=$(cat /cache/external_ip); echo '{"rollouts":[{"id":"single-port","enabled":true}],"portForNewAccessKeys":1257,"hostname":"'"$OUTLINE_HOSTNAME"'"}' > /root/shadowbox/persisted-state/shadowbox_server_config.json;
volumeMounts:
- name: server-config-volume
mountPath: /opt/outline
- name: server-config-volume
mountPath: /root/shadowbox/persisted-state
- name: server-config-volume
mountPath: /cache
- name: cert-volume
mountPath: /certs/
volumes:
- name: server-config-volume
emptyDir: {}
- name: cert-volume
secret:
secretName: outline-config
items:
- key: shadowbox.crt
path: shadowbox.crt
- key: shadowbox.key
path: shadowbox.key
- name: prometheus-config-volume
configMap:
name: shadowbox-prometheus-config