| Author | SHA1 | Date | |
|---|---|---|---|
| fdccd4599d |
@@ -42,6 +42,7 @@ ArgoCD homelab project
|
||||
|
||||
| Application | Status |
|
||||
| :--- | :---: |
|
||||
| **amnezia** | [](https://ag.hexor.cy/applications/argocd/amnezia) |
|
||||
| **comfyui** | [](https://ag.hexor.cy/applications/argocd/comfyui) |
|
||||
| **furumi** | [](https://ag.hexor.cy/applications/argocd/furumi) |
|
||||
| **gitea** | [](https://ag.hexor.cy/applications/argocd/gitea) |
|
||||
@@ -53,6 +54,7 @@ ArgoCD homelab project
|
||||
| **k8s-secrets** | [](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
|
||||
| **khm** | [](https://ag.hexor.cy/applications/argocd/khm) |
|
||||
| **lidarr** | [](https://ag.hexor.cy/applications/argocd/lidarr) |
|
||||
| **llamacpp** | [](https://ag.hexor.cy/applications/argocd/llamacpp) |
|
||||
| **matrix** | [](https://ag.hexor.cy/applications/argocd/matrix) |
|
||||
| **mtproxy** | [](https://ag.hexor.cy/applications/argocd/mtproxy) |
|
||||
| **n8n** | [](https://ag.hexor.cy/applications/argocd/n8n) |
|
||||
|
||||
@@ -126,11 +126,8 @@ data:
|
||||
set -euo pipefail
|
||||
|
||||
SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
|
||||
CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
|
||||
CLIENTS_DIR="/etc/amnezia/clients"
|
||||
RUNTIME_CONFIG="/run/amnezia/awg0.conf"
|
||||
SYNC_CONFIG="/run/amnezia/awg0.sync.conf"
|
||||
STATUS_FILE="/run/amnezia/reload-status"
|
||||
RELOAD_INTERVAL="${AMNEZIAWG_RELOAD_INTERVAL:-10}"
|
||||
|
||||
cleanup() {
|
||||
if awg show awg0 >/dev/null 2>&1; then
|
||||
@@ -140,181 +137,32 @@ data:
|
||||
|
||||
render_config() {
|
||||
mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
|
||||
local tmp_config="${RUNTIME_CONFIG}.tmp"
|
||||
cp "${SERVER_CONFIG}" "${tmp_config}"
|
||||
chmod 0600 "${tmp_config}"
|
||||
cp "${SERVER_CONFIG}" "${RUNTIME_CONFIG}"
|
||||
chmod 0600 "${RUNTIME_CONFIG}"
|
||||
|
||||
local clients_found=0
|
||||
for client_config in "${CLIENTS_DIR}"/*; do
|
||||
[ -f "${client_config}" ] || continue
|
||||
[ -s "${client_config}" ] || continue
|
||||
printf '\n' >> "${tmp_config}"
|
||||
cat "${client_config}" >> "${tmp_config}"
|
||||
printf '\n' >> "${RUNTIME_CONFIG}"
|
||||
cat "${client_config}" >> "${RUNTIME_CONFIG}"
|
||||
clients_found=1
|
||||
done
|
||||
|
||||
if [ "${clients_found}" = "0" ]; then
|
||||
echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers"
|
||||
fi
|
||||
|
||||
mv "${tmp_config}" "${RUNTIME_CONFIG}"
|
||||
chmod 0600 "${RUNTIME_CONFIG}"
|
||||
}
|
||||
|
||||
client_config_hash() {
|
||||
{
|
||||
for client_config in "${CLIENTS_DIR}"/*; do
|
||||
[ -f "${client_config}" ] || continue
|
||||
sha256sum "${client_config}"
|
||||
done
|
||||
} | sha256sum | awk '{print $1}'
|
||||
}
|
||||
|
||||
write_reload_status() {
|
||||
local state="${1}"
|
||||
local hash="${2:-}"
|
||||
local applied_at_ms=""
|
||||
if [ "${state}" = "applied" ]; then
|
||||
applied_at_ms="$(($(date +%s) * 1000))"
|
||||
fi
|
||||
|
||||
mkdir -p "$(dirname "${STATUS_FILE}")"
|
||||
{
|
||||
printf 'state=%s\n' "${state}"
|
||||
printf 'hash=%s\n' "${hash}"
|
||||
printf 'applied_at_ms=%s\n' "${applied_at_ms}"
|
||||
} > "${STATUS_FILE}.tmp"
|
||||
mv "${STATUS_FILE}.tmp" "${STATUS_FILE}"
|
||||
}
|
||||
|
||||
apply_live_config() {
|
||||
render_config
|
||||
awg-quick strip "${RUNTIME_CONFIG}" > "${SYNC_CONFIG}"
|
||||
chmod 0600 "${SYNC_CONFIG}"
|
||||
awg syncconf awg0 "${SYNC_CONFIG}"
|
||||
}
|
||||
|
||||
watch_client_config() {
|
||||
local last_hash="${1}"
|
||||
while true; do
|
||||
sleep "${RELOAD_INTERVAL}" &
|
||||
wait "$!" || return 0
|
||||
|
||||
local current_hash
|
||||
current_hash="$(client_config_hash)"
|
||||
if [ "${current_hash}" = "${last_hash}" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "Detected AmneziaWG client peer config change; applying with awg syncconf"
|
||||
if apply_live_config; then
|
||||
last_hash="${current_hash}"
|
||||
write_reload_status applied "${current_hash}"
|
||||
awg show awg0 || true
|
||||
else
|
||||
echo "ERROR: failed to hot-reload AmneziaWG client peer config" >&2
|
||||
write_reload_status error "${current_hash}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
trap cleanup EXIT
|
||||
trap 'exit 0' TERM INT
|
||||
|
||||
initial_hash="$(client_config_hash)"
|
||||
render_config
|
||||
cleanup
|
||||
awg-quick up "${RUNTIME_CONFIG}"
|
||||
awg show awg0 || true
|
||||
write_reload_status applied "${initial_hash}"
|
||||
watch_client_config "${initial_hash}"
|
||||
|
||||
client-secret-sync.sh: |
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
CLIENT_SECRET="${AMNEZIAWG_CLIENT_SECRET:-amneziawg-clients}"
|
||||
CLIENT_SECRET_KEY="${AMNEZIAWG_CLIENT_SECRET_KEY:-peers.conf}"
|
||||
CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
|
||||
PEERS_FILE="${CLIENTS_DIR}/peers.conf"
|
||||
SYNC_INTERVAL="${AMNEZIAWG_CLIENT_SECRET_SYNC_INTERVAL:-5}"
|
||||
NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
|
||||
|
||||
write_empty_once() {
|
||||
mkdir -p "${CLIENTS_DIR}"
|
||||
if [ ! -f "${PEERS_FILE}" ]; then
|
||||
: > "${PEERS_FILE}"
|
||||
chmod 0600 "${PEERS_FILE}"
|
||||
fi
|
||||
}
|
||||
|
||||
sync_once() {
|
||||
mkdir -p "${CLIENTS_DIR}"
|
||||
local tmp_file="${PEERS_FILE}.tmp"
|
||||
local encoded=""
|
||||
|
||||
if ! encoded="$(kubectl get secret "${CLIENT_SECRET}" -n "${NAMESPACE}" -o "go-template={{ index .data \"${CLIENT_SECRET_KEY}\" }}" 2>/dev/null)"; then
|
||||
echo "WARN: failed to read Secret ${NAMESPACE}/${CLIENT_SECRET}; keeping current peers" >&2
|
||||
write_empty_once
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ -n "${encoded}" ]; then
|
||||
printf '%s' "${encoded}" | base64 -d > "${tmp_file}"
|
||||
else
|
||||
: > "${tmp_file}"
|
||||
fi
|
||||
chmod 0600 "${tmp_file}"
|
||||
|
||||
if [ -f "${PEERS_FILE}" ] && cmp -s "${tmp_file}" "${PEERS_FILE}"; then
|
||||
rm -f "${tmp_file}"
|
||||
return 0
|
||||
fi
|
||||
|
||||
mv "${tmp_file}" "${PEERS_FILE}"
|
||||
echo "Synced AmneziaWG client peers from Secret ${NAMESPACE}/${CLIENT_SECRET}:${CLIENT_SECRET_KEY}"
|
||||
}
|
||||
|
||||
if [ "${1:-}" = "once" ]; then
|
||||
sync_once
|
||||
exit 0
|
||||
fi
|
||||
|
||||
while true; do
|
||||
sync_once || true
|
||||
sleep "${SYNC_INTERVAL}"
|
||||
done
|
||||
|
||||
status-patch.sh: |
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
STATUS_FILE="/run/amnezia/reload-status"
|
||||
PATCH_INTERVAL="${AMNEZIAWG_STATUS_PATCH_INTERVAL:-5}"
|
||||
NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
|
||||
: "${POD_NAME:?POD_NAME is required}"
|
||||
|
||||
last_file_hash=""
|
||||
|
||||
patch_status() {
|
||||
local state="unknown"
|
||||
local hash=""
|
||||
local applied_at_ms=""
|
||||
|
||||
# The file is generated by run.sh and contains only shell assignments.
|
||||
# shellcheck disable=SC1090
|
||||
source "${STATUS_FILE}"
|
||||
|
||||
kubectl patch pod "${POD_NAME}" -n "${NAMESPACE}" --type merge -p "{\"metadata\":{\"annotations\":{\"amnezia-fellow.hexor.cy/client-secret-reload-status\":\"${state}\",\"amnezia-fellow.hexor.cy/client-secret-applied-at-ms\":\"${applied_at_ms}\",\"amnezia-fellow.hexor.cy/client-secret-applied-hash\":\"${hash}\"}}}"
|
||||
}
|
||||
|
||||
while true; do
|
||||
if [ -f "${STATUS_FILE}" ]; then
|
||||
file_hash="$(sha256sum "${STATUS_FILE}" | awk '{print $1}')"
|
||||
if [ "${file_hash}" != "${last_file_hash}" ]; then
|
||||
patch_status || true
|
||||
last_file_hash="${file_hash}"
|
||||
fi
|
||||
fi
|
||||
sleep "${PATCH_INTERVAL}"
|
||||
sleep 3600 &
|
||||
wait "$!"
|
||||
done
|
||||
|
||||
+10
-147
@@ -6,9 +6,8 @@ metadata:
|
||||
labels:
|
||||
app: amneziawg
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "false"
|
||||
secret.reloader.stakater.com/reload: "amneziawg-server"
|
||||
configmap.reloader.stakater.com/reload: "amneziawg-scripts,amneziawg-exporter-redis"
|
||||
reloader.stakater.com/auto: "true"
|
||||
secret.reloader.stakater.com/reload: "amneziawg-server,amneziawg-clients"
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
@@ -28,21 +27,6 @@ spec:
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
initContainers:
|
||||
- name: install-awg
|
||||
image: amneziavpn/amneziawg-go:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/bash
|
||||
- -lc
|
||||
- |
|
||||
set -euo pipefail
|
||||
cp /usr/bin/awg /shared-bin/awg
|
||||
cp /lib/ld-musl-x86_64.so.1 /shared-bin/ld-musl-x86_64.so.1
|
||||
cp /lib/ld-musl-x86_64.so.1 /shared-bin/libc.musl-x86_64.so.1
|
||||
chmod 0755 /shared-bin/awg /shared-bin/ld-musl-x86_64.so.1 /shared-bin/libc.musl-x86_64.so.1
|
||||
volumeMounts:
|
||||
- name: awg-bin
|
||||
mountPath: /shared-bin
|
||||
- name: register-endpoint
|
||||
image: bitnami/kubectl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
@@ -81,26 +65,6 @@ spec:
|
||||
kubectl create secret generic amneziawg-endpoints -n "${NAMESPACE}" \
|
||||
--from-literal="${NODE_NAME}=${VALUE}"
|
||||
fi
|
||||
- name: sync-client-secret
|
||||
image: bitnami/kubectl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/bash
|
||||
- /scripts/client-secret-sync.sh
|
||||
- once
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: scripts
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
- name: runtime-config
|
||||
mountPath: /run/amnezia
|
||||
containers:
|
||||
- name: amneziawg
|
||||
image: amneziavpn/amneziawg-go:latest
|
||||
@@ -149,6 +113,9 @@ spec:
|
||||
- name: server-config
|
||||
mountPath: /etc/amnezia/server
|
||||
readOnly: true
|
||||
- name: client-config
|
||||
mountPath: /etc/amnezia/clients
|
||||
readOnly: true
|
||||
- name: scripts
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
@@ -156,108 +123,6 @@ spec:
|
||||
mountPath: /run/amnezia
|
||||
- name: dev-net-tun
|
||||
mountPath: /dev/net/tun
|
||||
- name: reload-status
|
||||
image: bitnami/kubectl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
command:
|
||||
- /bin/bash
|
||||
- /scripts/status-patch.sh
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: scripts
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
- name: runtime-config
|
||||
mountPath: /run/amnezia
|
||||
- name: client-secret-sync
|
||||
image: bitnami/kubectl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/bash
|
||||
- /scripts/client-secret-sync.sh
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: scripts
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
- name: runtime-config
|
||||
mountPath: /run/amnezia
|
||||
- name: amneziawg-exporter-redis
|
||||
image: redis:alpine
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- redis-server
|
||||
- /etc/redis/redis.conf
|
||||
ports:
|
||||
- name: redis
|
||||
containerPort: 6379
|
||||
protocol: TCP
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: exporter-redis-config
|
||||
mountPath: /etc/redis
|
||||
readOnly: true
|
||||
- name: exporter-redis-data
|
||||
mountPath: /data
|
||||
- name: amneziawg-exporter
|
||||
image: amneziavpn/amneziawg-exporter:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
env:
|
||||
- name: AWG_EXPORTER_REDIS_HOST
|
||||
value: "127.0.0.1"
|
||||
- name: AWG_EXPORTER_REDIS_PORT
|
||||
value: "6379"
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: 9351
|
||||
protocol: TCP
|
||||
resources:
|
||||
requests:
|
||||
memory: "64Mi"
|
||||
cpu: "25m"
|
||||
limits:
|
||||
memory: "256Mi"
|
||||
cpu: "200m"
|
||||
volumeMounts:
|
||||
- name: awg-bin
|
||||
mountPath: /usr/bin/awg
|
||||
subPath: awg
|
||||
readOnly: true
|
||||
- name: awg-bin
|
||||
mountPath: /lib/ld-musl-x86_64.so.1
|
||||
subPath: ld-musl-x86_64.so.1
|
||||
readOnly: true
|
||||
- name: awg-bin
|
||||
mountPath: /lib/libc.musl-x86_64.so.1
|
||||
subPath: libc.musl-x86_64.so.1
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: server-config
|
||||
secret:
|
||||
@@ -266,19 +131,17 @@ spec:
|
||||
items:
|
||||
- key: awg0.conf
|
||||
path: awg0.conf
|
||||
- name: client-config
|
||||
secret:
|
||||
secretName: amneziawg-clients
|
||||
optional: true
|
||||
defaultMode: 0600
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: amneziawg-scripts
|
||||
defaultMode: 0755
|
||||
- name: runtime-config
|
||||
emptyDir: {}
|
||||
- name: awg-bin
|
||||
emptyDir: {}
|
||||
- name: exporter-redis-config
|
||||
configMap:
|
||||
name: amneziawg-exporter-redis
|
||||
- name: exporter-redis-data
|
||||
emptyDir: {}
|
||||
- name: dev-net-tun
|
||||
hostPath:
|
||||
path: /dev/net/tun
|
||||
|
||||
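Review bot: In the annotations hunk (`@@ -6,9 +6,8 @@`) the new side sets `reloader.stakater.com/auto: "true"` and also enumerates `amneziawg-server,amneziawg-clients` under `secret.reloader.stakater.com/reload`; if `auto` already covers every Secret the pod references, the explicit list is redundant and will drift from the volumes over time, so keep one mechanism or add a comment stating why both are wanted. The new `client-config` volume in the final hunk is `optional: true`, which means a missing or misspelled `amneziawg-clients` Secret mounts an empty directory and the pod comes up with no peers while only the script's "No client peer configs found" message records it; a comment on the volume such as `# optional: the pod starts peerless if the Secret is absent — check the amneziawg container log` makes that trade-off explicit. Because peer updates now rely on a Reloader-triggered restart rather than the removed hot-reload sidecars, it is worth confirming that Reloader actually runs in this cluster before relying on the annotation.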
@@ -1,32 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: amneziawg-exporter-redis
|
||||
labels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
data:
|
||||
redis.conf: |
|
||||
bind 127.0.0.1
|
||||
protected-mode yes
|
||||
port 6379
|
||||
tcp-backlog 511
|
||||
timeout 0
|
||||
tcp-keepalive 300
|
||||
daemonize no
|
||||
pidfile /run/redis.pid
|
||||
loglevel warning
|
||||
logfile ""
|
||||
databases 16
|
||||
always-show-logo no
|
||||
set-proc-title no
|
||||
save ""
|
||||
appendonly no
|
||||
stop-writes-on-bgsave-error no
|
||||
rdbcompression yes
|
||||
rdbchecksum yes
|
||||
dir /data
|
||||
rename-command CONFIG ""
|
||||
rename-command SAVE ""
|
||||
rename-command BGSAVE ""
|
||||
@@ -1,17 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: amneziawg-exporter
|
||||
labels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: amneziawg
|
||||
ports:
|
||||
- name: metrics
|
||||
protocol: TCP
|
||||
port: 9351
|
||||
targetPort: 9351
|
||||
@@ -20,11 +20,14 @@ spec:
|
||||
serviceAccountName: amnezia-fellow
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
kubernetes.io/hostname: cy.tail2fe2d.ts.net
|
||||
kubernetes.io/hostname: master.tail2fe2d.ts.net
|
||||
containers:
|
||||
- name: amnezia-fellow
|
||||
image: ultradesu/amnezia-fellow:latest
|
||||
imagePullPolicy: Always
|
||||
args:
|
||||
- "--listen"
|
||||
- "0.0.0.0:8000"
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8000
|
||||
|
||||
@@ -12,7 +12,4 @@ resources:
|
||||
- fellow-service.yaml
|
||||
- fellow-ingress.yaml
|
||||
- fellow-deployment.yaml
|
||||
- exporter-redis-configmap.yaml
|
||||
- exporter-service.yaml
|
||||
- servicemonitor.yaml
|
||||
- daemonset.yaml
|
||||
|
||||
@@ -42,9 +42,6 @@ rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "create", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
|
||||
@@ -1,23 +0,0 @@
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: amneziawg-exporter
|
||||
labels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
release: prometheus
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
endpoints:
|
||||
- port: metrics
|
||||
path: /metrics
|
||||
interval: 30s
|
||||
scrapeTimeout: 10s
|
||||
honorLabels: true
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- amnezia
|
||||
@@ -95,9 +95,4 @@ oauth2_applications = {
|
||||
web_origins = ["https://auth.matrix.hexor.cy"]
|
||||
post_logout_redirect_uris = ["https://auth.matrix.hexor.cy/*"]
|
||||
}
|
||||
Amnezia-Fellow = {
|
||||
redirect_uris = ["https://awg.hexor.cy/auth/oidc/callback"]
|
||||
web_origins = ["https://awg.hexor.cy"]
|
||||
post_logout_redirect_uris = ["https://awg.hexor.cy/*"]
|
||||
}
|
||||
}
|
||||
|
||||