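---
# Outline (shadowbox) VPN server, namespace "vpn".
#
# Three documents:
#   1. ExternalSecret  - renders Vaultwarden items into Secret "outline-config"
#   2. ConfigMap       - Prometheus config template with placeholder tokens
#   3. DaemonSet       - shadowbox + a sidecar Prometheus, on host networking
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: outline-config
  namespace: vpn
spec:
  target:
    name: outline-config
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # Quoted: Secret values must be strings, and an unquoted 1285 would be
        # typed as an int by the YAML parser.
        SB_API_PORT: "1285"
        SB_CLIENT_PORT: "1257"
        # "|-" strips the trailing newline so the env var / file is exactly the
        # Vaultwarden value. The API prefix doubles as the management API
        # access token, so it is rendered into the Secret, never a ConfigMap.
        SB_API_PREFIX: |-
          {{ .api_prefix }}
        PROM_USER: |-
          {{ .prom_user }}
        PROM_PASS: |-
          {{ .prom_token }}
        shadowbox.crt: |-
          {{ .cert }}
        shadowbox.key: |-
          {{ .key }}
  data:
    # All items come from the "vaultwarden-login" ClusterSecretStore; the
    # remoteRef keys are Vaultwarden item ids.
    - secretKey: api_prefix
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 760ed4c1-8441-4f11-ac88-aa3717d4b092  # Outfleet
        # Positional lookup: breaks silently if custom fields are reordered
        # in the Vaultwarden item.
        property: fields[2].value
    - secretKey: cert
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: c4549690-945d-4bf0-af09-a178c7711f87  # Outline cert
        property: notes
    - secretKey: key
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 353eae71-4828-431b-9c65-dc1a8fd61ef6  # Outline key
        property: notes
    # prom_user and prom_token are the username/password of one login item.
    - secretKey: prom_user
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3  # Outline prom creds
        property: login.username
    - secretKey: prom_token
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3  # Outline prom creds
        property: login.password
---
# Prometheus config *template*. The _PROM_USER_/_PROM_PASS_/_HOSTNAME_ tokens
# are substituted by sed in the "prom" container below, so the ConfigMap
# itself holds no credentials.
apiVersion: v1
kind: ConfigMap
metadata:
  name: shadowbox-prometheus-config
  namespace: vpn
data:
  config.yml: |
    global:
      scrape_interval: 1m
    remote_write:
      - url: "https://prom.hexor.cy/api/v1/write"
        basic_auth:
          username: "_PROM_USER_"
          password: "_PROM_PASS_"
    scrape_configs:
      - job_name: outline_vpn
        static_configs:
          - targets:
              - '127.0.0.1:9092'
        relabel_configs:
          - source_labels: [__address__]
            target_label: instance
            replacement: "_HOSTNAME_"
          - target_label: k8s_app
            replacement: "true"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: shadowbox
  namespace: vpn
  annotations:
    # Restart pods when the referenced Secret/ConfigMap changes (needed here
    # because the subPath mount below does not pick up ConfigMap updates).
    reloader.stakater.com/auto: "true"
spec:
  selector:
    matchLabels:
      app: shadowbox
  template:
    metadata:
      labels:
        app: shadowbox
    spec:
      # The pod shares the node's network namespace: every listener below
      # (VPN ports, the management API, and the Prometheus 127.0.0.1 bind)
      # lives on the node itself. containerPort entries are informational.
      hostNetwork: true
      initContainers:
        # Step 1: SHA-256 fingerprint of the server cert (hex, no colons),
        # used in the manager JSON as "certSha256".
        # NOTE(review): images here are pulled by mutable tag (:latest /
        # untagged); pinning by digest would make the rollout reproducible.
        - name: cert-generator
          image: finalgene/openssh:latest
          command: ["/bin/sh", "-c"]
          args:
            - |
              openssl x509 -noout -fingerprint -sha256 -inform pem -in /certs/shadowbox.crt | sed "s/://g" | sed 's/.*=//' > /cache/certSha256 ;
          volumeMounts:
            - name: cert-volume
              mountPath: /certs
            - name: server-config-volume
              mountPath: /cache
        # Step 2: discover the node's public IPv4 via an external service.
        # NOTE(review): no scheme on the URL means curl uses plain HTTP, and
        # there is no -f, so an unauthenticated/error response body is written
        # verbatim to external_ip and later embedded in apiUrl and the
        # shadowbox hostname. Prefer https:// and check the result looks like
        # an IPv4 literal before writing it.
        - name: get-external-ip
          image: curlimages/curl:latest
          command: ["/bin/sh", "-c"]
          args:
            - |
              IP=$(curl -s -4 ifconfig.io);
              echo "External IP is: $IP";
              echo $IP > /cache/external_ip;
          volumeMounts:
            - name: server-config-volume
              mountPath: /cache
        # Step 3: print the Outline Manager connection JSON.
        # NOTE(review): this echo goes to stdout, i.e. the init container log,
        # and the apiUrl contains SB_API_PREFIX (the management API token).
        # Anyone with read access to pod logs in this namespace can see it;
        # consider writing it to /cache instead of logging it.
        - name: manager-config-json
          image: busybox
          command: ["/bin/sh", "-c"]
          env:
            - name: SB_API_PREFIX
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: SB_API_PREFIX
            - name: SB_API_PORT
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: SB_API_PORT
          args:
            - |
              OUTLINE_HOSTNAME=$(cat /cache/external_ip);
              CERT_SHA256=$(cat /cache/certSha256);
              echo "{ \"apiUrl\": \"https://$OUTLINE_HOSTNAME:$SB_API_PORT/$SB_API_PREFIX\", \"certSha256\": \"$CERT_SHA256\" }"
          volumeMounts:
            - name: server-config-volume
              mountPath: /cache
      # Only schedule on nodes labelled "outline-server" (any value).
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: outline-server
                    operator: Exists
      containers:
        # Sidecar Prometheus: renders the template, then scrapes shadowbox on
        # 127.0.0.1:9092 and pushes via remote_write.
        # NOTE(review): the sed substitution is not escape-safe - a password
        # containing "/", "&" or "\" corrupts the rendered config. The rendered
        # real_config.yml contains the plaintext credentials on disk.
        # NOTE(review): --web.enable-lifecycle and --web.enable-admin-api are
        # on; with hostNetwork the 127.0.0.1:3478 bind is the node's loopback,
        # so any process on the node can reach reload/quit and the TSDB admin
        # endpoints. Drop the admin API flag if nothing uses it.
        - name: prom
          image: prom/prometheus
          command: ["/bin/sh", "-c"]
          env:
            - name: PROM_USER
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: PROM_USER
            - name: PROM_PASS
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: PROM_PASS
          args:
            - |
              cat /prometheus/config.yml | sed -e "s/_HOSTNAME_/${HOSTNAME}/g" -e "s/_PROM_PASS_/${PROM_PASS}/g" -e "s/_PROM_USER_/${PROM_USER}/g" > /prometheus/real_config.yml &&
              exec prometheus --config.file=/prometheus/real_config.yml --log.level=info --web.enable-lifecycle --web.enable-admin-api --web.listen-address=127.0.0.1:3478
          volumeMounts:
            - name: prometheus-config-volume
              mountPath: /prometheus/config.yml
              subPath: config.yml
        # The Outline server itself. TLS material comes from the projected
        # Secret volume; ports/prefix from the Secret as env vars.
        - name: shadowbox
          image: ultradesu/shadowbox:latest
          ports:
            - containerPort: 1257
              protocol: TCP
            - containerPort: 1285
              protocol: TCP
          env:
            - name: SB_API_PREFIX
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: SB_API_PREFIX
            - name: SB_API_PORT
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: SB_API_PORT
            - name: SB_CLIENT_PORT
              valueFrom:
                secretKeyRef:
                  name: outline-config
                  key: SB_CLIENT_PORT
            - name: SB_CERTIFICATE_FILE
              value: /certs/shadowbox.crt
            - name: SB_PRIVATE_KEY_FILE
              value: /certs/shadowbox.key
          # Seeds the server config with the discovered public IP.
          # portForNewAccessKeys (1257) duplicates SB_CLIENT_PORT in the
          # Secret - keep the two in sync.
          lifecycle:
            postStart:
              exec:
                command:
                  - /bin/sh
                  - "-c"
                  - >-
                    OUTLINE_HOSTNAME=$(cat /cache/external_ip);
                    echo '{"rollouts":[{"id":"single-port","enabled":true}],"portForNewAccessKeys":1257,"hostname":"'"$OUTLINE_HOSTNAME"'"}' > /root/shadowbox/persisted-state/shadowbox_server_config.json;
          # One emptyDir backs /opt/outline, persisted-state and /cache, so
          # whatever shadowbox keeps in persisted-state is lost when the pod
          # is recreated - presumably including access keys; verify.
          volumeMounts:
            - name: server-config-volume
              mountPath: /opt/outline
            - name: server-config-volume
              mountPath: /root/shadowbox/persisted-state
            - name: server-config-volume
              mountPath: /cache
            - name: cert-volume
              mountPath: /certs/
      volumes:
        - name: server-config-volume
          emptyDir: {}
        # Only the cert and key are projected; the other Secret keys stay
        # out of the filesystem.
        - name: cert-volume
          secret:
            secretName: outline-config
            items:
              - key: shadowbox.crt
                path: shadowbox.crt
              - key: shadowbox.key
                path: shadowbox.key
        - name: prometheus-config-volume
          configMap:
            name: shadowbox-prometheus-config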