Added Outfleet VPN

k8s/apps/vpn/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vpn
+  namespace: argocd
+spec:
+  project: homelab
+  destination:
+    namespace: vpn
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/apps/vpn
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+

k8s/apps/vpn/external-secrets.yaml

@@ -0,0 +1,118 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outfleet-secrets
+  namespace: vpn
+spec:
+  target:
+    name: outfleet-secrets
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        TIMEZONE: Asia/Nicosia
+        POSTGRES_DB: outfleet
+        POSTGRES_HOST: psql.psql.svc
+        POSTGRES_PORT: "5432"
+        POSTGRES_USER: outfleet
+        CELERY_BROKER_URL: "redis://localhost:6379/0"
+        POSTGRES_PASSWORD: |-
+          {{ .pg_pass }}
+        SECRET_KEY: |-
+          {{ .secret_key }}
+        EXTERNAL_ADDRESS: |-
+          {{ .external_address }}
+        CSRF_TRUSTED_ORIGINS: |-
+          {{ .external_address }}
+  data:
+    - secretKey: external_address
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
+        property: fields[1].value
+    - secretKey: secret_key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
+        property: fields[0].value
+    - secretKey: pg_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22 # postgers-users
+        property: fields[1].value
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-config
+  namespace: vpn
+spec:
+  target:
+    name: outline-config
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        SB_API_PORT: "1285"
+        SB_CLIENT_PORT: "1257"
+        SB_API_PREFIX: |-
+          {{ .api_prefix }}
+        PROM_USER: |-
+          {{ .prom_user }}
+        PROM_PASS: |-
+          {{ .prom_token }}
+        shadowbox.crt: |-
+          {{ .cert }}
+        shadowbox.key: |-
+          {{ .key }}
+  data:
+    - secretKey: api_prefix
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
+        property: fields[2].value
+    - secretKey: cert
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert
+        property: notes
+    - secretKey: key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key
+        property: notes
+    - secretKey: prom_user
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
+        property: login.username
+    - secretKey: prom_token
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds

k8s/apps/vpn/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+  - outfleet.yaml
+  - shadowsocks.yaml
+

k8s/apps/vpn/outfleet.yaml

@@ -0,0 +1,88 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: outfleet
+  namespace: vpn
+  labels:
+    app: outfleet
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  selector:
+    matchLabels:
+      app: outfleet
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: outfleet
+    spec:
+      hostname: outfleet
+      nodeSelector:
+        kubernetes.io/hostname: master.tail2fe2d.ts.net
+      containers:
+        - name: outfleet-web
+          image: 'ultradesu/outfleet:v2'
+          imagePullPolicy: Always
+          command: ["/bin/sh"]
+          args:
+            - "-c"
+            - |
+              python ./manage.py makemigrations vpn
+              python ./manage.py migrate
+              python ./manage.py create_admin
+              python ./manage.py runserver 0.0.0.0:8000
+          envFrom:
+            - secretRef:
+                name: outfleet-secrets
+          env:
+            #             value: "true"
+            - name: ALLOWED_HOSTS
+              #           - name: DEBUG
+
+              value: "*"
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+        - name: outfleet-redis
+          image: 'redis:latest'
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+        - name: outfleet-celery-worker
+          image: 'ultradesu/outfleet:v2'
+          envFrom:
+            - secretRef:
+                name: outfleet-secrets
+          command:
+            - celery
+            - -A
+            - mysite
+            - worker
+            - --loglevel=INFO
+        - name: outfleet-celery-beat
+          image: 'ultradesu/outfleet:v2'
+          command:
+            - celery
+            - -A
+            - mysite
+            - beat
+            - --loglevel=INFO
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: outfleet
+  namespace: vpn
+spec:
+  selector:
+    app: outfleet
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8000

k8s/apps/vpn/shadowsocks.yaml

@@ -0,0 +1,247 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: outline-config
+  namespace: vpn
+spec:
+  target:
+    name: outline-config
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        SB_API_PORT: "1285"
+        SB_CLIENT_PORT: "1257"
+        SB_API_PREFIX: |-
+          {{ .api_prefix }}
+        PROM_USER: |-
+          {{ .prom_user }}
+        PROM_PASS: |-
+          {{ .prom_token }}
+        shadowbox.crt: |-
+          {{ .cert }}
+        shadowbox.key: |-
+          {{ .key }}
+  data:
+    - secretKey: api_prefix
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 760ed4c1-8441-4f11-ac88-aa3717d4b092 # Outfleet
+        property: fields[2].value
+    - secretKey: cert
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: c4549690-945d-4bf0-af09-a178c7711f87 # Outline cert
+        property: notes
+    - secretKey: key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 353eae71-4828-431b-9c65-dc1a8fd61ef6 # Outline key
+        property: notes
+    - secretKey: prom_user
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
+        property: login.username
+    - secretKey: prom_token
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 7cec6228-7dca-45a9-9eff-6b27a47cdfd3 # Outline prom creds
+        property: login.password
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: shadowbox-prometheus-config
+  namespace: vpn
+data:
+  config.yml: |
+    global:
+      scrape_interval: 1m
+    remote_write:
+      - url: "https://prom.hexor.cy/api/v1/write"
+        basic_auth:
+          username: "_PROM_USER_"
+          password: "_PROM_PASS_"
+    scrape_configs:
+      - job_name: outline_vpn
+        static_configs:
+          - targets:
+              - '127.0.0.1:9092'
+        relabel_configs:
+          - source_labels: [__address__]
+            target_label: instance
+            replacement: "_HOSTNAME_"
+          - target_label: k8s_app
+            replacement: true
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: shadowbox
+  namespace: vpn
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  selector:
+    matchLabels:
+      app: shadowbox
+  template:
+    metadata:
+      labels:
+        app: shadowbox
+    spec:
+      hostNetwork: true
+      initContainers:
+        - name: cert-generator
+          image: finalgene/openssh:latest
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              openssl x509 -noout -fingerprint -sha256 -inform pem -in /certs/shadowbox.crt | sed "s/://g" | sed 's/.*=//' > /cache/certSha256 ;
+          volumeMounts:
+            - name: cert-volume
+              mountPath: /certs
+            - name: server-config-volume
+              mountPath: /cache
+        - name: get-external-ip
+          image: curlimages/curl:latest
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              IP=$(curl -s -4 ifconfig.io);
+              echo "External IP is: $IP";
+              echo $IP > /cache/external_ip;
+          volumeMounts:
+            - name: server-config-volume
+              mountPath: /cache
+        - name: manager-config-json
+          image: busybox
+          command: ["/bin/sh", "-c"]
+          env:
+            - name: SB_API_PREFIX
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: SB_API_PREFIX
+            - name: SB_API_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: SB_API_PORT
+          args:
+            - |
+              OUTLINE_HOSTNAME=$(cat /cache/external_ip);
+              CERT_SHA256=$(cat /cache/certSha256);
+              echo "{
+                \"apiUrl\": \"https://$OUTLINE_HOSTNAME:$SB_API_PORT/$SB_API_PREFIX\",
+                \"certSha256\": \"$CERT_SHA256\"
+              }"
+          volumeMounts:
+            - name: server-config-volume
+              mountPath: /cache
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: outline-server
+                    operator: Exists
+      containers:
+        - name: prom
+          image: prom/prometheus
+          command: ["/bin/sh", "-c"]
+          env:
+            - name: PROM_USER
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: PROM_USER
+            - name: PROM_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: PROM_PASS
+          args:
+            - |
+              cat /prometheus/config.yml | sed -e "s/_HOSTNAME_/${HOSTNAME}/g" -e "s/_PROM_PASS_/${PROM_PASS}/g" -e "s/_PROM_USER_/${PROM_USER}/g" > /prometheus/real_config.yml &&
+              exec prometheus --config.file=/prometheus/real_config.yml --log.level=info --web.enable-lifecycle --web.enable-admin-api --web.listen-address=127.0.0.1:3478
+          volumeMounts:
+            - name: prometheus-config-volume
+              mountPath: /prometheus/config.yml
+              subPath: config.yml
+        - name: shadowbox
+          image: ultradesu/shadowbox:latest
+          ports:
+            - containerPort: 1257
+              protocol: TCP
+            - containerPort: 1285
+              protocol: TCP
+          env:
+            - name: SB_API_PREFIX
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: SB_API_PREFIX
+            - name: SB_API_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: SB_API_PORT
+            - name: SB_CLIENT_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: outline-config
+                  key: SB_CLIENT_PORT
+            - name: SB_CERTIFICATE_FILE
+              value: /certs/shadowbox.crt
+            - name: SB_PRIVATE_KEY_FILE
+              value: /certs/shadowbox.key
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  - /bin/sh
+                  - "-c"
+                  - >-
+                    OUTLINE_HOSTNAME=$(cat /cache/external_ip); echo '{"rollouts":[{"id":"single-port","enabled":true}],"portForNewAccessKeys":1257,"hostname":"'"$OUTLINE_HOSTNAME"'"}' > /root/shadowbox/persisted-state/shadowbox_server_config.json;
+          volumeMounts:
+            - name: server-config-volume
+              mountPath: /opt/outline
+            - name: server-config-volume
+              mountPath: /root/shadowbox/persisted-state
+            - name: server-config-volume
+              mountPath: /cache
+            - name: cert-volume
+              mountPath: /certs/
+      volumes:
+        - name: server-config-volume
+          emptyDir: {}
+        - name: cert-volume
+          secret:
+            secretName: outline-config
+            items:
+              - key: shadowbox.crt
+                path: shadowbox.crt
+              - key: shadowbox.key
+                path: shadowbox.key
+        - name: prometheus-config-volume
+          configMap:
+            name: shadowbox-prometheus-config
+