diff --git a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
index 780eee8ba..9a114ac60 100644
--- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
@@ -61,7 +61,7 @@ spec:
 timeoutSeconds: 1
 failureThreshold: 3
 readiness: *probes
- securityContext:
+ securityContext: &securityContext
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 capabilities: { drop: ["ALL"] }
@@ -72,6 +72,58 @@ spec:
 limits:
 cpu: 4
 memory: 50Gi
+ initContainers:
+ gluetun:
+ image:
+ repository: ghcr.io/qdm12/gluetun
+ tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1
+ env:
+ BLOCK_MALICIOUS: "off" # save 300MB of RAM; https://github.com/qdm12/gluetun/issues/2054
+ DOT_IPV6: "on"
+ FIREWALL_DEBUG: on
+ FIREWALL_INPUT_PORTS: "80,9999"
+ HEALTH_SERVER_ADDRESS: ":9999"
+ HEALTH_VPN_DURATION_INITIAL: 60s
+ LOG_LEVEL: debug
+ VPN_INTERFACE: wg0
+ VPN_TYPE: wireguard
+ TZ: America/Los_Angeles
+ envFrom:
+ - secretRef:
+ name: sabnzbd-gluetun-secret
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /
+ port: 9999
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ failureThreshold: 3
+ startup:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /
+ port: 9999
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ failureThreshold: 5
+ resources:
+ requests:
+ memory: 48Mi
+ limits:
+ memory: 96Mi
+ restartPolicy: Always
+ securityContext:
+ <<: *securityContext
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+ capabilities: { add: ["NET_ADMIN"] }
 pod:
 labels:
 stealth-gateway: "true"
@@ -108,6 +160,14 @@ spec:
 persistence:
 config:
 existingClaim: sabnzbd
+ empty:
+ type: emptyDir
+ sizeLimit: 20Mi
+ globalMounts:
+ - path: /gluetun
+ subPath: gluetun
+ - path: /tmp
+ subPath: tmp
 media:
 type: nfs
 server: kaidame.flat
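Review bot: The gluetun init container's `securityContext` no longer drops any capabilities, because `<<: *securityContext` is a shallow merge and the explicit `capabilities: { add: ["NET_ADMIN"] }` replaces the anchored `capabilities: { drop: ["ALL"] }` map outright instead of combining with it; together with `runAsUser: 0` and `runAsNonRoot: false` this leaves gluetun running as root with the runtime's full default capability set plus NET_ADMIN, which is more than the tunnel needs. Keep the drop explicit on the override: `capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] }`. Separately, `FIREWALL_DEBUG: on` is unquoted and parses as the YAML boolean `true`, unlike the neighbouring `DOT_IPV6: "on"`; whether the chart stringifies it or rejects a non-string env value cannot be told from here, so quote it (`FIREWALL_DEBUG: "on"`) to match its siblings. The enclosing controller/container spec that these anchors belong to starts before this hunk.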
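Review bot: `/gluetun` and `/tmp` are both `globalMounts` of the single `empty` volume, so — assuming global mounts apply to init containers as well as the main container in this chart — the root gluetun process and the unprivileged sabnzbd process share one writable `/tmp` (subPath `tmp`), which undercuts the separation the two `securityContext`s are meant to provide. If only gluetun needs this scratch space, scope the mounts to that container rather than making them global, or give each container its own subPath. Note also that `sizeLimit: 20Mi` is a per-volume limit covering both subPaths, so one container filling `/tmp` also exhausts `/gluetun`; a comment such as `# shared 20Mi between /gluetun and /tmp — raise if gluetun logs ENOSPC` would record that trade-off.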
@@ -119,5 +179,10 @@ spec:
 type: emptyDir
 globalMounts:
 - path: /config/logs
- tmp:
+ run:
 type: emptyDir
+ medium: Memory
+ sizeLimit: 10Mi
+ globalMounts:
+ - path: /run
+ - path: /var/run
diff --git a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml
index 9ded3bbab..6b74121c6 100644
--- a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
 - ./externalsecret.yaml
 - ./helmrelease.yaml
- - ./networkpolicy.yaml
+ - ./networkpolicy.sops.yaml
+ - ./secret.sops.yaml
 - ../../../../templates/gatus/guarded
 - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml b/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml
new file mode 100644
index 000000000..4c4c3c64d
--- /dev/null
+++ b/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml
@@ -0,0 +1,46 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: sabnzbd-allow-gluetun + annotations: + future-me-why: allow ingress and egress to gluetun endpoints; also puts pod in deny-by-default mode for egress +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/instance: sabnzbd + egress: + - toCIDR: + - ENC[AES256_GCM,data:mNT5z8Y3xn/7/jR5QxZtzw==,iv:wzNXRlt1epGSxlXJYUFhjhVglqXiDFLCEpl5byu8bAM=,tag:kIvGjcyyGpvrSRQlW+GPxA==,type:str] + - ENC[AES256_GCM,data:U6hf+lZE4/t8vtaK0O0ZLw==,iv:bqmORY2mWxGr9GDwsDTaw7eKTx4YJPmVHEZfuGWs+SQ=,tag:ej5CbkEj1+8r5nemp8lWNg==,type:str] + - ENC[AES256_GCM,data:1mq8eRXb/OxcbalLu55d7Jga,iv:PYsxTu140h1dN+D8x6thkW3HCfoNMe0+tzdFuB9EHfo=,tag:5JaXUTvTej5NKvMKgB5qUw==,type:str] + - ENC[AES256_GCM,data:amSC52gm3vbBWGqSlWtJF0p2tftSU3aRjTHKxGo1rNzMevgnqQ3q5Cs=,iv:w+UnCBLuZYCC5UAAuHscCpl5KIB9FTDDK+0FjGaauQQ=,tag:2QxF7NFOz3JVcN8NHTuL7Q==,type:str] + - ENC[AES256_GCM,data:DCxTc0I4Q5iufNtLw4HGSU/53gWkqnhAGTIZapgDjxLZOXMTXoU=,iv:xjjGzGubdluqvkWMgCu+iPZnVPTZwc3/R018fTidYcA=,tag:oktvHzFR06EYWQZOo4m11A==,type:str] + - ENC[AES256_GCM,data:OEvllsPoeuf993p8f8Vy9TtQYmTgfYAI24D5JmKRNfI8XT+FPZg=,iv:J70BhAUVkvUVYCzNVfutVb4VqKJB0o8oDCYr3oEGpWI=,tag:UmfIFBemDmhiCUBtn/zQHg==,type:str] + ingress: + - fromCIDR: + - ENC[AES256_GCM,data:Kg7ijWY9UqkiaSaxX2PFZw==,iv:359xnjjwZ3LF7IRRikFnlTTGQ3gib76j2pNkfmu1tDw=,tag:uqtE4ce7fg6ye9gc9uFzrA==,type:str] + - ENC[AES256_GCM,data:aCwlwwTe5CbLGIW0/vXQ/w==,iv:w754jDfiQjVX+TUPZFPXelZ6J4CqIth8PR6fRz/z53g=,tag:Xj8XCkjc7H6NiIMkjL+D5A==,type:str] + - ENC[AES256_GCM,data:9aOU2DDj0msdTXUdQpBPf8Rh,iv:62/j5DLwms1Beq+fxZ8VJuXs45D8XVkJ+8h4A/V444I=,tag:hDtIoOqho5Ht0FLGr72Fwg==,type:str] + - ENC[AES256_GCM,data:Oqp9pdPslT5tf6MrRWVofCmARQjQMSy3ZGs/u3juU+DBKQjhXoGO6IU=,iv:sKUIAghUZJ9E8KSVetYN5widrQmX8bOy1iGrgIA5vkU=,tag:7kZ7KzKjZbINAV6F8qXZ1w==,type:str] + - 
ENC[AES256_GCM,data:tJ4rsaw55a3KRd0E0NYMiHMBdE0ayf0xoUS8q177tlFp7VIFd+Q=,iv:RFY1WLLHQb5XLgI6+BSU6HKIMxsQzVnHm9EZmIk7jMU=,tag:FuLZzWAJUyyRS1lmDZdqeg==,type:str] + - ENC[AES256_GCM,data:4jF0dxldQtZK3BSnzC28r3L84EzE9gWzW3cRQBPaJ2EUVzsmyFQ=,iv:BRixMhRZRiIguSJmjC0n2pZXf3xMP/pOG2hud2ZRiqY=,tag:DPPJgU0mPMBEHshaqod51Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWWE2VDVVN0FDRnN6WTRq + WlkrMmxuTUI5Y0lQNkRSQUJ6VDlvR0ZPMERFCkhyLzFOQXE1OFBUNVBHN296S0U0 + Nm93dlNOWDg2Yk5qUHljN1FNdVZOdlkKLS0tIDlYNENJZURSbDYxSlZFWDNBaVBE + YXJ0N2FYU1BRREt3WUJ2Qm9jTEtTcEEKdDfqzQpKbtl9eiDgL4TFUvaCFklhfy3s + twR7fq2hW1E1uXWFxLQiuZz7Ut/8U+A4yTKsWSbTaI2JWg7gShU1CA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-15T16:00:57Z" + mac: ENC[AES256_GCM,data:EFc1B2yZxVgqfy08G9gJ+RxQdU9NbNpO31V3bwOMrjV1ykJJCTTKJel1EM8GNFCnDfg5jw+d8Nz9GeAKUqFcWkLHIDaL90BoT+EvFE7378HwJKDqQl9Q3wnnz5S29tHxNx85ZZ/0AKVrjCEQyHSqppGU05ErKZzoNtgnMfDVNdQ=,iv:g26tViBC+Z9cItN/KOCgC535IR0zYKMMGcBBQSw3RmU=,tag:JLeL7sTa8H758c6c7DmFmw==,type:str] + pgp: [] + encrypted_regex: ^(egress|ingress)$ + version: 3.9.0 diff --git a/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml b/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml deleted file mode 100644 index 82e67e907..000000000 --- a/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: "cilium.io/v2" -kind: CiliumNetworkPolicy -metadata: - name: "sabnzbd-allow-egress-cluster" - annotations: - future-me-why: "allow egress to cluster for all endpoints, which also puts pod in deny-by-default mode for egress; must use stealth-gateway" -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/instance: sabnzbd - egress: - - toEntities: - - "cluster" 
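Review bot: The egress side of this policy is a bare `toCIDR` list with no `toPorts`, so every allow-listed destination is reachable on any port and protocol; if these are the WireGuard endpoints, constraining them to the tunnel's UDP port (`toPorts: [{ ports: [{ port: "<wg-port>", protocol: UDP }] }]`) keeps the deny-by-default posture meaningful. The deleted policy allowed `toEntities: cluster`; that allowance is gone, so in-cluster egress (kube-dns, any cluster services sabnzbd calls) is now denied unless the encrypted CIDRs happen to cover it, and that cannot be checked from the ciphertext — worth a sentence in the annotation. Adding an `ingress` section also flips the pod to deny-by-default for ingress, so reachability of the web UI from the ingress controller and from whatever probes port 9999 now depends entirely on the encrypted `fromCIDR` list; I would extend `future-me-why` to say `also puts pod in deny-by-default mode for both ingress and egress; UI and health port reachable only from the listed CIDRs`.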
diff --git a/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml
new file mode 100644
index 000000000..ff4806dda
--- /dev/null
+++ b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Secret +metadata: + name: sabnzbd-gluetun-secret +type: Opaque +stringData: + SERVER_CITIES: ENC[AES256_GCM,data:23y/J81FMEK8pB8=,iv:bE9J8X4TpAz8Va3v6PuXF7D6QJO+4bmWZUNOn3Qf51M=,tag:qOKym05kNejgv+Qd/nEKDQ==,type:str] + SERVER_COUNTRIES: ENC[AES256_GCM,data:Spb9yCEOTYPA9oeuzQ==,iv:LAz5w9smVQJTjPGuZIx3bSt1YGkvg1ABubp2EGbeRsQ=,tag:ARxkFHY5DyGSwHPknyM04Q==,type:str] + VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:BBxwxXEq,iv:cSe3ANBS6q4qZLNZdra/PV1BCTNNl/OoJjUZRMZxbsA=,tag:2mNfU3rmMPOfNHMtIchVSg==,type:str] + WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:WJ4T1a4/9r74PEkc5M4WRzAg30UcMIx2eXzo7V4gz4K/XV8u4X/IBX6nMAdrCD8fnIAK9ZhVh083zzw=,iv:zhzNhaw1qNQ5qfEtk/pHlWWugSTEB3ag/1yhHuAOHWs=,tag:6buTTE6zP4omtDNF7zaiaA==,type:str] + WIREGUARD_DNS: ENC[AES256_GCM,data:Xz+WI/+T90ICoQ==,iv:2qnA70tcOmdC3NeaXoaGjQoGFRL7ZJJ6c+/E+3wMc8Q=,tag:kFaX2XX5Jao03kVtQ2SMjg==,type:str] + WIREGUARD_MTU: ENC[AES256_GCM,data:19spCA==,iv:xt09ktwkd+JoNDQLU7CqQ6OdA8Q+hQlgkgCqF1Mu2JM=,tag:yJ0mEKNTm9oRSqoP3+cMHA==,type:str] + WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: ENC[AES256_GCM,data:b2Po,iv:ZcCq0EfM8Dt97iarKr3iPPO4CWLbgAoxQz9w2z1WqWU=,tag:QNSANNuIpKTQ5X0SUIltZg==,type:str] + WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:JpVtEnkLimIVRi4VjDLQdjiWA1X7JvOmn7lYgqUcTvtYerct70qPUjStcEo=,iv:AFPjQ7/IDNVB742t7eJi1S9/TnYZu//pHAIrNE3huaU=,tag:t+MteOo1wXXb5lYSV+xXSg==,type:str] + WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:hJAlIoxsjv7+9PaVzBxhlB/F+8CqlfseQuoApfGq6tvuIx2kUv3rutzn3Cw=,iv:0wOpV3cLzpcd75UsnoMwvTvP2nDPw9k6IX9N7N8PUtM=,tag:z5F8nLnWgZn6cTx3lWLvoQ==,type:str] + WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:d8Gf3x5iKmskaUoljbEdOyVA1RkNDPnmMArexp/Ia+4yntPpv3TfJy2TnMI=,iv:pbSyRSPm8jeubPkMhT1mxkAlFQL48uRSGT4EhHK0gwc=,tag:ji/bNE4O/DaZxxmCBpInhg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUhUN09lTXA3YVloeEUx + WDJZcmxpVEpwU1J2WCtpSE52b2FvQ2VlRVN3CmpjV3p5M05EWlJTejMzelY4UU5j + eUxUa21DQXZhYjQvWE91ejNQcExFUFUKLS0tIGZOaGJzOC92M1o2N0x6Q1V0b28r + TnVKeHpQN1phYTE4WDlpa0s0S2FDZzAKPAamVca3n38HSE1cOvgFFIr9fhZY21Gm + PPeOc9udI87OVhsYiPMeoJn8A8vwRwp92mzubQcNnkiFohuWEg/VYA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-15T16:00:57Z" + mac: ENC[AES256_GCM,data:9EvzL4NQmAcbDUXdRuwuGrJ9cQo4/WT0DiT/3ptAoY6gM9T8YP5WHIFAcG2f3BGh55iRpfLYyrETulgr4J0ZyVAtc2ygczSCmVRRkJ8+165iKQ3InQOCY2fvlT29EJSt7TLPozuxvppDE18Xkjt/ZzODJbubyjKXsG7YFvvIYTY=,iv:OXaY/1SPV412e3FlZWpZddUZIRlBta9IxHOD0/tE30k=,tag:JgETvdDyFw3/P7QvtDG7QQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData|password)$ + version: 3.9.0 diff --git a/kubernetes/apps/default/sabnzbd/ks.yaml b/kubernetes/apps/default/sabnzbd/ks.yaml index 5dd297d51..5cf3cf013 100644 --- a/kubernetes/apps/default/sabnzbd/ks.yaml +++ b/kubernetes/apps/default/sabnzbd/ks.yaml @@ -12,7 +12,6 @@ spec: app.kubernetes.io/name: *app dependsOn: - name: external-secrets-stores - - name: stealth-gateway - name: volsync path: ./kubernetes/apps/default/sabnzbd/app prune: true
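Review bot: The WireGuard private and pre-shared keys are committed here as a sops/age-encrypted Secret, while the same directory already carries an `externalsecret.yaml` and the Kustomization depends on `external-secrets-stores`; keeping one credential on a second, age-key-based path means rotation and access review now have to cover two mechanisms for the same app. If the secret store can hold these values, an ExternalSecret producing `sabnzbd-gluetun-secret` keeps a single source of truth; if sops is deliberate here, a one-line comment on the Secret (e.g. `# kept in sops, not ESO: <reason>`) would spare the next reader the question. Since the whole Secret is injected via `envFrom`, every key including the private key becomes an environment variable of a root container, so avoid adding anything non-essential to it later.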
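Review bot: Dropping the `stealth-gateway` dependency leaves the pod still labelled `stealth-gateway: "true"` (an unchanged context line in the HelmRelease hunk), and the deleted network policy's annotation said the pod "must use stealth-gateway"; if anything in the cluster still selects that label, sabnzbd's egress would be steered to the old gateway as well as, or instead of, the gluetun tunnel. Remove the label from `pod.labels` in the HelmRelease in the same change, or leave a comment there explaining why it is intentionally kept. The `dependsOn` list itself reads fine as written.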