|
|
@@ -35,9 +35,37 @@ spec:
|
|
|
name: http-web-svc
|
|
|
securityContext:
|
|
|
privileged: true
|
|
|
- envFrom:
|
|
|
- - secretRef:
|
|
|
- name: qbittorrentvpn-secret
|
|
|
+ env:
|
|
|
+ - name: DEBUG
|
|
|
+ value: "true"
|
|
|
+ - name: ENABLE_PRIVOXY
|
|
|
+ value: "no"
|
|
|
+ - name: LAN_NETWORK
|
|
|
+ value: "172.16.69.0/24,10.42.0.0/16"
|
|
|
+ - name: NAME_SERVERS
|
|
|
+ value: "209.244.0.3,209.244.0.4"
|
|
|
+ - name: PGID
|
|
|
+ value: "1000"
|
|
|
+ - name: PUID
|
|
|
+ value: "1000"
|
|
|
+ - name: STRICT_PORT_FORWARD
|
|
|
+ value: "yes"
|
|
|
+ - name: VPN_CLIENT
|
|
|
+ value: "wireguard"
|
|
|
+ - name: VPN_ENABLED
|
|
|
+ value: "yes"
|
|
|
+ - name: VPN_PROV
|
|
|
+ value: "airvpn"
|
|
|
+ - name: VPN_USER
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: qbittorrentvpn
|
|
|
+ key: VPN_USER
|
|
|
+ - name: VPN_PASS
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: qbittorrentvpn
|
|
|
+ key: VPN_PASS
|
|
|
livenessProbe:
|
|
|
exec:
|
|
|
command: ["curl", "--fail", "localhost:8080"]
|
|
|
@@ -70,6 +98,76 @@ spec:
|
|
|
path: /seedbox/torrents
|
|
|
type: Directory
|
|
|
---
|
|
|
+apiVersion: v1
|
|
|
+kind: Service
|
|
|
+metadata:
|
|
|
+ name: qbittorrentvpn-service
|
|
|
+ namespace: plex
|
|
|
+spec:
|
|
|
+ selector:
|
|
|
+ app: qbittorrentvpn
|
|
|
+ type: ClusterIP
|
|
|
+ ports:
|
|
|
+ - name: qbittorrentvpn-web-port
|
|
|
+ protocol: TCP
|
|
|
+ port: 8080
|
|
|
+ targetPort: http-web-svc
|
|
|
+---
|
|
|
+apiVersion: networking.k8s.io/v1
|
|
|
+kind: Ingress
|
|
|
+metadata:
|
|
|
+ name: qbittorrentvpn
|
|
|
+ namespace: plex
|
|
|
+ annotations:
|
|
|
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
|
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-lanonly@kubernetescrd
|
|
|
+spec:
|
|
|
+ rules:
|
|
|
+ - host: qbittorrentvpn.lan.jibby.org
|
|
|
+ http:
|
|
|
+ paths:
|
|
|
+ - path: /
|
|
|
+ pathType: Prefix
|
|
|
+ backend:
|
|
|
+ service:
|
|
|
+ name: qbittorrentvpn-service
|
|
|
+ port:
|
|
|
+ number: 8080
|
|
|
+---
|
|
|
+apiVersion: external-secrets.io/v1
|
|
|
+kind: ExternalSecret
|
|
|
+metadata:
|
|
|
+ name: qbittorrentvpn
|
|
|
+ namespace: plex
|
|
|
+spec:
|
|
|
+ target:
|
|
|
+ name: qbittorrentvpn
|
|
|
+ deletionPolicy: Delete
|
|
|
+ template:
|
|
|
+ type: Opaque
|
|
|
+ data:
|
|
|
+ VPN_USER: |-
|
|
|
+ {{ .username }}
|
|
|
+ VPN_PASS: |-
|
|
|
+ {{ .password }}
|
|
|
+ data:
|
|
|
+ - secretKey: username
|
|
|
+ sourceRef:
|
|
|
+ storeRef:
|
|
|
+ name: bitwarden-login
|
|
|
+ kind: ClusterSecretStore
|
|
|
+ remoteRef:
|
|
|
+ key: 19b0020e-51d3-42eb-b78b-b1d7012d1a8a
|
|
|
+ property: username
|
|
|
+ - secretKey: password
|
|
|
+ sourceRef:
|
|
|
+ storeRef:
|
|
|
+ name: bitwarden-login
|
|
|
+ kind: ClusterSecretStore
|
|
|
+ remoteRef:
|
|
|
+ key: 19b0020e-51d3-42eb-b78b-b1d7012d1a8a
|
|
|
+ property: password
|
|
|
+---
|
|
|
apiVersion: apps/v1
|
|
|
kind: Deployment
|
|
|
metadata:
|
|
|
@@ -93,9 +191,24 @@ spec:
|
|
|
ports:
|
|
|
- containerPort: 8000
|
|
|
name: metrics
|
|
|
- envFrom:
|
|
|
- - secretRef:
|
|
|
- name: qbittorrentvpn-exporter-secret
|
|
|
+ env:
|
|
|
+
|
|
|
+ - name: QBITTORRENT_HOST
|
|
|
+ value: qbittorrentvpn.lan.jibby.org
|
|
|
+ - name: QBITTORRENT_PORT
|
|
|
+ value: "443"
|
|
|
+ - name: QBITTORRENT_SSL
|
|
|
+ value: "True"
|
|
|
+ - name: QBITTORRENT_USER
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: qbittorrentvpn-exporter
|
|
|
+ key: QBITTORRENT_USER
|
|
|
+ - name: QBITTORRENT_PASS
|
|
|
+ valueFrom:
|
|
|
+ secretKeyRef:
|
|
|
+ name: qbittorrentvpn-exporter
|
|
|
+ key: QBITTORRENT_PASS
|
|
|
livenessProbe:
|
|
|
exec:
|
|
|
command:
|
|
|
@@ -114,21 +227,6 @@ spec:
|
|
|
---
|
|
|
apiVersion: v1
|
|
|
kind: Service
|
|
|
-metadata:
|
|
|
- name: qbittorrentvpn-service
|
|
|
- namespace: plex
|
|
|
-spec:
|
|
|
- selector:
|
|
|
- app: qbittorrentvpn
|
|
|
- type: ClusterIP
|
|
|
- ports:
|
|
|
- - name: qbittorrentvpn-web-port
|
|
|
- protocol: TCP
|
|
|
- port: 8080
|
|
|
- targetPort: http-web-svc
|
|
|
----
|
|
|
-apiVersion: v1
|
|
|
-kind: Service
|
|
|
metadata:
|
|
|
name: qbittorrentvpn-exporter-service
|
|
|
namespace: plex
|
|
|
@@ -144,27 +242,6 @@ spec:
|
|
|
port: 8000
|
|
|
targetPort: metrics
|
|
|
---
|
|
|
-apiVersion: networking.k8s.io/v1
|
|
|
-kind: Ingress
|
|
|
-metadata:
|
|
|
- name: qbittorrentvpn
|
|
|
- namespace: plex
|
|
|
- annotations:
|
|
|
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
|
- traefik.ingress.kubernetes.io/router.middlewares: kube-system-lanonly@kubernetescrd
|
|
|
-spec:
|
|
|
- rules:
|
|
|
- - host: qbittorrentvpn.lan.jibby.org
|
|
|
- http:
|
|
|
- paths:
|
|
|
- - path: /
|
|
|
- pathType: Prefix
|
|
|
- backend:
|
|
|
- service:
|
|
|
- name: qbittorrentvpn-service
|
|
|
- port:
|
|
|
- number: 8080
|
|
|
----
|
|
|
apiVersion: monitoring.coreos.com/v1
|
|
|
kind: PrometheusRule
|
|
|
metadata:
|
|
|
@@ -179,120 +256,154 @@ spec:
|
|
|
rules:
|
|
|
- alert: QbittorrentErroredTorrents
|
|
|
expr: sum(qbittorrent_torrents_count{status="error"}) > 0
|
|
|
-
|
|
|
-# Restart the above deployment reguarly. Sometimes VPN throughput slows down & a restart helps.
|
|
|
---
|
|
|
-apiVersion: batch/v1
|
|
|
-kind: CronJob
|
|
|
+apiVersion: external-secrets.io/v1
|
|
|
+kind: ExternalSecret
|
|
|
metadata:
|
|
|
- name: qbittorrentvpn-restart
|
|
|
+ name: qbittorrentvpn-exporter
|
|
|
namespace: plex
|
|
|
spec:
|
|
|
- schedule: "*/30 * * * *"
|
|
|
- successfulJobsHistoryLimit: 1
|
|
|
- failedJobsHistoryLimit: 1
|
|
|
- concurrencyPolicy: Forbid
|
|
|
- jobTemplate:
|
|
|
- spec:
|
|
|
- template:
|
|
|
- metadata:
|
|
|
- labels:
|
|
|
- app: qbittorrentvpn-restart
|
|
|
- spec:
|
|
|
- serviceAccountName: qbittorrentvpn-restart-serviceaccount
|
|
|
- securityContext:
|
|
|
- runAsUser: 1000
|
|
|
- runAsGroup: 1000
|
|
|
- restartPolicy: OnFailure
|
|
|
- containers:
|
|
|
- - name: qbittorrentvpn-restart
|
|
|
- image: python:3.14
|
|
|
- command:
|
|
|
- - python3
|
|
|
- - -c
|
|
|
- - |
|
|
|
- import subprocess
|
|
|
- import json
|
|
|
- import pprint
|
|
|
- import urllib.parse
|
|
|
- import sys
|
|
|
- import datetime
|
|
|
+ target:
|
|
|
+ name: qbittorrentvpn-exporter
|
|
|
+ deletionPolicy: Delete
|
|
|
+ template:
|
|
|
+ type: Opaque
|
|
|
+ data:
|
|
|
+ QBITTORRENT_USER: |-
|
|
|
+ {{ .username }}
|
|
|
+ QBITTORRENT_PASS: |-
|
|
|
+ {{ .password }}
|
|
|
+ data:
|
|
|
+ - secretKey: username
|
|
|
+ sourceRef:
|
|
|
+ storeRef:
|
|
|
+ name: bitwarden-login
|
|
|
+ kind: ClusterSecretStore
|
|
|
+ remoteRef:
|
|
|
+ key: 8dd7dfc3-800d-4af5-8a45-b23f0132806c
|
|
|
+ property: username
|
|
|
+ - secretKey: password
|
|
|
+ sourceRef:
|
|
|
+ storeRef:
|
|
|
+ name: bitwarden-login
|
|
|
+ kind: ClusterSecretStore
|
|
|
+ remoteRef:
|
|
|
+ key: 8dd7dfc3-800d-4af5-8a45-b23f0132806c
|
|
|
+ property: password
|
|
|
|
|
|
- # Vars to configure
|
|
|
- namespace = 'plex'
|
|
|
- qparams = {'labelSelector': 'app=qbittorrentvpn'}
|
|
|
- max_runtime = datetime.timedelta(days=3)
|
|
|
-
|
|
|
- # serviceaccount/k8s specific vars. Likely don't need to edit these.
|
|
|
- serviceaccount_dir = '/var/run/secrets/kubernetes.io/serviceaccount'
|
|
|
- apiserver = 'https://kubernetes.default.svc'
|
|
|
-
|
|
|
- token = open(f'{serviceaccount_dir}/token').read()
|
|
|
- result = subprocess.run([
|
|
|
- 'curl',
|
|
|
- '--cacert', f'{serviceaccount_dir}/ca.crt',
|
|
|
- '--header', f'Authorization: Bearer {token}',
|
|
|
- '-X', 'GET',
|
|
|
- f'{apiserver}/api/v1/namespaces/{namespace}/pods?{urllib.parse.urlencode(qparams)}'
|
|
|
- ],
|
|
|
- capture_output=True,
|
|
|
- check=True,
|
|
|
- )
|
|
|
-
|
|
|
- pod_list = json.loads(result.stdout)
|
|
|
- items = pod_list.get('items')
|
|
|
- if items is None or len(items) < 1:
|
|
|
- print(f'No pod found? Exiting. {pod_list=}')
|
|
|
- sys.exit(1)
|
|
|
- if len(items) > 1:
|
|
|
- print(f'>1 pod? Exiting. {items=}, {len(items)=}')
|
|
|
- sys.exit(1)
|
|
|
-
|
|
|
- pod = items[0]
|
|
|
- container_statuses = pod['status']['containerStatuses']
|
|
|
- if len(container_statuses) != 1:
|
|
|
- print(f'len(containerStatuses) != 1? Exiting. {container_statuses=}')
|
|
|
- sys.exit(1)
|
|
|
- running = container_statuses[0]['state'].get('running')
|
|
|
- if not running:
|
|
|
- print(f'Pod not running? Exiting. {container_statuses["state"]=}')
|
|
|
-
|
|
|
- started_at = datetime.datetime.fromisoformat(running["startedAt"])
|
|
|
- runtime = datetime.datetime.now(tz=datetime.UTC) - started_at
|
|
|
- print(f'{runtime=} > {max_runtime=} ? {runtime > max_runtime}')
|
|
|
- if runtime > max_runtime:
|
|
|
- pod_name = pod['metadata']['name']
|
|
|
- print(f'Deleting pod {pod_name}')
|
|
|
- result = subprocess.run([
|
|
|
- 'curl',
|
|
|
- '--cacert', f'{serviceaccount_dir}/ca.crt',
|
|
|
- '--header', f'Authorization: Bearer {token}',
|
|
|
- '-X', 'DELETE',
|
|
|
- f'{apiserver}/api/v1/namespaces/{namespace}/pods/{pod_name}'
|
|
|
- ],
|
|
|
- capture_output=True,
|
|
|
- check=True,
|
|
|
- )
|
|
|
----
|
|
|
-apiVersion: v1
|
|
|
-kind: ServiceAccount
|
|
|
-metadata:
|
|
|
- name: qbittorrentvpn-restart-serviceaccount
|
|
|
- namespace: plex
|
|
|
----
|
|
|
-apiVersion: rbac.authorization.k8s.io/v1
|
|
|
-kind: RoleBinding
|
|
|
-metadata:
|
|
|
- name: qbittorrentvpn-restart-serviceaccount-edit
|
|
|
- namespace: plex
|
|
|
-roleRef:
|
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
|
- kind: ClusterRole
|
|
|
- name: edit
|
|
|
-subjects:
|
|
|
-- kind: ServiceAccount
|
|
|
- name: qbittorrentvpn-restart-serviceaccount
|
|
|
- namespace: plex
|
|
|
+# Restart qbittorrentvpn reguarly. Sometimes VPN throughput slows down & a restart helps.
|
|
|
+#---
|
|
|
+#apiVersion: batch/v1
|
|
|
+#kind: CronJob
|
|
|
+#metadata:
|
|
|
+# name: qbittorrentvpn-restart
|
|
|
+# namespace: plex
|
|
|
+#spec:
|
|
|
+# schedule: "*/30 * * * *"
|
|
|
+# successfulJobsHistoryLimit: 1
|
|
|
+# failedJobsHistoryLimit: 1
|
|
|
+# concurrencyPolicy: Forbid
|
|
|
+# jobTemplate:
|
|
|
+# spec:
|
|
|
+# template:
|
|
|
+# metadata:
|
|
|
+# labels:
|
|
|
+# app: qbittorrentvpn-restart
|
|
|
+# spec:
|
|
|
+# serviceAccountName: qbittorrentvpn-restart-serviceaccount
|
|
|
+# securityContext:
|
|
|
+# runAsUser: 1000
|
|
|
+# runAsGroup: 1000
|
|
|
+# restartPolicy: OnFailure
|
|
|
+# containers:
|
|
|
+# - name: qbittorrentvpn-restart
|
|
|
+# image: python:3.14
|
|
|
+# command:
|
|
|
+# - python3
|
|
|
+# - -c
|
|
|
+# - |
|
|
|
+# import subprocess
|
|
|
+# import json
|
|
|
+# import pprint
|
|
|
+# import urllib.parse
|
|
|
+# import sys
|
|
|
+# import datetime
|
|
|
+#
|
|
|
+# # Vars to configure
|
|
|
+# namespace = 'plex'
|
|
|
+# qparams = {'labelSelector': 'app=qbittorrentvpn'}
|
|
|
+# max_runtime = datetime.timedelta(days=3)
|
|
|
+#
|
|
|
+# # serviceaccount/k8s specific vars. Likely don't need to edit these.
|
|
|
+# serviceaccount_dir = '/var/run/secrets/kubernetes.io/serviceaccount'
|
|
|
+# apiserver = 'https://kubernetes.default.svc'
|
|
|
+#
|
|
|
+# token = open(f'{serviceaccount_dir}/token').read()
|
|
|
+# result = subprocess.run([
|
|
|
+# 'curl',
|
|
|
+# '--cacert', f'{serviceaccount_dir}/ca.crt',
|
|
|
+# '--header', f'Authorization: Bearer {token}',
|
|
|
+# '-X', 'GET',
|
|
|
+# f'{apiserver}/api/v1/namespaces/{namespace}/pods?{urllib.parse.urlencode(qparams)}'
|
|
|
+# ],
|
|
|
+# capture_output=True,
|
|
|
+# check=True,
|
|
|
+# )
|
|
|
+#
|
|
|
+# pod_list = json.loads(result.stdout)
|
|
|
+# items = pod_list.get('items')
|
|
|
+# if items is None or len(items) < 1:
|
|
|
+# print(f'No pod found? Exiting. {pod_list=}')
|
|
|
+# sys.exit(1)
|
|
|
+# if len(items) > 1:
|
|
|
+# print(f'>1 pod? Exiting. {items=}, {len(items)=}')
|
|
|
+# sys.exit(1)
|
|
|
+#
|
|
|
+# pod = items[0]
|
|
|
+# container_statuses = pod['status']['containerStatuses']
|
|
|
+# if len(container_statuses) != 1:
|
|
|
+# print(f'len(containerStatuses) != 1? Exiting. {container_statuses=}')
|
|
|
+# sys.exit(1)
|
|
|
+# running = container_statuses[0]['state'].get('running')
|
|
|
+# if not running:
|
|
|
+# print(f'Pod not running? Exiting. {container_statuses["state"]=}')
|
|
|
+#
|
|
|
+# started_at = datetime.datetime.fromisoformat(running["startedAt"])
|
|
|
+# runtime = datetime.datetime.now(tz=datetime.UTC) - started_at
|
|
|
+# print(f'{runtime=} > {max_runtime=} ? {runtime > max_runtime}')
|
|
|
+# if runtime > max_runtime:
|
|
|
+# pod_name = pod['metadata']['name']
|
|
|
+# print(f'Deleting pod {pod_name}')
|
|
|
+# result = subprocess.run([
|
|
|
+# 'curl',
|
|
|
+# '--cacert', f'{serviceaccount_dir}/ca.crt',
|
|
|
+# '--header', f'Authorization: Bearer {token}',
|
|
|
+# '-X', 'DELETE',
|
|
|
+# f'{apiserver}/api/v1/namespaces/{namespace}/pods/{pod_name}'
|
|
|
+# ],
|
|
|
+# capture_output=True,
|
|
|
+# check=True,
|
|
|
+# )
|
|
|
+#---
|
|
|
+#apiVersion: v1
|
|
|
+#kind: ServiceAccount
|
|
|
+#metadata:
|
|
|
+# name: qbittorrentvpn-restart-serviceaccount
|
|
|
+# namespace: plex
|
|
|
+#---
|
|
|
+#apiVersion: rbac.authorization.k8s.io/v1
|
|
|
+#kind: RoleBinding
|
|
|
+#metadata:
|
|
|
+# name: qbittorrentvpn-restart-serviceaccount-edit
|
|
|
+# namespace: plex
|
|
|
+#roleRef:
|
|
|
+# apiGroup: rbac.authorization.k8s.io
|
|
|
+# kind: ClusterRole
|
|
|
+# name: edit
|
|
|
+#subjects:
|
|
|
+#- kind: ServiceAccount
|
|
|
+# name: qbittorrentvpn-restart-serviceaccount
|
|
|
+# namespace: plex
|
|
|
|
|
|
# qbit_manage to auto-tag by tracker URL
|
|
|
---
|
