diff --git a/clusters/lab/apps/wireguard.yaml b/clusters/lab/apps/wireguard.yaml
new file mode 100644
index 0000000..3ce86bc
--- /dev/null
+++ b/clusters/lab/apps/wireguard.yaml
@@ -0,0 +1,142 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wireguard
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: wireguard-data
+ namespace: wireguard
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 100Mi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wg-easy
+ namespace: wireguard
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wg-easy
+ template:
+ metadata:
+ labels:
+ app: wg-easy
+ spec:
+ containers:
+ - name: wg-easy
+ image: ghcr.io/wg-easy/wg-easy:latest
+ env:
+ - name: LANGUAGE
+ value: it
+ - name: WG_HOST
+ value: "91.99.143.113"
+ - name: WG_PORT
+ value: "51820"
+ - name: WG_DEFAULT_DNS
+ value: "1.1.1.1, 8.8.8.8"
+ - name: WG_ALLOWED_IPS
+ value: "0.0.0.0/0, ::/0"
+ - name: PASSWORD_HASH
+ valueFrom:
+ secretKeyRef:
+ name: wireguard-ui-password
+ key: PASSWORD_HASH
+ ports:
+ - name: vpn
+ containerPort: 51820
+ hostPort: 51820
+ protocol: UDP
+ - name: web
+ containerPort: 51821
+ protocol: TCP
+ volumeMounts:
+ - name: data
+ mountPath: /etc/wireguard
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ - NET_RAW
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 200m
+ memory: 64Mi
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: wireguard-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: wg-easy
+ namespace: wireguard
+spec:
+ selector:
+ app: wg-easy
+ ports:
+ - name: web
+ port: 51821
+ targetPort: 51821
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: wg-easy
+ namespace: wireguard
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
+spec:
+ ingressClassName: traefik
+ tls:
+ - secretName: wireguard-tls
+ hosts:
+ - vpn.davidepiu.xyz
+ rules:
+ - host: vpn.davidepiu.xyz
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: wg-easy
+ port:
+ number: 51821
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress
+ namespace: wireguard
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - port: 51821
+ protocol: TCP
+ - ports:
+ - port: 51820
+ protocol: UDP
diff --git a/clusters/lab/security/trivy-operator.yaml b/clusters/lab/security/trivy-operator.yaml
deleted file mode 100644
index 5fa26c7..0000000
--- a/clusters/lab/security/trivy-operator.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: aquasecurity
- namespace: flux-system
-spec:
- interval: 1h
- url: https://aquasecurity.github.io/helm-charts/
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: trivy-operator
- namespace: flux-system
-spec:
- interval: 1h
- targetNamespace: trivy-system
- install:
- createNamespace: true
- chart:
- spec:
- chart: trivy-operator
- sourceRef:
- kind: HelmRepository
- name: aquasecurity
- interval: 1h
- values:
- trivy:
- resources:
- requests:
- cpu: 10m
- memory: 64Mi
- limits:
- cpu: 500m
- memory: 512Mi
- operator:
- scanJobsConcurrentLimit: 1
- vulnerabilityScannerScanOnlyCurrentRevisions: true
- clusterComplianceEnabled: false
- serviceMonitor:
- enabled: false
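Review bot: The `SYS_MODULE` capability in the wg-easy container's `securityContext.capabilities.add` lets the process load arbitrary kernel modules, which is effectively root on the node and more than a WireGuard manager needs once the host kernel ships the wireguard module (mainline since 5.6); drop `- SYS_MODULE` (and `- NET_RAW` unless wg-easy's firewall rules are confirmed to need it on this kernel), keep `NET_ADMIN`, and re-add only if the module is observed missing on the lab nodes. The image is pulled as `ghcr.io/wg-easy/wg-easy:latest`, so any pod restart can silently run a different build; pin to a release tag plus digest, e.g. `image: ghcr.io/wg-easy/wg-easy:<pinned-tag>@sha256:<digest>`. The Deployment combines `replicas: 1`, a `hostPort` and a ReadWriteOnce PVC but sets no update strategy, so the default rolling update will wedge on the port and volume conflicts; add `strategy: { type: Recreate }` under the Deployment `spec`. The NetworkPolicy's second ingress rule deliberately has no `from`, opening 51820/UDP to any source, which is correct for the VPN listener but deserves a comment such as `# VPN endpoint: reachable from any source by design` so it is not tightened by mistake later.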