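# wg-easy (WireGuard + admin UI) on Kubernetes: namespace, persistent state,
# the Deployment, a cluster-internal Service for the admin UI, a TLS Ingress
# in front of that UI, and a NetworkPolicy restricting who can reach the pod.
---
apiVersion: v1
kind: Namespace
metadata:
  name: wireguard
---
# WireGuard server keys and peer configs are written under /etc/wireguard in
# the container; this claim keeps them across pod restarts.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wireguard-data
  namespace: wireguard
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg-easy
  namespace: wireguard
spec:
  replicas: 1
  # The pod binds hostPort 51820 and mounts a ReadWriteOnce volume, so the
  # default RollingUpdate strategy cannot bring up the replacement pod while
  # the old one is running: it stays Pending on the host port (or, on another
  # node, on the volume) and the rollout stalls. Recreate stops the old pod
  # first at the cost of a short VPN outage per update.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: wg-easy
  template:
    metadata:
      labels:
        app: wg-easy
    spec:
      # wg-easy has no need for the Kubernetes API; keep the service-account
      # token out of a container that runs with elevated capabilities.
      automountServiceAccountToken: false
      containers:
        - name: wg-easy
          # TODO: pin to a release tag or an image digest (@sha256:...); a
          # floating tag means every pod restart may pull a different,
          # unreviewed build.
          image: ghcr.io/wg-easy/wg-easy:latest
          env:
            - name: LANGUAGE
              value: it
            # Public endpoint written into the generated client configs.
            - name: WG_HOST
              value: "91.99.143.113"
            - name: WG_PORT
              value: "51820"
            - name: WG_DEFAULT_DNS
              value: "1.1.1.1, 8.8.8.8"
            # Full tunnel: clients send all IPv4 and IPv6 traffic through the VPN.
            - name: WG_ALLOWED_IPS
              value: "0.0.0.0/0, ::/0"
            # Admin UI credential, supplied pre-hashed from a Secret that is
            # managed outside this manifest.
            - name: PASSWORD_HASH
              valueFrom:
                secretKeyRef:
                  name: wireguard-ui-password
                  key: PASSWORD_HASH
          ports:
            # VPN traffic enters directly on the node via hostPort rather than
            # through the Service below.
            - name: vpn
              containerPort: 51820
              hostPort: 51820
              protocol: UDP
            - name: web
              containerPort: 51821
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /etc/wireguard
          securityContext:
            capabilities:
              add:
                # NET_ADMIN / NET_RAW: create the wg interface and manage
                # routes. SYS_MODULE allows loading kernel modules on the host;
                # if the node kernel already ships the wireguard module this
                # capability can be dropped - verify on the node first.
                - NET_ADMIN
                - SYS_MODULE
                - NET_RAW
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 64Mi
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: wireguard-data
---
# Cluster-internal Service for the admin UI only; the Ingress points here.
apiVersion: v1
kind: Service
metadata:
  name: wg-easy
  namespace: wireguard
spec:
  selector:
    app: wg-easy
  ports:
    - name: web
      port: 51821
      targetPort: 51821
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wg-easy
  namespace: wireguard
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Traefik middleware chain, applied in this order: CrowdSec bouncer,
    # Authelia forward-auth (SSO in front of the UI's own password), HTTPS
    # redirect. All three are Middleware objects in the default namespace.
    traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - secretName: wireguard-tls
      hosts:
        - vpn.davidepiu.xyz
  rules:
    - host: vpn.davidepiu.xyz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wg-easy
                port:
                  number: 51821
---
# Applies to every pod in the namespace (empty podSelector). Only ingress is
# restricted; egress stays open, which the VPN needs to forward peer traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress
  namespace: wireguard
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Admin UI: reachable only from kube-system (presumably where the Traefik
    # ingress controller runs), so the Authelia/CrowdSec chain cannot be
    # bypassed by pods in other namespaces.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 51821
          protocol: TCP
    # VPN: no `from`, so any source may reach 51820/UDP. Whether hostPort
    # traffic is subject to NetworkPolicy at all depends on the CNI; do not
    # rely on this rule as the only control for the VPN port.
    - ports:
        - port: 51820
          protocol: UDP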