From 48eee2161915fa4cf14af6715b38aa692653d27f Mon Sep 17 00:00:00 2001 From: Nikolai Rodionov Date: Wed, 22 Jan 2025 22:04:34 +0100 Subject: [PATCH] Add etersoft xray and increase gitea memory --- .pre-commit-config.yaml | 8 +- .../applications/helmfile-etersoft.yaml | 24 +- values/badhouseplants/values.gitea.yaml | 5 +- .../etersoft/secrets.server-xray-public.yaml | 37 +++ .../etersoft/values.server-xray-public.yaml | 271 ++++++++++++++++++ values/etersoft/values.traefik.yaml | 6 + 6 files changed, 338 insertions(+), 13 deletions(-) create mode 100644 values/etersoft/secrets.server-xray-public.yaml create mode 100644 values/etersoft/values.server-xray-public.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 767fc80..ecdf6b4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,10 +11,10 @@ repos: (?x)^( .*secrets.*yaml )$ - - repo: https://github.com/codespell-project/codespell - rev: v2.2.4 - hooks: - - id: codespell + # - repo: https://github.com/codespell-project/codespell + # rev: v2.2.4 + # hooks: + # - id: codespell - repo: local hooks: - id: check-sops-secrets diff --git a/installations/applications/helmfile-etersoft.yaml b/installations/applications/helmfile-etersoft.yaml index 08c07f1..d607c14 100644 --- a/installations/applications/helmfile-etersoft.yaml +++ b/installations/applications/helmfile-etersoft.yaml @@ -8,6 +8,8 @@ repositories: - name: gabe565 url: ghcr.io/gabe565/charts oci: true + - name: xray-docs + url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=main releases: - name: openvpn chart: allangers-charts/openvpn @@ -32,12 +34,6 @@ releases: - template: default-env-values - template: default-env-secrets - template: ext-database - - name: tf-ocloud - chart: ../../charts/tf-ocloud - namespace: pipelines - installed: false - inherit: - - template: default-env-secrets - name: nrodionov chart: bitnami/wordpress 
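Review bot: The codespell hook in `.pre-commit-config.yaml` is commented out with no reason recorded, and the commit subject does not mention it, so the check is likely to stay off unnoticed. If it was tripping on the files added here (an assumption), scoping it with a pre-commit `exclude:` pattern loses less than disabling it. Otherwise delete the block, or leave a marker such as `# codespell disabled: <reason>; re-enable once <condition>`. The `repos:` list starts outside the hunk.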
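Review bot: The new `xray-docs` repository URL tracks a branch (`?ref=main`), and the `xray-docs` release added in the later `@@ -52,3 +48,19 @@` hunk sets no `version:`. Every sync therefore deploys whatever is at the branch head into the `public-xray` namespace, next to the proxy. Pinning the ref to a tag, or a commit if the git plugin in use accepts one, makes the deployed chart reviewable: `url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=<tag-or-commit>`. The `repositories:` and `releases:` lists continue outside the hunk.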
@@ -52,3 +48,19 @@ releases: chart: ../../kustomizations/external-service-xray installed: true namespace: public-xray + + - name: server-xray-public + chart: allangers-charts/server-xray + namespace: public-xray + version: 0.5.0 + inherit: + - template: default-env-secrets + - template: default-env-values + - template: ext-tcp-routes + - template: ext-cilium + - template: ext-certificate + + - name: xray-docs + chart: xray-docs/xray-docs + installed: true + namespace: public-xray diff --git a/values/badhouseplants/values.gitea.yaml b/values/badhouseplants/values.gitea.yaml index a637901..566388e 100644 --- a/values/badhouseplants/values.gitea.yaml +++ b/values/badhouseplants/values.gitea.yaml @@ -40,16 +40,15 @@ replicaCount: 1 clusterDomain: cluster.local resources: limits: - cpu: 512m memory: 1024Mi requests: cpu: 512m - memory: 256Mi + memory: 1024Mi persistence: enabled: true size: 15Gi accessModes: - - ReadWriteMany + - ReadWriteOnce # ------------------------------------------ # -- Main Gitea settings # ------------------------------------------ diff --git a/values/etersoft/secrets.server-xray-public.yaml b/values/etersoft/secrets.server-xray-public.yaml new file mode 100644 index 0000000..20cdf9a --- /dev/null +++ b/values/etersoft/secrets.server-xray-public.yaml 
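Review bot: The `accessModes` change from `ReadWriteMany` to `ReadWriteOnce` in `values.gitea.yaml` is not covered by the commit subject, and an in-place upgrade cannot apply it, because a PersistentVolumeClaim's access modes are immutable once the claim exists. On an existing install the change either fails or is ignored, depending on how the chart manages the claim (not visible here). With `ReadWriteOnce` and a single replica, a rolling update can also stall if the new pod lands on a different node, so confirm the deployment strategy. A comment above the value would record the intent, for example `# RWO: single replica only; existing PVC must be recreated to change this`.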
@@ -0,0 +1,37 @@ +files: + config: + enabled: ENC[AES256_GCM,data:V7XhqQ==,iv:6XHLD5LS04vMIBLAU+PImTq0e+2wIK9BDLrT7OSjqqM=,tag:6HuYNWDxpSWIY7F+VdUX3Q==,type:bool] + sensitive: ENC[AES256_GCM,data:e0gXBRA=,iv:5uYltAj9gpJs7qwZ0WDRfbioH9xKBVbGFgy1Pl04fJ0=,tag:kTnoKyJTWzc+FpS+49DnNQ==,type:bool] + remove: [] + entries: + config.json: + data: ENC[AES256_GCM,data:eZ/w9tvQIneRDjq7MNT/tQorIiY0/bU+zDEG9fTfEytkkpeKe4DjZouSn2YDi4R0zct/qd5tSTeiPcb45hTPTCJD3EImtUYYKYVyl1nnMzcDwS58TgUpsC/Wen9V2UZge6nN5Irrldje1IjlOr56GxmQUVFI9+wqkmMgBUMF0j0YP/YhXuR+Ji0dFYqyKzmGJU4ekrHOtBRve5np9D0AdXXLCvCxQLwvLYq2Ula67s3B3YeXxq7Zt0NclkdA868mCxIKh9lFXW/WSstZ1P2cyJXW1WaR/fn3O3VSHM8vBKdoiQLuJpRYII5ooa+KJ2wnE3DswI84ih2nxPg7hMQio7MqUI3bI/qPWiD2PeKx8zceG/fstPTijWfN5bnr32s3pT2s5xnd9D+P0TVCSxmZ1u0hrMJ6WUFlTrXtOoK7LkpTNrIH7/57uhfAYwJpx9ECqzIERsNpdbxYF/yEwfiHDA8IDY56NPfSLyRahlWCiTx90LoYDlw9T91+OMrK+4zm33C+CoZzMZCHmeSl8n94KdnO8tz+wKQZMCvTHeGKy97UEiLJLdkTRrR+QZ/K25YtywsBQJJrsFYllg5WDjqMUIq1bQCXxsAjeX4JhTNvuHdHB21K+q+gxdudjs4wEMWBsF7aKAh5jQkQnNFg05xA4Gn1INBsFkCRgssH8nxK0PFSSLI/6loaM4UhiT+j4sNWAUtqdyUXXSo7I9qsOFpv65bQWYkkl/aKPv9yK2K7tGi73eDmTGeHrQoCZrABCP9zIwLyXHAfkSsUx6wcYUaKOtezEljTIle8yAyfDBy76XBkvJWyK/SNXGy4+G7/t3zB2CrBq71vYJjvHzFxyiNya2sBaYOJfvbHX6UAnFm4RfVnESTrUagJM713YuBbJUhWAwHQ81DOOYFuT8QGcpkiKmfE+4KtseGuZjSdiZt4q9qIJoK1tA2zbgQ7EbTVKydHF+jxUCXt/FuXW5yGoNeKC6qg8hknAV4kAHtzP4gtukrwWrwyctGVXYplsXE6waaHQwtShE27zt+1/OSXpQcnIEIQ+mv8CJvvFLE6ifTMpuSH/ifgVTt3MgP9rPC/O84v7+LjPbhAVPi0E5jTYMsa+QEgi81tisXEn6V5OXmNoGeNVEyC+4+XwQCKAaE+6phM+gYthdZUZlnD4ffVkzEow+IYXczNugyzka29HJm4vaiLrUF6ws71gMx+Sye6xeGG2tegUGxrzZcHzRWyHPzPioepihhD/veiRexqqesjlFsgqWn2lNW0q5fuslKNFFrYkX0Xv5aReVfjOEpsNF0kQHg9/PZaEexzpfw0MBu62hJkrsbmkboK758ruV2DzaxRpQAMd2o3sowxAP+1IKBGuH/a1+NC7d1MalU/SjIFHmpFXxn7vC0s3YarjX997TLzNFcVYwdNV5IfIuvw+Z4L1WKgb+2RUFX5GHBTtnQMsS8Xvj/NYYZdo8pB8MBEleR52O2He1d3SdCQpwiVl05zC3+0eOnfCGWC/vu2Vc2lJDuOgaf+dAULH4LuL53Fs6/eDTGtuhB8B/99wsntdyA/dUXRM5Ytm48vSF3aG5kMGU6rM3JRx17AWsvAmStyEUQLzxoS61uljTyHnw8lnDnX3xwUBbc4VgggIk26ggxL
K0OInIIIk2UnKl+L5kRBuwit2ZfZuP+7OkokAt314/gaVEM+ItIqo8VVLd2YU+7nTK2hk6RGw2MyZZNsmdAJitgb40xo2QLCBq42gYhcXjNVA1RGEGGGOwb9Q6uVorkQ+6iTngVZtnEavekgddZlV7GZZ2dLDj8PH1Z6fwmAY3Ivm0dM7OOYuQpng+mjsNxVXp73eIZ9lN3eLreCMgXVoCCITPcvljdwtVUuIT+xJdfqqbgM4rdrY/FqVQetNwJylciGKIGeKY85NljkWW28jhjxSgaqHt8BgsLmMcIMCMWQWQLfny8mFlR42EzxLa41zfLAsOJzhMsSuY0O3pDvpIPscZqMr4yffJxtTWKRqQCK9CBOPWAz7KO11xiPAy42uG4XtTEEYqErejqNiVGBEjqCdnz6ak+N15EiJ+PptUPKqPNQCO02wDP/lN095Ay1LBfVC+0p0n/+76qpkHTlGUEZ+CjKinbMTAY5g+k2pTBbkz0j0cpZg/nmURB+l8PZh//Z+BH0GsLTelhCXZjr5I6a5Kv60h0Syv8zXE7qtlNBsdU7sQDkUKOQTDa1Oq+DirUALMjNQ/h6aL1rC/3tr4aFH3uDqkTQZjDElwAUc6woqmhlqn8dlreQ4d5W4eega7g2vChD7gxB+7EMgDrLGwN1X4zuZ/ByNv1Vuu1qoJR5gfGTiNResguF7zs5oMAASvNFK+xL385iPY7STnQ+IHKU/bFNXdgDYNO9ze+b3FQzr2onI86HWeJQXuAhCH4zPKYqNEjYJXy6zCeGapjEPgL48k7zbSDMdAXgOO64IFL4JlqJJf5UgjSgnPN25MH7/UjniaqHykkb2S5R8mv9VseMCUrgBAZxFG7v3mMFWBlDgdLLxNgFgkHdSV9k6bVSPfbnj+iQi9Jl26pU6W3r1p2yjnJ31eIFuyu3mvVL+htpZT7TA4qpJ1cfHWP6qsZTOxzI2i+yt5jEmupnuZ9HviriEa3Yt32xw/jehx9Pkb7VtgplWriiq7QTnSGuRn4H1ChJOxGlB1VnObteLNnSJonekaJ4oS0oQsVSa6gn63KlS6rODYjQ7UQggwdIeCJ8iiP1g2Cp0i1bIBKkfzaNz0I41AqDi4mVvjcExHJqm7kRQphYTK/kzp7zeJfEI6tsNib6V7zvfz4vAQ/bhT+bPQm/wIboUZsY7Ra1daBuhjqnKcu321G/FcsEhnSR1SokxYnGKOwAJofAJmyD4Pd7yxMIxXB/oqPxQ5TCKrnOJQZ+Nwpm4Qa5cPWtk0rOGOLQsAtYrHgaC7CwtLYOL4AA+YGH2XYaezWHEw33uOcY1+jPQTB3FlUW84RDWWYxVoUCf4RSbZlflqX9GkRfBWT6UCes3Z2XVa3cUvw+BFMvwhmAqCtrGz8OSVXIgOZYfMXwMX85eQ2Gs1OtUFI4f47qfQJajQPR3G97bpDcvQRptJoO6vMwJKkq1Q5/vgcWWA2t/7NL/YqRyssoBwdOKtUjrYbUynJ9ojd5nwQU0TXpdL0BF06kB+gxfINrzTQO4l9c7AxVQHwVImx78ETB5a5dhKwS2d9+e/QqjNH8TjkeCUDoP+7tFVuutehL5FbrQ85gP+SFpli8b/KML/ZGSiyzwp0maxISFZCbfcEFKVoVCj2HgRfxJf8HPatmQPtTYzP4ukmxFYpmyuY=,iv:eZ5E3aVB4VqGxbZuKgj2HNCb7MKUXa6zEtJHoX1+i6o=,tag:Z/NTk69Mt3jOgjBQdjM3HA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArLzRrUVNzVXhhUmd6ZjAr + cnduVkF2T2JuRkt2aDd4UXBjVHJyTDlnaGhjCmtodlhLY1Z6L2ptbmZPOHQxTGhI + bnNTa050dzM2S0RYWWJBY0JUTk11bk0KLS0tIHNKemJubldtRmRQSjZJaHdsOGVF + aUZicmNkZUlFSEZwVUZQWno5akNTc2MK29Tem5YjN0TmmNZ7Ol29DcGBdJebwVNR + ncrp8W7aSmP3eLv4J/PhdpTEWlmGPof+kwvej5/SC5QwWQ0Qee8pyw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17fyzv5mezck364lvyepp9pa3tnjn7jvsgcpykhhz2smnxyq6fdusvl7waf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmeGZUMlh5UExuemZTRDlr + dk54WENSeWl5cDFJSmJVYXFHU0hncTdVbXpjCnhSZWlKa01JU1pVU3EyblhVVUVl + NUc2NmMrelJlM2VyWTZaRE0rS3gvcTAKLS0tIEV5WnVsMXBPN2dtR2pHd2FVOER1 + dklzSWVOQk5YVTgzVHFNQmZkeXcyU0UKvh0CaFhEsD0EAYmV0H3wYirPVG6OJnLp + /zDuJ5U2C5LHOYkFc+rq+wKUAHjQLtw93kQI4r3YQulSSLl9HQFV8Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-20T11:45:50Z" + mac: ENC[AES256_GCM,data:QBnJTY5u0P9gE6ptVO5MQHfn7PWlaSEdJ6gsRXpxsyH8qlyLMar4bNU7ws7XSX3ilqBRJNPrQL2tTnEYwPG/IIz3MT/drlb9KcEx/H0hFVefwsB8NmGOaWbfMuKKAc37KR8By1Dwjf36Y+AD/K7KLcF+e3B0+UtwQoOyTcI/PYY=,iv:e4lBFWt3CBMu1e9iY3W+MnTUio+pdKqSb5ecFeZAE3I=,tag:vtKiNLs/Ts+8p3RuaZ4ksg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.3 diff --git a/values/etersoft/values.server-xray-public.yaml b/values/etersoft/values.server-xray-public.yaml new file mode 100644 index 0000000..45ca41c --- /dev/null +++ b/values/etersoft/values.server-xray-public.yaml 
@@ -0,0 +1,271 @@
+certificate:
+ enabled: true
+ certificate:
+ - name: xray-public-e.badhouseplants.net
+ secretName: xray-public-e.badhouseplants.net
+ issuer:
+ kind: ClusterIssuer
+ name: badhouseplants-issuer-http01
+ dnsNames:
+ - xray-public-e.badhouseplants.net
+
+traefik:
+ enabled: true
+ tcpRoutes:
+ - name: server-xray-public
+ service: server-xray-public-xray-https
+ match: HostSNI(`*`)
+ entrypoint: xray-internal
+ port: 443
+shortcuts:
+ hostname: xray-public-e.badhouseplants.net
+ingress:
+ main:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.allow-http: "false"
+ kubernetes.io/ingress.class: traefik
+ kubernetes.io/ingress.global-static-ip-name: ""
+ kubernetes.io/tls-acme: "true"
+ meta.helm.sh/release-name: xray
+ meta.helm.sh/release-namespace: xray
+ traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+extraVolumes:
+ certs:
+ secret:
+ secretName: xray-public-e.badhouseplants.net
+
+workload:
+ replicas: 2
+
+ext-cilium:
+ enabled: true
+ ciliumNetworkPolicies:
+ - name: xray-public
+ endpointSelectors:
+ app.kubernetes.io/instance: server-xray-public
+ app.kubernetes.io/name: server-xray
+ egress:
+ - toEntities:
+ - cluster
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ - toEntities:
+ - world
+ egressDeny:
+ - toCIDR:
+ - 93.158.213.92/32
+ - 93.158.213.92/32
+ - 185.243.218.213/32
+ - 91.216.110.53/32
+ - 23.157.120.14/32
+ - 94.243.222.100/32
+ - 208.83.20.20/32
+ - 156.234.201.18/32
+ - 209.141.59.16/32
+ - 34.89.51.235/32
+ - 109.201.134.183/32
+ - 83.102.180.21/32
+ - 185.230.4.150/32
+ - 45.9.60.30/32
+ - 5.181.156.41/32
+ - 156.234.201.18/32
+ - 34.89.51.235/32
+ - 83.6.102.25/32
+ - 51.222.82.36/32
+ - 125.227.79.123/32
+ - 193.42.111.57/32
+ - 135.125.202.143/32
+ - 176.56.7.44/32
+ - 185.87.45.163/32
+ - 181.214.58.63/32
+ - 143.198.64.177/32
+ - 5.255.124.190/32
+ - 52.58.128.163/32
+ - 15.204.57.168/32
+ - 34.94.76.146/32
+ - 211.23.142.127/32
+ - 64.23.195.62/32
+ - 23.153.248.83/32
+ - 82.156.24.219/32
+ - 37.235.176.37/32
+ - 176.123.1.180/32
+ - 35.227.59.57/32
+ - 62.210.114.129/32
+ - 185.216.179.62/32
+ - 34.94.76.146/32
+ - 121.199.16.229/32
+ - 23.163.56.66/32
+ - 176.99.7.59/32
+ - 207.241.231.226/32
+ - 207.241.226.111/32
+ - 27.151.84.136/32
+ - 104.244.77.14/32
+ - 5.102.159.190/32
+ - 184.61.17.58/32
+ - 125.227.79.123/32
+ - 181.214.58.63/32
+ - 95.217.167.10/32
+ - 159.148.57.222/32
+ - 15.204.57.168/32
+ - 211.23.142.127/32
+ - 34.94.76.146/32
+ - 187.56.163.73/32
+ - 109.71.253.37/32
+ - 5.182.86.242/32
+ - 104.244.77.14/32
+ - 190.146.242.81/32
+ - 89.110.76.229/32
+ - 138.124.183.78/32
+ - 209.126.11.233/32
+ - 167.99.185.219/32
+ - 37.59.48.81/32
+ - 27.151.84.136/32
+ - 142.132.183.104/32
+ - 193.53.126.151/32
+ - 74.48.17.122/32
+ - 93.158.213.92/32
+ - 156.234.201.18/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 184.61.17.58/32
+ - 125.227.79.123/32
+ - 104.21.58.176/32
+ - 172.67.162.102/32
+ - 181.214.58.63/32
+ - 93.185.165.29/32
+ - 95.217.167.10/32
+ - 159.148.57.222/32
+ - 15.204.57.168/32
+ - 211.75.210.220/32
+ - 125.227.79.123/32
+ - 211.23.142.127/32
+ - 172.67.165.72/32
+ - 104.21.57.182/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 187.56.163.73/32
+ - 109.71.253.37/32
+ - 5.182.86.242/32
+ - 104.244.77.14/32
+ - 193.53.126.151/32
+ - 104.19.22.31/32
+ - 104.19.22.22/32
+ - 104.19.22.27/32
+ - 104.19.22.23/32
+ - 104.19.22.30/32
+ - 104.19.22.24/32
+ - 104.19.22.26/32
+ - 104.19.22.29/32
+ - 104.19.22.32/32
+ - 104.19.22.28/32
+ - 104.19.22.25/32
+ - 74.48.17.122/32
+ - 184.61.17.58/32
+ - 104.21.62.230/32
+ - 172.67.139.235/32
+ - 172.67.135.244/32
+ - 104.21.26.114/32
+ - 104.21.72.244/32
+ - 172.67.136.175/32
+ - 172.67.183.130/32
+ - 104.21.64.112/32
+ - 104.26.10.105/32
+ - 104.26.11.105/32
+ - 172.67.70.119/32
+ - 172.67.144.128/32
+ - 104.21.71.114/32
+ - 172.67.161.130/32
+ - 104.21.65.89/32
+ - 172.67.156.75/32
+ - 104.21.40.186/32
+ - 65.21.91.32/32
+ - 184.61.17.58/32
+ - 104.21.82.111/32
+ - 172.67.200.173/32
+ - 104.21.13.129/32
+ - 172.67.200.14/32
+ - 104.21.89.147/32
+ - 172.67.160.224/32
+ - 172.67.139.235/32
+ - 104.21.62.230/32
+ - 93.158.213.92/32
+ - 185.243.218.213/32
+ - 91.216.110.53/32
+ - 23.157.120.14/32
+ - 94.243.222.100/32
+ - 208.83.20.20/32
+ - 156.234.201.18/32
+ - 209.141.59.16/32
+ - 34.94.76.146/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 109.201.134.183/32
+ - 83.102.180.21/32
+ - 185.230.4.150/32
+ - 45.9.60.30/32
+ - 5.181.156.41/32
+ - 83.6.102.25/32
+ - 54.39.48.3/32
+ - 51.222.82.36/32
+ - 125.227.79.123/32
+ - 193.42.111.57/32
+ - 135.125.202.143/32
+ - 176.56.7.44/32
+ - 185.87.45.163/32
+ - 93.185.165.29/32
+ - 181.214.58.63/32
+ - 143.198.64.177/32
+ - 5.255.124.190/32
+ - 52.58.128.163/32
+ - 15.204.57.168/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 211.23.142.127/32
+ - 211.75.210.220/32
+ - 125.227.79.123/32
+ - 64.23.195.62/32
+ - 51.81.222.188/32
+ - 23.153.248.83/32
+ - 82.156.24.219/32
+ - 37.235.176.37/32
+ - 51.15.41.46/32
+ - 176.123.1.180/32
+ - 104.244.77.87/32
+ - 34.94.76.146/32
+ - 34.89.51.235/32
+ - 35.227.59.57/32
+ - 62.210.114.129/32
+ - 185.216.179.62/32
+ - 34.94.76.146/32
+ - 34.89.51.235/32
+ - 35.227.59.57/32
+ - 121.199.16.229/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 23.163.56.66/32
+ - 176.99.7.59/32
+ - 207.241.231.226/32
+ - 207.241.226.111/32
+ - 27.151.84.136/32
+ - 51.159.54.68/32
+ - 104.244.77.14/32
+ - 5.102.159.190/32
+ - 190.146.242.81/32
+ - 89.110.76.229/32
+ - 89.47.160.50/32
+ - 138.124.183.78/32
+ - 209.126.11.233/32
+ - 167.99.185.219/32
+ - 27.151.84.136/32
+ - 37.59.48.81/32
+ - 27.151.84.136/32
+ - 142.132.183.104/32
+ - 159.148.57.222/32
+ - 159.148.57.222/32
diff --git a/values/etersoft/values.traefik.yaml b/values/etersoft/values.traefik.yaml
index 7ec3b1c..dcd0a09 100644
--- a/values/etersoft/values.traefik.yaml
+++ b/values/etersoft/values.traefik.yaml
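Review bot: The first egress rule in the `xray-public` policy, `toEntities: cluster`, lets a publicly reachable proxy workload open connections to every endpoint in the cluster. Traffic that clients tunnel through xray can therefore reach in-cluster services unless the encrypted xray config blocks it (not visible here). Consider limiting in-cluster egress to the DNS resolver and keeping only the `world` rule for outbound traffic, as sketched below; this assumes the chart passes rules through to the CiliumNetworkPolicy unchanged, and the resolver labels need confirming for this cluster. The `egressDeny` list also repeats many addresses (for example `93.158.213.92/32` and `34.94.76.146/32`) and has no comment on where it came from, so a deduplicated list with a one-line provenance comment would be easier to audit. Separately, the ingress annotations `meta.helm.sh/release-name: xray` and `meta.helm.sh/release-namespace: xray` do not match this release (`server-xray-public` in `public-xray`) and look copied from another install.

```yaml
    egress:
      # DNS only, and only to the cluster resolver (labels assumed; confirm)
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - port: "53"
                protocol: ANY
      - toEntities:
          - world
    # … unchanged: egressDeny list …
```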
@@ -11,6 +11,12 @@ ports: default: true exposedPort: 27015 protocol: TCP + xray-internal: + port: 27016 + expose: + default: true + exposedPort: 27016 + protocol: TCP providers: # @schema additionalProperties: false kubernetesCRD: enabled: true
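Review bot: The new entrypoint is named `xray-internal`, but `expose.default: true` publishes port 27016 on the default Traefik Service. The only route this commit binds to it is the public xray server's catch-all HostSNI TCP route, so the name understates its exposure. Either rename it to reflect that it is public, or add a comment above it such as `# public TCP entrypoint for server-xray-public, despite the name`. If it is meant to be internal only, `expose.default` should not be `true`. The `ports:` mapping starts outside the hunk.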