From f5f3821f3a9449e6c2212311e74b44fd243298f9 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Mon, 14 Oct 2024 21:23:55 +0200
Subject: [PATCH] Add an edge xray installation
---
 .../applications/helmfile-badhouseplants.yaml | 9 +
 .../secrets.server-xray-public-edge.yaml | 37 +++
 .../values.server-xray-public-edge.yaml | 259 ++++++++++++++++++
 .../values.server-xray-public.yaml | 2 +-
 values/badhouseplants/values.traefik.yaml | 6 +
 5 files changed, 312 insertions(+), 1 deletion(-)
 create mode 100644 values/badhouseplants/secrets.server-xray-public-edge.yaml
 create mode 100644 values/badhouseplants/values.server-xray-public-edge.yaml
diff --git a/installations/applications/helmfile-badhouseplants.yaml b/installations/applications/helmfile-badhouseplants.yaml
index abddc00..893567b 100644
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
@@ -115,3 +115,12 @@ releases:
 - template: default-env-values
 - template: ext-tcp-routes
 - template: ext-cilium
+ - name: server-xray-public-edge
+ chart: allangers-charts/server-xray
+ namespace: public-xray
+ version: 0.1.0
+ inherit:
+ - template: default-env-secrets
+ - template: default-env-values
+ - template: ext-tcp-routes
+ - template: ext-cilium
diff --git a/values/badhouseplants/secrets.server-xray-public-edge.yaml b/values/badhouseplants/secrets.server-xray-public-edge.yaml
new file mode 100644
index 0000000..8c3cf3c
--- /dev/null
+++ b/values/badhouseplants/secrets.server-xray-public-edge.yaml
@@ -0,0 +1,37 @@ +files: + config: + enabled: ENC[AES256_GCM,data:p4721g==,iv:Zp+m3P6vawpAdXO59bPcdgHvExuoZI480+4eg1zuFU8=,tag:C/SF9jbfLIMhJFXPEEBEFA==,type:bool] + sensitive: ENC[AES256_GCM,data:TJmIDP8=,iv:6OjVWwCxQETvi7uJkme/PzBEvyZ4AXlN3E+1IG+Gaqs=,tag:+oBak+FpBozTKthhPEyD2w==,type:bool] + remove: [] + entries: + config.json: + data: ENC[AES256_GCM,data:WAVeNK7i3bMQzTbszWHntrCEywXRenVt5migaPY0llYgJcpiqlWKo+jf3kHE7nZxKSdSiTjPf5X63jaUa9ip1BsVbxSCzl7XnFoUN4G9Ob8va+2cdXSzqsNAH6BudLs1+SVWAcxuhj5PA+tePEezG3blAZFXXG6Hz7mbJk9OvwLB/sCGViu+Ghe1iLWX/tZi2EFdfJa9My47hoGVS26hxUUxshgyihT96qGsTli/e/hmUvOPlH70ZKZW+/62yXz2WdMPAZMEYcsXw4ah8yPsKwI3or/txuo1wgLh1DC+3TmdiUsyF+4dW9rH5xS1NOgcPB6irfJpEuYayMqLZVHM7pk/GfMGqjosvLR3RSIcIifZR8VGSs3bSeYWnT5GpTu5CT0RzLgr3uTkRa6D7WeqycRRybf+LUuhir0gMOSgg6570oTfGW4Mj3fU3rf5aLZV/OEu67KQmIyZEKtNHHo0OKN1eh2bXQ0VfRDCbgD8ExEP+5DujhdDN9auHUgZnUPQeDdIooAiKE7Q8dl4ynnpX9ggQiZIGMA30DcDR9H9bZFBe3h01TIiBIaJmCGja43uULVnBC4Wx9XK5GcdngKmLSPwqGWEY2QPbhK/PNIQVYkyG3WhH1VhOwivsXqrtTOu6urOEdkTrhzFxhr3yNVyDmkXBxQh9qJBYRU+HERFRXBkE9DDuojGFaBmyD+7QWf+29k7/O91WSyLpBMcOFbgRCsNriLxUDAXSyyzedkI/6KGvqXJ1NN3X9xwlOmNcupZR2CPCGoAQv75+iP8MvhI2A/QSjd/QJa2xP/TzqLNUmql5lfljk2ZrPtpU0kUpWH+iJRt47xOj0vLlxxWz/BHBKsIWBxpONhOzt/pVxjmTL1iE+TExsrJLc/oOpyHfAJA7MXm7yUVBDKlANHWehc3c5m1eLASERyMsjpfS7yZEuy21J4ihMhu1wcD5SPOnC6xF9EslRdsFj3imO5MSpk5mscGkNCkoYnvbW3ZjPPLeUmSFW0q+84a0ihEkGu1OJQ9jvCGmF2zERg80oZZv6f7MftSxop5PMbuLBKd+hhUIIe0cVoi4lRIE364CloTrYdzdp74RqD7xnidgI/gj7oF2YF+YorElda+mBgb3sY+6kxROknpwe1j51Up3gcu2R4M4Qg9YJjhR37O5+sdThWiVAvH/JwhEQ+ewadnpuSfRcKLyfERu5jnMDs8NT7ANB7erY/GtbqDDEDJtr4kHMPkqI55UYrAtzX8GDQeNplrEAOY7dZKziPepSoOFuN5u7beh+6gYFeqfjKqsCc2EauFocdfhjPDitgjjtYbSSUkuOAf4gKSb3zIf7Ij+Rh3G6j5AQcAJMqUdQNMQRoMDE63APl4S0X6jZUrq5P3QU5ZOhPHt2p/waMNZ4nrMhJCjzZ1qbzBajrFSFXmzMGmt5XPdrT9cmLGmSPJIOcBXwg0sRuksjxwbFJWR4UDQi5J0BXK+V7Q6dxFmW4XLTj7113VLaMq7uuh66REFafznVM/iGmUxl8t2d6ENJGFpvxc5tFmO5rdapwT3K2/iExKg8W7IrTX6X48qS/S68WJ7DXb5U/7RQD0jz4EQLCuAy6joi/EX9enh40rtoZUlpPPjLybmXbMzZpazQunuBK6mc95
i2JDLM/wPV+Qfxrtt0L20UW0Sd45hsX0mhj2jK9UGmauZK6jiulPABSD0HTiFJKAmhXva1FDiRuAsw9A+GsDabMWU433tklk63nnpNTpNoh8NeGr47GIVgyXlsBcemvfoyoZ6hMevxpcVQbSTYRmGHH4Ja9oMl4QHuyD4zyWUGksc7SdsE8KUlNM7iEuD3/uSClXdue8+asC31/AKu/zmPj2S/C0OYrul17ZboVt7gPX22pIEtcB/9wA2xAzoG488Pn88p+Hs6LJf7YdZe76j0rT7bo4+baemOmt0YbCUtbzmaDUX6oDteV417NLAdzNW0QwpdkK+WlPPQmMSNvKNHgXVg6zGMIVRanThJdJUdfS/L/Q1JmBkMRi8syhHrO/uV9MebGHxXNrvas63ROki52QGqIlaYjlTyRU3Yjcjo6zDxbm/MyYsnWuh0KhfsCxoYoZcfJBCdq7wyJbgGtc21vmWwDpQo+4tYSxlAgLOPUfi0dykaOWF1JvM2oVWrnH1YFZAUkC9zspi8M/sDgIDHBGvuToT8RKjEf7O+U5KzhXPGA2nAGurhL9C8EmAZjy2fzfpKuaxvWv7B0QbGyeC/dnelFyEI+Inv7mVdz+qXbRKNfXfusEPyP1gBwYwkA05qzapHhKqZlGtF2CBYD8DZUJJpfPhQqULl5Yg8ikZTZStzWylh7gDeLkgWh+3SSncNmG+Faj/GR077CR5y5CvgFCw6+cvqS3j/h/nzjYzIeLmKUkctW93jXtxh4x1q5u0lIPKLK9oPivTxjoZQdkpTWmWHswNY/am9jEZ8Es+DvGp9PB3dfI1BeGF6ZolHmWoBLqmDiEMDIiCqbBp0+i6GnOk52sYMpy1HdlW3mfzRTEvnsICfTb9w8X+lu9My6Zmnh6+w9gJD1vzy0QOX3l8dWKVVXqMqoYJxvZ0HraQiBhBNnUnOlk9GCkuV51zTAFfsL2ri5X9WEJt8PijzPKhAmDJQMnAF70bLTBfzea4V8eaI/P6BEL3oxbpw9q2pjSKiQo42i9zYmN7noqM4Jhjq9ggTUsTdT7ar5KoYrNMAJwwYxEAHBMlikQlqRJR46YLDy99DpX6tUn73SBioox89f2t2ux256ZdLd58CZDLxVLH8jzIdXdGUm9uQLgTrRJeT1Ac+l27AYgtDqowJ7vy2sr7EiWIxJ3Qctt4mbjvwOhUgxFCjOs3vps9LKTlZ3NbEs/M4C5eBzMLNTV5hsQPg/IZvEboy8UNXRsYPIRmUgaOR2jm9fvWzCQzeyBLurJ24P2jetuB/wrUxoVSsWyr9SJ33RQWVxPG7wzjP57fMG7a+WQCDTEA/buTtcxXaQpFpKdFlraGyz3Nt6EJI4SNN0uiKwjXfoeN6LBsdjhWEhfovSids1HpWNIoIDjkVEGypEQ7uXHMyLCdBM+FLoXXWnReqa91ofbRlF8XKKh7rmOnu93Mu297RPa070lMeFwDjKq+M2Y2+u/kItxyQENG13CfvLUUs/14Yr4t8byoWHFns81R8I9K5B8X7yFMsUVKj3gLzwRyT70DiVy+kN/Qq1mfjUJV+Ct6Q/cKcGFZiWj/NWDnQyPigxVX3fWl9G6vK2edm/s8DtndzUIFO9qtd5bMD7SPYs5RoRdE6wV72tKJn9QJmHVsPubux6/k/NZzbmPDOr1nWgPaSkx5oT4FBxVwLpzmOvTHWISS5a/HzFjhtmg8jNXvqVeC0/XfhLTk2BA7Xw3muR2OLxZE9+kvqcuYYCyfUVvsSCjmDGK091pZ+dURvUXNWi0MDaY1QkfKcmfXD8d4znN1XAyv1OgdSfutQN4vNQd1CJVAKwf/Wmt7fIhxUONH7TiBGYpwVPipdp4ZMf1jfXTyZ3nhnjyqS8ySugOk3Dc99YRnjVVH+4gR4jMQr1pKV86AW4nGbKBGJ5qM8X8BhEK9rjkkStoHJM8BSo+PBOrG0OxEgto4R3itYCInf5gtK6EMQ1qxza8WjxaDEhTiH120Ud3
lH8YBly4RDQmIkJVxgkAuE0NZUfwX+WvNzb463opwJtBef72+GoXW156lu+TNd4TcXomVv9rGK2OpUNMMQXqz8oQaWuy1e4R6hGKDENSAnIhR5TayyV51TFnxVT+JugIj8y4JH7drb49FAZBUYB+DshtqCBNf2sGGEEdlRdEXApj2cCJckLC/gxUT+rgw8AN0DOXnGz0Vlor7ZKs5eE3dMz/ierMKRfVNSeE1Eqfqrz45NoBDkHDegJU40rkWKXC34X1UENXIVunwwlseIdYrzGvhaDqoSHz7sHZJcRSyLqBcDrPpTMQ2pElFOwjb3jmR2lq1H4jyYDHI0fAL5UkezyZLg==,iv:vxGxZsEDNanMqIFjb7aPGnZryfcxPam/GxL+a6GF5vg=,tag:F/+BnrZsnvseYup2I5rOgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbGxtdGhLdlUxWXFjL2oy + SEtwa09CMG1JN1M4ancrUHB1VFhzNURGYzNRCkhyWEszT04yeEdSeFFqdWNheVEy + U2lFcFJxRDNlZ092cXNqcFJISTlHTGcKLS0tIG9PYXJ6MnJLMkF6VC9pVU1kV09p + Z0hlQVE5YWVMTGVqenFlMENsVElWeDAKhr01CynUWRMGp1G1J4CGVnV6A8Sa/TWc + o6NZUQ1eJmEzewpQCTa9NBA3KSU2/72oLUb5bVqhnUZuwn1V+awfAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17fyzv5mezck364lvyepp9pa3tnjn7jvsgcpykhhz2smnxyq6fdusvl7waf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzSllTdmZrZE1tZ1RZaThy + d2xSNUFubGExZnhCckF1d1pSaGFNMTZmZGxnCmFVNURzZ2c5U1ZXMFlQTkdXVER6 + RkpEeHcwUXA1OWlWV3Q1dWxGOGsvcEkKLS0tIGoxSld2dFdZS3YrTW5rYUJKeUQx + T0FxVS9NUnlHRkREMDlWU0FIaU41OW8KbC8FSQCD2kxviuClUY7gdlwQWmSJ8T/3 + pYh5CZGeAvBbB0jVWJutg9uR3H8KRxUPj3Ietn6342dUa//JV4lqVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-14T12:38:17Z" + mac: ENC[AES256_GCM,data:+jU64zcEw5/WEgRzzJ+gfInkkV+QCtvy7OUbKS2OVE2wMHLxzpGPDOToE/A+kBGyjfFX3aMsbZktn1mE9AB+IjqzaoDGqWyZnP/sPaxqiW6tFLC1vNbgFnGHMa30+yuR2ClKsq8RlKZDxdStcTxtpT230XcKtQeVZGRL2OZoBHM=,iv:7sSepeSiriMkcNChdPjLkiEZaw43nVric4/UKylcJJs=,tag:gRF1QVQbRE5Q58G5qM4GHg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 
diff --git a/values/badhouseplants/values.server-xray-public-edge.yaml b/values/badhouseplants/values.server-xray-public-edge.yaml
new file mode 100644
index 0000000..10bb25a
--- /dev/null
+++ b/values/badhouseplants/values.server-xray-public-edge.yaml
@@ -0,0 +1,259 @@
+traefik:
+ enabled: true
+ tcpRoutes:
+ - name: server-xray-public-edge
+ service: server-xray-public-xray-https
+ match: HostSNI(`*`)
+ entrypoint: xray-edge
+ port: 443
+shortcuts:
+ hostname: xray-public.badhouseplants.net
+ingress:
+ main:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+ kubernetes.io/ingress.allow-http: "false"
+ kubernetes.io/ingress.class: traefik
+ kubernetes.io/ingress.global-static-ip-name: ""
+ kubernetes.io/tls-acme: "true"
+ meta.helm.sh/release-name: xray
+ meta.helm.sh/release-namespace: xray
+ traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+extraVolumes:
+ certs:
+ secret:
+ secretName: xray-public.badhouseplants.net
+workload:
+ replicas: 1
+ext-cilium:
+ enabled: true
+ ciliumNetworkPolicies:
+ - name: xray-public
+ endpointSelectors:
+ app.kubernetes.io/instance: server-xray-public-edge
+ app.kubernetes.io/name: server-xray
+ egress:
+ - toEntities:
+ - cluster
+ - toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ - toEntities:
+ - world
+ egressDeny:
+ - toCIDR:
+ - 93.158.213.92/32
+ - 93.158.213.92/32
+ - 185.243.218.213/32
+ - 91.216.110.53/32
+ - 23.157.120.14/32
+ - 94.243.222.100/32
+ - 208.83.20.20/32
+ - 156.234.201.18/32
+ - 209.141.59.16/32
+ - 34.89.51.235/32
+ - 109.201.134.183/32
+ - 83.102.180.21/32
+ - 185.230.4.150/32
+ - 45.9.60.30/32
+ - 5.181.156.41/32
+ - 156.234.201.18/32
+ - 34.89.51.235/32
+ - 83.6.102.25/32
+ - 51.222.82.36/32
+ - 125.227.79.123/32
+ - 193.42.111.57/32
+ - 135.125.202.143/32
+ - 176.56.7.44/32
+ - 185.87.45.163/32
+ - 181.214.58.63/32
+ - 143.198.64.177/32
+ - 5.255.124.190/32
+ - 52.58.128.163/32
+ - 15.204.57.168/32
+ - 34.94.76.146/32
+ - 211.23.142.127/32
+ - 64.23.195.62/32
+ - 23.153.248.83/32
+ - 82.156.24.219/32
+ - 37.235.176.37/32
+ - 176.123.1.180/32
+ - 35.227.59.57/32
+ - 62.210.114.129/32
+ - 185.216.179.62/32
+ - 34.94.76.146/32
+ - 121.199.16.229/32
+ - 23.163.56.66/32
+ - 176.99.7.59/32
+ - 207.241.231.226/32
+ - 207.241.226.111/32
+ - 27.151.84.136/32
+ - 104.244.77.14/32
+ - 5.102.159.190/32
+ - 184.61.17.58/32
+ - 125.227.79.123/32
+ - 181.214.58.63/32
+ - 95.217.167.10/32
+ - 159.148.57.222/32
+ - 15.204.57.168/32
+ - 211.23.142.127/32
+ - 34.94.76.146/32
+ - 187.56.163.73/32
+ - 109.71.253.37/32
+ - 5.182.86.242/32
+ - 104.244.77.14/32
+ - 190.146.242.81/32
+ - 89.110.76.229/32
+ - 138.124.183.78/32
+ - 209.126.11.233/32
+ - 167.99.185.219/32
+ - 37.59.48.81/32
+ - 27.151.84.136/32
+ - 142.132.183.104/32
+ - 193.53.126.151/32
+ - 74.48.17.122/32
+ - 93.158.213.92/32
+ - 156.234.201.18/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 184.61.17.58/32
+ - 125.227.79.123/32
+ - 104.21.58.176/32
+ - 172.67.162.102/32
+ - 181.214.58.63/32
+ - 93.185.165.29/32
+ - 95.217.167.10/32
+ - 159.148.57.222/32
+ - 15.204.57.168/32
+ - 211.75.210.220/32
+ - 125.227.79.123/32
+ - 211.23.142.127/32
+ - 172.67.165.72/32
+ - 104.21.57.182/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 187.56.163.73/32
+ - 109.71.253.37/32
+ - 5.182.86.242/32
+ - 104.244.77.14/32
+ - 193.53.126.151/32
+ - 104.19.22.31/32
+ - 104.19.22.22/32
+ - 104.19.22.27/32
+ - 104.19.22.23/32
+ - 104.19.22.30/32
+ - 104.19.22.24/32
+ - 104.19.22.26/32
+ - 104.19.22.29/32
+ - 104.19.22.32/32
+ - 104.19.22.28/32
+ - 104.19.22.25/32
+ - 74.48.17.122/32
+ - 184.61.17.58/32
+ - 104.21.62.230/32
+ - 172.67.139.235/32
+ - 172.67.135.244/32
+ - 104.21.26.114/32
+ - 104.21.72.244/32
+ - 172.67.136.175/32
+ - 172.67.183.130/32
+ - 104.21.64.112/32
+ - 104.26.10.105/32
+ - 104.26.11.105/32
+ - 172.67.70.119/32
+ - 172.67.144.128/32
+ - 104.21.71.114/32
+ - 172.67.161.130/32
+ - 104.21.65.89/32
+ - 172.67.156.75/32
+ - 104.21.40.186/32
+ - 65.21.91.32/32
+ - 184.61.17.58/32
+ - 104.21.82.111/32
+ - 172.67.200.173/32
+ - 104.21.13.129/32
+ - 172.67.200.14/32
+ - 104.21.89.147/32
+ - 172.67.160.224/32
+ - 172.67.139.235/32
+ - 104.21.62.230/32
+ - 93.158.213.92/32
+ - 185.243.218.213/32
+ - 91.216.110.53/32
+ - 23.157.120.14/32
+ - 94.243.222.100/32
+ - 208.83.20.20/32
+ - 156.234.201.18/32
+ - 209.141.59.16/32
+ - 34.94.76.146/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 109.201.134.183/32
+ - 83.102.180.21/32
+ - 185.230.4.150/32
+ - 45.9.60.30/32
+ - 5.181.156.41/32
+ - 83.6.102.25/32
+ - 54.39.48.3/32
+ - 51.222.82.36/32
+ - 125.227.79.123/32
+ - 193.42.111.57/32
+ - 135.125.202.143/32
+ - 176.56.7.44/32
+ - 185.87.45.163/32
+ - 93.185.165.29/32
+ - 181.214.58.63/32
+ - 143.198.64.177/32
+ - 5.255.124.190/32
+ - 52.58.128.163/32
+ - 15.204.57.168/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 211.23.142.127/32
+ - 211.75.210.220/32
+ - 125.227.79.123/32
+ - 64.23.195.62/32
+ - 51.81.222.188/32
+ - 23.153.248.83/32
+ - 82.156.24.219/32
+ - 37.235.176.37/32
+ - 51.15.41.46/32
+ - 176.123.1.180/32
+ - 104.244.77.87/32
+ - 34.94.76.146/32
+ - 34.89.51.235/32
+ - 35.227.59.57/32
+ - 62.210.114.129/32
+ - 185.216.179.62/32
+ - 34.94.76.146/32
+ - 34.89.51.235/32
+ - 35.227.59.57/32
+ - 121.199.16.229/32
+ - 35.227.59.57/32
+ - 34.89.51.235/32
+ - 34.94.76.146/32
+ - 23.163.56.66/32
+ - 176.99.7.59/32
+ - 207.241.231.226/32
+ - 207.241.226.111/32
+ - 27.151.84.136/32
+ - 51.159.54.68/32
+ - 104.244.77.14/32
+ - 5.102.159.190/32
+ - 190.146.242.81/32
+ - 89.110.76.229/32
+ - 89.47.160.50/32
+ - 138.124.183.78/32
+ - 209.126.11.233/32
+ - 167.99.185.219/32
+ - 27.151.84.136/32
+ - 37.59.48.81/32
+ - 27.151.84.136/32
+ - 142.132.183.104/32
+ - 159.148.57.222/32
+ - 159.148.57.222/32
diff --git a/values/badhouseplants/values.server-xray-public.yaml b/values/badhouseplants/values.server-xray-public.yaml
index aa51ca5..9e69764 100644
--- a/values/badhouseplants/values.server-xray-public.yaml
+++ b/values/badhouseplants/values.server-xray-public.yaml
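Review bot: The `tcpRoutes` entry at the top of values.server-xray-public-edge.yaml sets `service: server-xray-public-xray-https`, the same service the existing route in values.server-xray-public.yaml uses, so the new `xray-edge` entrypoint appears to forward to the old release rather than to this one. If the chart names the service after the release, the CiliumNetworkPolicy in this file (selector `app.kubernetes.io/instance: server-xray-public-edge`) and its `egressDeny` list would not govern the pods that actually serve the edge port; please confirm the service name and point the route at this release's own service. Separately, `toEntities: cluster` under `egress` lets the proxy workload open connections to every in-cluster endpoint, which for a publicly reachable proxy is worth narrowing to what it needs, since DNS is already covered by the port `"53"` rule. The `egressDeny` list also repeats many addresses (`93.158.213.92/32`, `34.94.76.146/32`, `125.227.79.123/32` and others), and the `meta.helm.sh/release-name: xray` and `meta.helm.sh/release-namespace: xray` annotations do not match this release; deduplicating the list and dropping those annotations would make the file easier to audit.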
@@ -3,7 +3,7 @@ traefik:
 tcpRoutes:
 - name: server-xray-public
 service: server-xray-public-xray-https
- match: HostSNI(`xray-public.badhouseplants.net`)
+ match: HostSNI(`*`)
 entrypoint: xray-public
 port: 443
 shortcuts:
diff --git a/values/badhouseplants/values.traefik.yaml b/values/badhouseplants/values.traefik.yaml
index 0da23ec..d779286 100644
--- a/values/badhouseplants/values.traefik.yaml
+++ b/values/badhouseplants/values.traefik.yaml
@@ -34,6 +34,12 @@ ports:
 default: true
 exposedPort: 27015
 protocol: TCP
+ xray-edge:
+ port: 27016
+ expose:
+ default: true
+ exposedPort: 27016
+ protocol: TCP
 # valve-server:
 # port: 27015
 # expose:
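Review bot: In values.server-xray-public.yaml the `match` rule goes from the host-specific form to the `*` wildcard, which removes the only hostname filter on the `xray-public` entrypoint, so every TCP connection reaching that port is handed to the xray service whatever SNI it presents. The new route in values.server-xray-public-edge.yaml uses the same catch-all, and values.traefik.yaml exposes its `xray-edge` port 27016 with `expose.default: true`, so the same holds there. The commit message gives no reason for the loosening; if it is deliberate, record it next to the rule, e.g. `# catch-all on purpose: <reason>`, so a later reader does not take it for a leftover. The `tcpRoutes` list begins above this hunk.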