wireguard

bootstrap/kustomizations/kustomization-wg-easy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: wg-easy
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./wg-easy
+  prune: true # remove any elements later removed from the above path
+  timeout: 2m # if not set, this defaults to interval duration, which is 1h
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: wg-easy
+      namespace: wg-easy

bootstrap/namespaces/namespace-wg-easy.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wg-easy

wg-easy/config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: wg-easy-config
+  namespace: wg-easy
+data:
+  LANG: "en"
+  WG_HOST: "wireguard.michaelthomson.dev"

wg-easy/deployment.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wg-easy
+  namespace: wg-easy
+spec:
+  selector:
+    matchLabels:
+      app: wg-easy
+  template:
+    metadata:
+      labels:
+        app: wg-easy
+    spec:
+      containers:
+      - name: wg-easy
+        image: ghcr.io/wg-easy/wg-easy
+        imagePullPolicy: Always
+        envFrom:
+        - configMapRef:
+            name: wg-easy-config
+            optional: false
+        ports:
+        - containerPort: 51820
+          protocol: UDP
+        - containerPort: 51821
+        volumeMounts:
+        - name: config
+          mountPath: /etc/wireguard
+      restartPolicy: Always
+      volumes:
+      - name: config
+        persistentVolumeClaim: 
+          claimName: wg-easy-config

wg-easy/dns-endpoint.yaml

@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: wireguard.michaelthomson.dev
+  namespace: wg-easy
+spec:
+  endpoints:
+  - dnsName: wireguard.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+      - michaelthomson.ddns.net
+    providerSpecific:
+      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+        value: "true"

wg-easy/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: wg-easy
+  namespace: wg-easy
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: wireguard.michaelthomson.dev
+    http:
+      paths:
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: wg-easy
+            port: 
+              name: http
+  tls:
+    - hosts:
+        - wireguard.michaelthomson.dev
+      secretName: letsencrypt-wildcard-cert-michaelthomson.dev

wg-easy/pvc-config.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wg-easy-config
+  namespace: wg-easy
+spec:
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce

wg-easy/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: wg-easy
+  namespace: wg-easy
+spec:
+  selector:
+    app: wg-easy
+  ports:
+  - port: 80
+    targetPort: 51821
+    name: http
+  - port: 51820
+    targetPort: 51820
+    name: udp