From 03685456239970fa7f4dbf458ac007335ca4a8f6 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Tue, 6 Feb 2024 16:18:12 +0100
Subject: [PATCH] vpn
---
 packages/apps/vpn/templates/deployment.yaml | 83 +++++++++++++++++++++
 packages/apps/vpn/templates/secret.yaml | 55 ++++++++++++++
 packages/apps/vpn/templates/service.yaml | 25 +++++++
 packages/apps/vpn/templates/tls.yaml | 21 ++++++
 packages/apps/vpn/values.yaml | 15 ++--
 5 files changed, 189 insertions(+), 10 deletions(-)
 create mode 100644 packages/apps/vpn/templates/deployment.yaml
 create mode 100644 packages/apps/vpn/templates/secret.yaml
 create mode 100644 packages/apps/vpn/templates/service.yaml
 create mode 100644 packages/apps/vpn/templates/tls.yaml
diff --git a/packages/apps/vpn/templates/deployment.yaml b/packages/apps/vpn/templates/deployment.yaml
new file mode 100644
index 00000000..745c5192
--- /dev/null
+++ b/packages/apps/vpn/templates/deployment.yaml
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-vpn
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-vpn
+ name: {{ .Release.Name }}-vpn
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-vpn
+ name: {{ .Release.Name }}-vpn
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ spec:
+ volumes:
+ - name: cache
+ emptyDir: {}
+ - name: shadowbox-config
+ emptyDir: {}
+ - name: tls
+ secret:
+ secretName: {{ .Release.Name }}-vpn-tls
+ items:
+ - key: tls.crt
+ path: shadowbox.crt
+ - key: tls.key
+ path: shadowbox.key
+ defaultMode: 420
+ - name: shadowbox-server-config
+ secret:
+ secretName: {{ .Release.Name }}-vpn
+ items:
+ - key: shadowbox_config.json
+ path: shadowbox_config.json
+ - key: shadowbox_server_config.json
+ path: shadowbox_server_config.json
+ containers:
+ - name: outline-vpn
+ image: quay.io/outline/shadowbox:stable
+ ports:
+ - containerPort: 40000
+ protocol: TCP
+ #- containerPort: 60000
+ # protocol: TCP
+ env:
+ - name: SB_API_PORT
+ value: "60000"
+ #- name: SB_API_PREFIX
+ # value: b782eecb-bb9e-58be-614a-d5de1431d6b3
+ - name: SB_CERTIFICATE_FILE
+ value: /tmp/shadowbox.crt
+ - name: SB_PRIVATE_KEY_FILE
+ value: /tmp/shadowbox.key
+ volumeMounts:
+ - name: cache
+ mountPath: /cache
+ - name: shadowbox-config
+ mountPath: /opt/outline
+ - name: shadowbox-config
+ mountPath: /root/shadowbox
+ - name: shadowbox-server-config
+ readOnly: true
+ mountPath: /root/shadowbox/persisted-state/shadowbox_server_config.json
+ subPath: shadowbox_server_config.json
+ - name: shadowbox-server-config
+ readOnly: true
+ mountPath: /root/shadowbox/persisted-state/shadowbox_config.json
+ subPath: shadowbox_config.json
+ - name: tls
+ readOnly: true
+ mountPath: /tmp/shadowbox.crt
+ subPath: shadowbox.crt
+ - name: tls
+ readOnly: true
+ mountPath: /tmp/shadowbox.key
+ subPath: shadowbox.key
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 30
diff --git a/packages/apps/vpn/templates/secret.yaml b/packages/apps/vpn/templates/secret.yaml
new file mode 100644
index 00000000..56abb96d
--- /dev/null
+++ b/packages/apps/vpn/templates/secret.yaml
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-vpn
+type: Opaque
+stringData:
+ shadowbox_server_config.json: |
+ {
+ "rollouts": [
+ {
+ "id": "single-port",
+ "enabled": true
+ }
+ ],
+ "portForNewAccessKeys": 40000,
+ "hostname": "localhost"
+ }
+ shadowbox_config.json: |
+ {
+ "accessKeys": [
+ {
+ "id": "1",
+ "metricsId": "f33f7fbf-6750-485c-9ac0-2ec261b5aa03",
+ "name": "",
+ "password": "UhrU93bi2eBORvo4dwxsEw",
+ "port": 40000,
+ "encryptionMethod": "chacha20-ietf-poly1305"
+ },
+ {
+ "id": "2",
+ "metricsId": "aa72b1f0-f48c-49e2-b153-2fb8817e4b54",
+ "name": "sssss",
+ "password": "7IhWAD1GzaNjLCMyG0LVhK",
+ "port": 40000,
+ "encryptionMethod": "chacha20-ietf-poly1305"
+ },
+ {
+ "id": "3",
+ "metricsId": "aa72b1f0-f48c-49e2-b153-2fb8817e4b54",
+ "name": "foobar",
+ "password": "aaaaaaaaaaaaaaaaaaaaaa",
+ "port": 40000,
+ "encryptionMethod": "chacha20-ietf-poly1305"
+ },
+ {
+ "id": "4",
+ "metricsId": "703c05a9-e4cd-4af2-a7ec-41906525c512",
+ "name": "kvaps",
+ "password": "asdasdASD",
+ "port": 40000,
+ "encryptionMethod": "chacha20-ietf-poly1305"
+ }
+ ],
+ "nextId": 5
+ }
diff --git a/packages/apps/vpn/templates/service.yaml b/packages/apps/vpn/templates/service.yaml
new file mode 100644
index 00000000..9c7d305b
--- /dev/null
+++ b/packages/apps/vpn/templates/service.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-vpn
+ labels:
+ app: {{ .Release.Name }}-vpn
+spec:
+ ports:
+ #- name: apiport-tcp
+ # protocol: TCP
+ # port: 60000
+ # targetPort: 60000
+ - name: accessport-tcp
+ protocol: TCP
+ port: 40000
+ targetPort: 40000
+ - name: accessport-udp
+ protocol: UDP
+ port: 40000
+ targetPort: 40000
+ selector:
+ app: {{ .Release.Name }}-vpn
+ type: LoadBalancer
+ internalTrafficPolicy: Cluster
diff --git a/packages/apps/vpn/templates/tls.yaml b/packages/apps/vpn/templates/tls.yaml
new file mode 100644
index 00000000..cc3fd9b6
--- /dev/null
+++ b/packages/apps/vpn/templates/tls.yaml
@@ -0,0 +1,21 @@
+{{- $cn := "outline" -}}
+{{- $ca := genCA "outline-ca" 3650 -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-vpn-tls
+type: kubernetes.io/tls
+data:
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-vpn-tls" .Release.Name) }}
+ {{- if $existingSecret }}
+ ca.crt: {{ index $existingSecret.data "ca.crt" }}
+ tls.crt: {{ index $existingSecret.data "tls.crt" }}
+ tls.key: {{ index $existingSecret.data "tls.key" }}
+ {{- else }}
+ {{- with genSignedCert $cn nil nil 3650 $ca }}
+ cacert: {{ b64enc $ca.Cert }}
+ tls.crt: {{ b64enc .Cert }}
+ tls.key: {{ b64enc .Key }}
+ {{- end }}
+ {{- end }}
diff --git a/packages/apps/vpn/values.yaml b/packages/apps/vpn/values.yaml
index 04e7f7aa..84579944 100644
--- a/packages/apps/vpn/values.yaml
+++ b/packages/apps/vpn/values.yaml
@@ -1,12 +1,7 @@
-# Default values for vpn.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
+external: false
 users:
-- name: user1
-- name: user2
- limit: 5Gi
-- name: user3
- limit: 5Gi
+ user1:
+ password: hackme
+ user2:
+ password: tttt
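Review bot: In deployment.yaml `replicas: 2` is hard-coded while this same commit deletes `replicaCount` from values.yaml, so the replica count stops being operator-tunable; `replicas: {{ .Values.replicaCount | default 2 }}` with the key restored in values keeps the old knob. The pod spec has no `securityContext` and no `resources`, and `/opt/outline` and `/root/shadowbox` are both `emptyDir`, so anything the server writes outside the two read-only subPath files is per-pod and lost on restart — if the image keeps state there, the two replicas will drift apart; confirm against the image before relying on `replicas: 2`. The TLS private key is projected at `/tmp/shadowbox.key` with `defaultMode: 420` (0644); a tighter mode such as `defaultMode: 0400` is enough if the server process runs as the owner of the projected files, which is worth checking since the container runs as root by default here.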
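Review bot: In secret.yaml the `shadowbox_config.json` document hard-codes four access keys with fixed passwords (`UhrU93bi2eBORvo4dwxsEw`, `aaaaaaaaaaaaaaaaaaaaaa`, `asdasdASD`, …) and fixed metricsIds inside the chart template, so every release installed from this chart shares the same VPN credentials, and the `users` map this commit adds to values.yaml is never read by any template. Entries 2 and 3 also carry the same `metricsId`, which looks like a copy-paste slip. The access-key list should be generated from `.Values.users`, failing the render when a password is missing; a sketch follows (`uuidv4` produces a new metricsId on every upgrade — if that id must stay stable, derive it from the user name or keep it in values instead).
```yaml
# … unchanged: apiVersion/kind/metadata/type and shadowbox_server_config.json …
  {{- $accessKeys := list }}
  {{- $next := 1 }}
  {{- range $name, $user := .Values.users }}
  {{- $password := required (printf "users.%s.password is required" $name) $user.password }}
  {{- $accessKeys = append $accessKeys (dict "id" (toString $next) "metricsId" (uuidv4) "name" $name "password" $password "port" 40000 "encryptionMethod" "chacha20-ietf-poly1305") }}
  {{- $next = add1 $next }}
  {{- end }}
  shadowbox_config.json: {{ dict "accessKeys" $accessKeys "nextId" $next | toJson | quote }}
```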
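Review bot: In service.yaml `type: LoadBalancer` is hard-coded while the `external: false` value this commit introduces in values.yaml is referenced by no template, so the new value has no effect and every install gets an externally reachable LoadBalancer on port 40000; `type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}` ties the two together (ClusterIP as the non-external choice is my assumption — use whatever the value is meant to select). The commented-out `apiport-tcp` block keeps the management API on 60000 off the Service, which is the right default; delete the dead lines rather than leaving them as comments, or add a one-line comment stating that the API port is intentionally not exposed.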
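Review bot: In tls.yaml the generate branch writes the CA under the key `cacert` (`cacert: {{ b64enc $ca.Cert }}`) while the lookup branch reads it back as `ca.crt` (`index $existingSecret.data "ca.crt"`), so on the first upgrade the CA value is not found and the rendered `ca.crt` entry is empty or a placeholder; rename the generate-side key to `ca.crt: {{ b64enc $ca.Cert }}`. `lookup` returns nothing under `helm template` and `--dry-run`, so the key pair is regenerated in those modes — expected for this pattern, but worth a comment above the `$existingSecret` line so nobody reads a dry-run diff as a real rotation. `genSignedCert $cn nil nil 3650 $ca` issues a ten-year leaf certificate with CN `outline` and no SANs; that is fine if clients pin the certificate rather than validate its name, otherwise the service hostname belongs in the DNS-SAN list.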
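Review bot: The new defaults in values.yaml ship plaintext passwords (`password: hackme`, `password: tttt`); as chart defaults they are installed verbatim by anyone who does not override them. Leave the defaults empty (`password: ""`) and have the Secret template refuse to render with `required` when a password is missing, or mark the block as an example that must be replaced. The per-user `limit: 5Gi` field and the top-level `replicaCount` are dropped without an equivalent in the new schema — confirm that is intended rather than an oversight.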