From 18c1d96b0a95be304c6ee6b171544508c188a7c6 Mon Sep 17 00:00:00 2001
From: Iurii Tatishchev
Date: Sat, 4 Nov 2023 17:43:51 -0700
Subject: [PATCH] refactor: qbit custom wireguard config replaced with gluetun
---
 inventories/prod/group_vars/all.yml | 14 ++---
 inventories/staging/group_vars/all.yml | 14 ++---
 .../collections/apps/arrstack/app_config.yml | 23 ++++----
 .../apps/arrstack/templates/.env.gluetun.j2 | 19 +++++++
 .../templates/custom-init/setup-wg.sh.j2 | 26 ---------
 .../arrstack/templates/docker-compose.yml.j2 | 53 ++++++++++++++-----
 .../arrstack/templates/wireguard/wg0.conf.j2 | 11 ----
 7 files changed, 84 insertions(+), 76 deletions(-)
 create mode 100644 roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
 delete mode 100644 roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
 delete mode 100644 roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
diff --git a/inventories/prod/group_vars/all.yml b/inventories/prod/group_vars/all.yml
index e5ef8ff..c65bd85 100644
--- a/inventories/prod/group_vars/all.yml
+++ b/inventories/prod/group_vars/all.yml
@@ -1,13 +1,13 @@
 domain: cazzzer.com
 wg_privkey: !vault |
- $ANSIBLE_VAULT;1.2;AES256;alpina
- 61346533346138643038616365373264333063626539316266326164353935666464346534643433
- 3634353332373937323464346634643639623039366163350a666161323932633866633264303034
- 32303833613236316463643066363565333536323833373562343832333435303732626264353337
- 3831353935663865390a383335333133613039386237653665653663346666626666616439323530
- 33626333383830383430313765386439323738336336333234303738383837356135353635366365
- 3066313962653537376430613963316132613663356665316238
+ $ANSIBLE_VAULT;1.2;AES256;alpina
+ 61393332313539313434346432313864386536393330383137303765616661366462353863646461
+ 3533323061306232316235623830373432343332396437640a343465623565303730363464616363
+ 31376561363064353261313030626662653064313366656266393639323731373566323633366331
+ 3964373763396665380a663930363232626165306434613835313436646565313266363432646265
+ 36626264356332383663613731633333333539313133613365613738613339313134626463653131
+ 3830353835306265333736373766326362363032383363633666
 github_consumer_key: 32d5cae58d744c56fcc9
 github_consumer_secret: !vault |
diff --git a/inventories/staging/group_vars/all.yml b/inventories/staging/group_vars/all.yml
index 3bf1eb1..11b4a27 100644
--- a/inventories/staging/group_vars/all.yml
+++ b/inventories/staging/group_vars/all.yml
@@ -1,13 +1,13 @@
 domain: lab.cazzzer.com
 wg_privkey: !vault |
- $ANSIBLE_VAULT;1.2;AES256;alpina
- 66323965396438656630376232373462616536303233663163373933306261396634623164653536
- 3964323735386530303932616135346461353036393635350a353434303730633265343035623434
- 35323064373733373436383939386335306463316634363436396264313432363961353766633930
- 3662633131636332620a313334396161386230303936646566363162643831393965376563386432
- 37613538613466353266666566373836663037363139316463313335633335633536613232323062
- 3765366135356362326138313636646263646235656333386132
+ $ANSIBLE_VAULT;1.2;AES256;alpina
+ 65323564393964323564366665663835383263313266306132313063353866336330666335363835
+ 3537633434346631343266633964646362646263633961610a356664326330646338373336636536
+ 37616631373936623732663462373437383032306362623431383832343238613331643233353262
+ 6136343930636233310a323162396239316330616164313438303832636661666363363731366135
+ 39383461633966396638356632656635346166363633613261333333346435336633366339316231
+ 3262343033633438383538366135356239303939643262353137
 github_consumer_key: dbacb8621c37320eb745
 github_consumer_secret: !vault |
diff --git a/roles/alpina/collections/apps/arrstack/app_config.yml b/roles/alpina/collections/apps/arrstack/app_config.yml
index 6491f2c..5e7b5e2 100644
--- a/roles/alpina/collections/apps/arrstack/app_config.yml
+++ b/roles/alpina/collections/apps/arrstack/app_config.yml
@@ -1,12 +1,13 @@
 $ANSIBLE_VAULT;1.2;AES256;alpina
-37653839366635373530306432303538626233356164633761316231623732316138643532383735
-3132613432333636383363383162643434626638613234320a343337333435393461323735646338
-34353764366561633738383933626261643734343266333364353162366161313738663064656530
-6666313731343663650a343761646664356238373763383136366431383337313065613663303233
-36613233653666306338373839623130323833393932386161353933613338613836326632653262
-31646131646637646237373964376365336337386639396266393731623761393038396233663663
-32393964313361326463356435343064643964343731386238643263653738356534383536353330
-32376162376235663636626562646436613265656461656133643762396137313238383533653831
-31396632656630626138326335363462383131343431336264656236346665366236353863326237
-66653064653166373838653631653563303834303334633830383064323965393563663563636361
-653139663339346331336435313263343936
\ No newline at end of file
+63346463363535316637363430646637633164656432643064663166636233343766623539343466
+3362346266633930313332353836663633616366646135340a343461663237363031343563323630
+32373734383739376437373836613465636462313262356666616264383137643734373032326236
+6564393337346263660a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o newline at end of file
diff --git a/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2 b/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
new file mode 100644
index 0000000..5df57bb
--- /dev/null
+++ b/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
@@ -0,0 +1,19 @@
+#VPN_SERVICE_PROVIDER=protonvpn
+#OPENVPN_USER=+pmp
+#OPENVPN_PASSWORD=
+#SERVER_HOSTNAMES=node-us-160.protonvpn.net,node-us-161.protonvpn.net
+#VPN_PORT_FORWARDING=on
+
+VPN_SERVICE_PROVIDER=custom
+VPN_TYPE=wireguard
+VPN_ENDPOINT_IP={{ wg_peer_ip }}
+VPN_ENDPOINT_PORT={{ wg_peer_port }}
+WIREGUARD_PUBLIC_KEY={{ wg_peer_pubkey }}
+WIREGUARD_PRIVATE_KEY={{ wg_privkey }}
+WIREGUARD_PRESHARED_KEY=
+WIREGUARD_ADDRESSES={{ wg_address }}
+VPN_DNS_ADDRESS={{ wg_dns }}
+VPN_PORT_FORWARDING=on
+VPN_PORT_FORWARDING_PROVIDER=protonvpn
+
+#FIREWALL_OUTBOUND_SUBNETS=192.168.144.0/24
diff --git a/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2 b/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
deleted file mode 100644
index 0177ce3..0000000
--- a/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-set -x
-
-local_gateway=$(ip route | grep default | awk '{print $3}')
-# This used as the gateway address for NAT-PMP to work properly
-wg_gateway="{{ wg_dns }}"
-wg_peer_address=$(echo "{{ wg_peer_endpoint }}" | cut -d: -f1)
-
-ip route add "$wg_peer_address" via "$local_gateway"
-ip link add wg0 type wireguard
-wg setconf wg0 /etc/wireguard/wg0.conf
-ip address add dev wg0 "{{ wg_address }}"
-ip link set wg0 up
-ip route add "$wg_gateway" dev wg0
-ip route del default
-ip route add default via "$wg_gateway"
-
-# Note that the DNS isn't changed, so there's actually a leak there
-# That's on purpose, just in case I want to access local jackett from qbit
-
-# Still need to figure out how to make this work with IPv6
-# Prevent IPv6 leaks
-# ip -6 route del default
-
-# Finally, optionally allow access to the home network
-# ip route add "\{\{ home_network }}" via "$local_gateway"
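Review bot: `WIREGUARD_PRIVATE_KEY={{ wg_privkey }}` renders the vault-protected key in cleartext into `.env.gluetun`, and because the compose file loads that file through `env_file`, the key also becomes a container environment variable readable via `docker inspect` and by every process inside the gluetun container. The Ansible task that templates this file is outside the diff; it should write the file with a restrictive mode such as `mode: "0600"`, and gluetun's file-based secret setting (`WIREGUARD_PRIVATE_KEY_SECRETFILE`, if I recall the option name correctly) would keep the key out of the environment altogether. The template also replaces the `wg_peer_endpoint` variable used by the deleted wg0.conf.j2 and setup-wg.sh.j2 with `wg_peer_ip` and `wg_peer_port`; since app_config.yml is vault-encrypted, the commit message should state that those variables were added there so a reviewer can tell the rename is complete. The commented-out ProtonVPN/OpenVPN block at the top (`#VPN_SERVICE_PROVIDER=protonvpn` through `#VPN_PORT_FORWARDING=on`) is dead configuration and is better dropped or moved to a README.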
diff --git a/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2 b/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
index 50d17d5..e09781b 100644
--- a/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
@@ -3,35 +3,60 @@ version: "3.9"
 networks:
-{# {{ helpers.default_network(249) | indent(2) }}#}
- # TODO: Figure out IPv6 leaks
- ipv4_only:
+ {{ helpers.default_network(249) | indent(2) }}
 traefik_traefik:
 external: true
 services:
+ gluetun:
+ image: qmcgaw/gluetun:latest
+ container_name: gluetun
+ cap_add:
+ - NET_ADMIN
+ sysctls:
+ - net.ipv6.conf.all.disable_ipv6=0
+ env_file:
+ - .env.gluetun
+ restart: unless-stopped
+ networks:
+ - default
+ - traefik_traefik
+
 qbittorrent:
 image: linuxserver/qbittorrent:latest
 container_name: qbittorrent
- cap_add:
- - NET_ADMIN
 labels:
 {{ helpers.traefik_labels('qbit', port='8080', auth=true) | indent(6) }}
 restart: unless-stopped
 environment:
+ {# Keeping this for debugging purposes -#}
 - DOCKER_MODS=linuxserver/mods:universal-package-install
- - INSTALL_PACKAGES=wireguard-tools-wg
- networks:
- - ipv4_only
- - traefik_traefik
+ network_mode: service:gluetun
 volumes:
- - ./wireguard:/etc/wireguard:ro
- - ./custom-init:/custom-cont-init.d:ro
 - {{ base_volume_path }}/arrstack/config/qbittorrent:/config
 - {{ base_volume_path }}/arrstack/downloads:/downloads
 - {{ media_volume_path }}/Plex:/media/Plex
 - {{ media_volume_path }}/iso-img:/media/iso-img
+ {# https://github.com/qdm12/gluetun/issues/1488#issuecomment-1489597284 -#}
+ {# Even though it should work without this, there is no way to manually set the router in qbittorrent. -#}
+ {# So you get 'UPnP/NAT-PMP port mapping failed. Message: "could not map port using UPnP[10.2.0.2]: no router found"' -#}
+ qbittorrent_natmap:
+ container_name: qbittorrent_natmap
+ image: ghcr.io/soxfor/qbittorrent-natmap:latest
+ restart: unless-stopped
+ environment:
+ - QBITTORRENT_SERVER=10.2.0.2
+ - VPN_GATEWAY=10.2.0.1
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ network_mode: "service:gluetun"
+ depends_on:
+ gluetun:
+ condition: service_healthy
+ qbittorrent:
+ condition: service_started
+
 prowlarr:
 image: linuxserver/prowlarr:latest
 container_name: prowlarr
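Review bot: The new `qbittorrent_natmap` service bind-mounts `/var/run/docker.sock`, which gives that container full control of the Docker daemon, and with it the host, for the sake of a port-mapping helper; the hunk should carry a comment explaining why the socket is needed, and access should be narrowed, for example through a socket proxy that exposes only the API endpoints the helper uses, since a `:ro` mount does not restrict calls made over the socket. `QBITTORRENT_SERVER=10.2.0.2` and `VPN_GATEWAY=10.2.0.1` hard-code the tunnel addresses that `.env.gluetun` takes from `wg_address` and `wg_dns` (the deleted setup-wg.sh.j2 used `wg_dns` as the NAT-PMP gateway for the same reason), so these two lines will drift silently when the vaulted values change; templating them, e.g. `- VPN_GATEWAY={{ wg_dns }}`, keeps a single source of truth (strip the prefix length if `wg_address` carries one). Both `qmcgaw/gluetun` and `ghcr.io/soxfor/qbittorrent-natmap` are pulled as `:latest`, which for the component acting as the VPN kill switch makes each deployment unreproducible and unreviewable; pinning a version tag is safer. Minor style point: `network_mode` is unquoted on `qbittorrent` and quoted on `qbittorrent_natmap`.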
@@ -41,7 +66,7 @@ services:
 depends_on:
 - qbittorrent
 networks:
- - ipv4_only
+ - default
 - traefik_traefik
 volumes:
 - {{ base_volume_path }}/arrstack/config/prowlarr:/config
@@ -55,7 +80,7 @@ services:
 depends_on:
 - qbittorrent
 networks:
- - ipv4_only
+ - default
 - traefik_traefik
 volumes:
 - {{ base_volume_path }}/arrstack/config/sonarr:/config
@@ -71,7 +96,7 @@ services:
 depends_on:
 - qbittorrent
 networks:
- - ipv4_only
+ - default
 - traefik_traefik
 volumes:
 - {{ base_volume_path }}/arrstack/config/radarr:/config
diff --git a/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2 b/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
deleted file mode 100644
index b27e042..0000000
--- a/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-# Stripped version of the wg config
-
-[Interface]
-PrivateKey = {{ wg_privkey }}
-# Address = {{ wg_address }}
-# DNS = {{ wg_dns }} # This is also used as the gateway address for NAT-PMP to work properly
-
-[Peer]
-PublicKey = {{ wg_peer_pubkey }}
-AllowedIPs = 0.0.0.0/0,::0/0
-Endpoint = {{ wg_peer_endpoint }}