refactor: qbit custom wireguard config replaced with gluetun

2023-11-04 17:43:51 -07:00
parent 74679ed8e5
commit 18c1d96b0a
7 changed files with 84 additions and 76 deletions
--- a/roles/alpina/collections/apps/arrstack/app_config.yml
+++ b/roles/alpina/collections/apps/arrstack/app_config.yml
@@ -1,12 +1,13 @@
 $ANSIBLE_VAULT;1.2;AES256;alpina
-37653839366635373530306432303538626233356164633761316231623732316138643532383735
-3132613432333636383363383162643434626638613234320a343337333435393461323735646338
-34353764366561633738383933626261643734343266333364353162366161313738663064656530
-6666313731343663650a343761646664356238373763383136366431383337313065613663303233
-36613233653666306338373839623130323833393932386161353933613338613836326632653262
-31646131646637646237373964376365336337386639396266393731623761393038396233663663
-32393964313361326463356435343064643964343731386238643263653738356534383536353330
-32376162376235663636626562646436613265656461656133643762396137313238383533653831
-31396632656630626138326335363462383131343431336264656236346665366236353863326237
-66653064653166373838653631653563303834303334633830383064323965393563663563636361
-653139663339346331336435313263343936
+63346463363535316637363430646637633164656432643064663166636233343766623539343466
+3362346266633930313332353836663633616366646135340a343461663237363031343563323630
+32373734383739376437373836613465636462313262356666616264383137643734373032326236
+6564393337346263660a663331303334653165383930653938356539663861646638343536383637
+33343962663965623131306365323265336564633866653639393930346132613664306631356237
+31323132383737383462386237343866303231396137383139316536373537373937616339333130
+39656332633730333462663931643366333131393466303031633439323234343234393062336262
+35383939343037393266333736396563666238633163316631326432353430616430663665313765
+35623064366632336635323236353837636562663161633837663564376266336433333733663533
+65656532663739613033653662386366616432333032303336663733346439616561626532303237
+61613231383435353532383232356434663735373463666430396336646637303964643563646532
+31613163633538653432
--- a/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
@@ -0,0 +1,19 @@
+#VPN_SERVICE_PROVIDER=protonvpn
+#OPENVPN_USER=+pmp
+#OPENVPN_PASSWORD=
+#SERVER_HOSTNAMES=node-us-160.protonvpn.net,node-us-161.protonvpn.net
+#VPN_PORT_FORWARDING=on
+
+VPN_SERVICE_PROVIDER=custom
+VPN_TYPE=wireguard
+VPN_ENDPOINT_IP={{ wg_peer_ip }}
+VPN_ENDPOINT_PORT={{ wg_peer_port }}
+WIREGUARD_PUBLIC_KEY={{ wg_peer_pubkey }}
+WIREGUARD_PRIVATE_KEY={{ wg_privkey }}
+WIREGUARD_PRESHARED_KEY=
+WIREGUARD_ADDRESSES={{ wg_address }}
+VPN_DNS_ADDRESS={{ wg_dns }}
+VPN_PORT_FORWARDING=on
+VPN_PORT_FORWARDING_PROVIDER=protonvpn
+
+#FIREWALL_OUTBOUND_SUBNETS=192.168.144.0/24
--- a/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-set -x
-
-local_gateway=$(ip route | grep default | awk '{print $3}')
-# This used as the gateway address for NAT-PMP to work properly
-wg_gateway="{{ wg_dns }}"
-wg_peer_address=$(echo "{{ wg_peer_endpoint }}" | cut -d: -f1)
-
-ip route add "$wg_peer_address" via "$local_gateway"
-ip link add wg0 type wireguard
-wg setconf wg0 /etc/wireguard/wg0.conf
-ip address add dev wg0 "{{ wg_address }}"
-ip link set wg0 up
-ip route add "$wg_gateway" dev wg0
-ip route del default
-ip route add default via "$wg_gateway"
-
-# Note that the DNS isn't changed, so there's actually a leak there
-# That's on purpose, just in case I want to access local jackett from qbit
-
-# Still need to figure out how to make this work with IPv6
-# Prevent IPv6 leaks
-# ip -6 route del default
-
-# Finally, optionally allow access to the home network
-# ip route add "\{\{ home_network }}" via "$local_gateway"
--- a/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
@@ -3,35 +3,60 @@
 version: "3.9"

 networks:
-{#  {{ helpers.default_network(249) | indent(2) }}#}
-  # TODO: Figure out IPv6 leaks
-  ipv4_only:
+  {{ helpers.default_network(249) | indent(2) }}
  traefik_traefik:
    external: true

 services:
+  gluetun:
+    image: qmcgaw/gluetun:latest
+    container_name: gluetun
+    cap_add:
+      - NET_ADMIN
+    sysctls:
+      - net.ipv6.conf.all.disable_ipv6=0
+    env_file:
+      - .env.gluetun
+    restart: unless-stopped
+    networks:
+      - default
+      - traefik_traefik
+
  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
-    cap_add:
-      - NET_ADMIN
    labels:
      - {{ helpers.traefik_labels('qbit', port='8080', auth=true) | indent(6) }}
    restart: unless-stopped
    environment:
+      {#  Keeping this for debugging purposes  -#}
      - DOCKER_MODS=linuxserver/mods:universal-package-install
-      - INSTALL_PACKAGES=wireguard-tools-wg
-    networks:
-      - ipv4_only
-      - traefik_traefik
+    network_mode: service:gluetun
    volumes:
-      - ./wireguard:/etc/wireguard:ro
-      - ./custom-init:/custom-cont-init.d:ro
      - {{ base_volume_path }}/arrstack/config/qbittorrent:/config
      - {{ base_volume_path }}/arrstack/downloads:/downloads
      - {{ media_volume_path }}/Plex:/media/Plex
      - {{ media_volume_path }}/iso-img:/media/iso-img

+  {#  https://github.com/qdm12/gluetun/issues/1488#issuecomment-1489597284  -#}
+  {#  Even though it should work without this, there is no way to manually set the router in qbittorrent.  -#}
+  {#  So you get 'UPnP/NAT-PMP port mapping failed. Message: "could not map port using UPnP[10.2.0.2]: no router found"'  -#}
+  qbittorrent_natmap:
+    container_name: qbittorrent_natmap
+    image: ghcr.io/soxfor/qbittorrent-natmap:latest
+    restart: unless-stopped
+    environment:
+      - QBITTORRENT_SERVER=10.2.0.2
+      - VPN_GATEWAY=10.2.0.1
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    network_mode: "service:gluetun"
+    depends_on:
+      gluetun:
+        condition: service_healthy
+      qbittorrent:
+        condition: service_started
+
  prowlarr:
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
@@ -41,7 +66,7 @@ services:
    depends_on:
      - qbittorrent
    networks:
-      - ipv4_only
+      - default
      - traefik_traefik
    volumes:
      - {{ base_volume_path }}/arrstack/config/prowlarr:/config
@@ -55,7 +80,7 @@ services:
    depends_on:
      - qbittorrent
    networks:
-      - ipv4_only
+      - default
      - traefik_traefik
    volumes:
      - {{ base_volume_path }}/arrstack/config/sonarr:/config
@@ -71,7 +96,7 @@ services:
    depends_on:
      - qbittorrent
    networks:
-      - ipv4_only
+      - default
      - traefik_traefik
    volumes:
      - {{ base_volume_path }}/arrstack/config/radarr:/config
--- a/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
@@ -1,11 +0,0 @@
-# Stripped version of the wg config
-
-[Interface]
-PrivateKey = {{ wg_privkey }}
-# Address = {{ wg_address }}
-# DNS = {{ wg_dns }} # This is also used as the gateway address for NAT-PMP to work properly
-
-[Peer]
-PublicKey = {{ wg_peer_pubkey }}
-AllowedIPs = 0.0.0.0/0,::0/0
-Endpoint = {{ wg_peer_endpoint }}