refactor: qbit custom wireguard config replaced with gluetun

2023-11-04 17:43:51 -07:00 · 2023-11-04 17:43:51 -07:00 · 18c1d96b0a
commit 18c1d96b0a
parent 74679ed8e5
7 changed files with 84 additions and 76 deletions
--- a/inventories/prod/group_vars/all.yml
+++ b/inventories/prod/group_vars/all.yml
@ -2,12 +2,12 @@ domain: cazzzer.com
 wg_privkey: !vault |
  $ANSIBLE_VAULT;1.2;AES256;alpina
-          61346533346138643038616365373264333063626539316266326164353935666464346534643433
+  61393332313539313434346432313864386536393330383137303765616661366462353863646461
-          3634353332373937323464346634643639623039366163350a666161323932633866633264303034
+  3533323061306232316235623830373432343332396437640a343465623565303730363464616363
-          32303833613236316463643066363565333536323833373562343832333435303732626264353337
+  31376561363064353261313030626662653064313366656266393639323731373566323633366331
-          3831353935663865390a383335333133613039386237653665653663346666626666616439323530
+  3964373763396665380a663930363232626165306434613835313436646565313266363432646265
-          33626333383830383430313765386439323738336336333234303738383837356135353635366365
+  36626264356332383663613731633333333539313133613365613738613339313134626463653131
-          3066313962653537376430613963316132613663356665316238
+  3830353835306265333736373766326362363032383363633666
 github_consumer_key: 32d5cae58d744c56fcc9
 github_consumer_secret: !vault |
--- a/inventories/staging/group_vars/all.yml
+++ b/inventories/staging/group_vars/all.yml
@ -2,12 +2,12 @@ domain: lab.cazzzer.com
 wg_privkey: !vault |
  $ANSIBLE_VAULT;1.2;AES256;alpina
-          66323965396438656630376232373462616536303233663163373933306261396634623164653536
+  65323564393964323564366665663835383263313266306132313063353866336330666335363835
-          3964323735386530303932616135346461353036393635350a353434303730633265343035623434
+  3537633434346631343266633964646362646263633961610a356664326330646338373336636536
-          35323064373733373436383939386335306463316634363436396264313432363961353766633930
+  37616631373936623732663462373437383032306362623431383832343238613331643233353262
-          3662633131636332620a313334396161386230303936646566363162643831393965376563386432
+  6136343930636233310a323162396239316330616164313438303832636661666363363731366135
-          37613538613466353266666566373836663037363139316463313335633335633536613232323062
+  39383461633966396638356632656635346166363633613261333333346435336633366339316231
-          3765366135356362326138313636646263646235656333386132
+  3262343033633438383538366135356239303939643262353137
 github_consumer_key: dbacb8621c37320eb745
 github_consumer_secret: !vault |
--- a/roles/alpina/collections/apps/arrstack/app_config.yml
+++ b/roles/alpina/collections/apps/arrstack/app_config.yml
@ -1,12 +1,13 @@
 $ANSIBLE_VAULT;1.2;AES256;alpina
-37653839366635373530306432303538626233356164633761316231623732316138643532383735
+63346463363535316637363430646637633164656432643064663166636233343766623539343466
-3132613432333636383363383162643434626638613234320a343337333435393461323735646338
+3362346266633930313332353836663633616366646135340a343461663237363031343563323630
-34353764366561633738383933626261643734343266333364353162366161313738663064656530
+32373734383739376437373836613465636462313262356666616264383137643734373032326236
-6666313731343663650a343761646664356238373763383136366431383337313065613663303233
+6564393337346263660a663331303334653165383930653938356539663861646638343536383637
-36613233653666306338373839623130323833393932386161353933613338613836326632653262
+33343962663965623131306365323265336564633866653639393930346132613664306631356237
-31646131646637646237373964376365336337386639396266393731623761393038396233663663
+31323132383737383462386237343866303231396137383139316536373537373937616339333130
-32393964313361326463356435343064643964343731386238643263653738356534383536353330
+39656332633730333462663931643366333131393466303031633439323234343234393062336262
-32376162376235663636626562646436613265656461656133643762396137313238383533653831
+35383939343037393266333736396563666238633163316631326432353430616430663665313765
-31396632656630626138326335363462383131343431336264656236346665366236353863326237
+35623064366632336635323236353837636562663161633837663564376266336433333733663533
-66653064653166373838653631653563303834303334633830383064323965393563663563636361
+65656532663739613033653662386366616432333032303336663733346439616561626532303237
-653139663339346331336435313263343936
+61613231383435353532383232356434663735373463666430396336646637303964643563646532
 31613163633538653432
--- a/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/.env.gluetun.j2
@ -0,0 +1,19 @@
 #VPN_SERVICE_PROVIDER=protonvpn
 #OPENVPN_USER=+pmp
 #OPENVPN_PASSWORD=
 #SERVER_HOSTNAMES=node-us-160.protonvpn.net,node-us-161.protonvpn.net
 #VPN_PORT_FORWARDING=on
 VPN_SERVICE_PROVIDER=custom
 VPN_TYPE=wireguard
 VPN_ENDPOINT_IP={{ wg_peer_ip }}
 VPN_ENDPOINT_PORT={{ wg_peer_port }}
 WIREGUARD_PUBLIC_KEY={{ wg_peer_pubkey }}
 WIREGUARD_PRIVATE_KEY={{ wg_privkey }}
 WIREGUARD_PRESHARED_KEY=
 WIREGUARD_ADDRESSES={{ wg_address }}
 VPN_DNS_ADDRESS={{ wg_dns }}
 VPN_PORT_FORWARDING=on
 VPN_PORT_FORWARDING_PROVIDER=protonvpn
 #FIREWALL_OUTBOUND_SUBNETS=192.168.144.0/24
--- a/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/custom-init/setup-wg.sh.j2
@ -1,26 +0,0 @@
 #!/usr/bin/env bash
 set -x
 local_gateway=$(ip route | grep default | awk '{print $3}')
 # This used as the gateway address for NAT-PMP to work properly
 wg_gateway="{{ wg_dns }}"
 wg_peer_address=$(echo "{{ wg_peer_endpoint }}" | cut -d: -f1)
 ip route add "$wg_peer_address" via "$local_gateway"
 ip link add wg0 type wireguard
 wg setconf wg0 /etc/wireguard/wg0.conf
 ip address add dev wg0 "{{ wg_address }}"
 ip link set wg0 up
 ip route add "$wg_gateway" dev wg0
 ip route del default
 ip route add default via "$wg_gateway"
 # Note that the DNS isn't changed, so there's actually a leak there
 # That's on purpose, just in case I want to access local jackett from qbit
 # Still need to figure out how to make this work with IPv6
 # Prevent IPv6 leaks
 # ip -6 route del default
 # Finally, optionally allow access to the home network
 # ip route add "\{\{ home_network }}" via "$local_gateway"
--- a/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/docker-compose.yml.j2
@ -3,35 +3,60 @@
 version: "3.9"
 networks:
-{#  {{ helpers.default_network(249) | indent(2) }}#}
+  {{ helpers.default_network(249) | indent(2) }}
  # TODO: Figure out IPv6 leaks
  ipv4_only:
  traefik_traefik:
    external: true
 services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    env_file:
      - .env.gluetun
    restart: unless-stopped
    networks:
      - default
      - traefik_traefik
  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
    cap_add:
      - NET_ADMIN
    labels:
      - {{ helpers.traefik_labels('qbit', port='8080', auth=true) | indent(6) }}
    restart: unless-stopped
    environment:
      {#  Keeping this for debugging purposes  -#}
      - DOCKER_MODS=linuxserver/mods:universal-package-install
-      - INSTALL_PACKAGES=wireguard-tools-wg
+    network_mode: service:gluetun
    networks:
      - ipv4_only
      - traefik_traefik
    volumes:
      - ./wireguard:/etc/wireguard:ro
      - ./custom-init:/custom-cont-init.d:ro
      - {{ base_volume_path }}/arrstack/config/qbittorrent:/config
      - {{ base_volume_path }}/arrstack/downloads:/downloads
      - {{ media_volume_path }}/Plex:/media/Plex
      - {{ media_volume_path }}/iso-img:/media/iso-img
  {#  https://github.com/qdm12/gluetun/issues/1488#issuecomment-1489597284  -#}
  {#  Even though it should work without this, there is no way to manually set the router in qbittorrent.  -#}
  {#  So you get 'UPnP/NAT-PMP port mapping failed. Message: "could not map port using UPnP[10.2.0.2]: no router found"'  -#}
  qbittorrent_natmap:
    container_name: qbittorrent_natmap
    image: ghcr.io/soxfor/qbittorrent-natmap:latest
    restart: unless-stopped
    environment:
      - QBITTORRENT_SERVER=10.2.0.2
      - VPN_GATEWAY=10.2.0.1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy
      qbittorrent:
        condition: service_started
  prowlarr:
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
@ -41,7 +66,7 @@ services:
    depends_on:
      - qbittorrent
    networks:
-      - ipv4_only
+      - default
      - traefik_traefik
    volumes:
      - {{ base_volume_path }}/arrstack/config/prowlarr:/config
@ -55,7 +80,7 @@ services:
    depends_on:
      - qbittorrent
    networks:
-      - ipv4_only
+      - default
      - traefik_traefik
    volumes:
      - {{ base_volume_path }}/arrstack/config/sonarr:/config
@ -71,7 +96,7 @@ services:
    depends_on:
      - qbittorrent
    networks:
-      - ipv4_only
+      - default
      - traefik_traefik
    volumes:
      - {{ base_volume_path }}/arrstack/config/radarr:/config
--- a/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
+++ b/roles/alpina/collections/apps/arrstack/templates/wireguard/wg0.conf.j2
@ -1,11 +0,0 @@
 # Stripped version of the wg config
 [Interface]
 PrivateKey = {{ wg_privkey }}
 # Address = {{ wg_address }}
 # DNS = {{ wg_dns }} # This is also used as the gateway address for NAT-PMP to work properly
 [Peer]
 PublicKey = {{ wg_peer_pubkey }}
 AllowedIPs = 0.0.0.0/0,::0/0
 Endpoint = {{ wg_peer_endpoint }}