From 43f924d6e95eae4a4c9b12173e01b8bb4f0f3a36 Mon Sep 17 00:00:00 2001 From: Nikita Volodin Date: Mon, 11 Nov 2024 00:24:29 -0500 Subject: [PATCH] feat(apps/qbittorrent): update gluetun setup with v3.39.0 Resolves #1430 --- .../qbittorrent/app/externalsecret.yaml | 4 --- .../default/qbittorrent/app/helmrelease.yaml | 28 +++++++++++++------ .../secrets/secrets.sops.yaml | 10 ++----- 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/kubernetes/main/apps/default/qbittorrent/app/externalsecret.yaml b/kubernetes/main/apps/default/qbittorrent/app/externalsecret.yaml index 0e2db94d4..7be22e01b 100644 --- a/kubernetes/main/apps/default/qbittorrent/app/externalsecret.yaml +++ b/kubernetes/main/apps/default/qbittorrent/app/externalsecret.yaml @@ -13,11 +13,7 @@ spec: template: engineVersion: v2 data: - VPN_ENDPOINT_IP: "{{ .qbittorrent_vpn_ip }}" - WIREGUARD_PUBLIC_KEY: "{{ .qbittorrent_wg_public_key }}" WIREGUARD_PRIVATE_KEY: "{{ .qbittorrent_wg_private_key }}" - WIREGUARD_ADDRESSES: "{{ .qbittorrent_wg_addresses }}" - wg0.conf: "{{ .qbittorrent_wg0_conf }}" dataFrom: - extract: key: everything diff --git a/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml index 9f000c071..4ce23ccf0 100644 --- a/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml @@ -43,7 +43,7 @@ spec: env: TZ: ${TIMEZONE} UMASK: "022" - QBITTORRENT__PORT: &port "8080" + QBT_WEBUI_PORT: &port "8080" QBT_BitTorrent__Session__Interface: &iface wg0 QBT_BitTorrent__Session__InterfaceName: *iface probes: &probes @@ -59,6 +59,12 @@ spec: securityContext: runAsUser: 568 runAsGroup: 568 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL resources: requests: cpu: 10m 
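Review bot: The hardened `securityContext` added for the qbittorrent container in the `@@ -59,6 +59,12 @@` hunk of helmrelease.yaml sets no seccomp profile, so unless one is set at pod level outside this hunk the container runs with the runtime's default, which can be unconfined. I would add `seccompProfile:` with `type: RuntimeDefault` next to `allowPrivilegeEscalation: false`. The new `readOnlyRootFilesystem: true` also depends on every path qBittorrent writes (config, temp files) being backed by a volume. The persistence section is not in this hunk, so that is worth confirming before rollout. The container definition continues outside the hunk.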
@@ -69,29 +75,33 @@ spec: gluetun: image: repository: ghcr.io/qdm12/gluetun - tag: v3.38.0@sha256:5522794f5cce6d84bc7f06b1e3a3b836ede9100c64aec94543cb503bb2ecb72f + tag: v3.39.1@sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991 env: TZ: ${TIMEZONE} - VPN_SERVICE_PROVIDER: custom - VPN_TYPE: wireguard + DOT: "off" + DNS_ADDRESS: "127.0.0.2" VPN_INTERFACE: *iface - VPN_ENDPOINT_PORT: "51820" + VPN_SERVICE_PROVIDER: protonvpn + VPN_TYPE: wireguard + SERVER_COUNTRIES: United States,Canada,Mexico + PORT_FORWARD_ONLY: "on" VPN_PORT_FORWARDING: "on" VPN_PORT_FORWARDING_PROVIDER: "protonvpn" FIREWALL_INPUT_PORTS: *port - # Allow access to k8s subnets + # Allow access to k8s and nodes subnets FIREWALL_OUTBOUND_SUBNETS: "${CLUSTER_CIDR},${SERVICE_CIDR},${NODE_CIDR}" - SHADOWSOCKS: "on" - DOT: "off" - DNS_ADDRESS: "127.0.0.2" envFrom: - secretRef: name: qbittorrent-secret probes: *probes securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + resources: + limits: + squat.ai/tun: "1" dnsdist: image: diff --git a/kubernetes/main/apps/external-secrets/external-secrets/secrets/secrets.sops.yaml b/kubernetes/main/apps/external-secrets/external-secrets/secrets/secrets.sops.yaml index 52297c104..bf2f35f2d 100644 --- a/kubernetes/main/apps/external-secrets/external-secrets/secrets/secrets.sops.yaml +++ b/kubernetes/main/apps/external-secrets/external-secrets/secrets/secrets.sops.yaml 
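Review bot: The gluetun `securityContext` gains `allowPrivilegeEscalation: false` but, unlike the qbittorrent container hardened in this same commit, it never drops the default capability set, and no `runAsUser`/`runAsNonRoot` is visible in the hunk. As far as these lines show, the sidecar that holds `WIREGUARD_PRIVATE_KEY` keeps every default capability plus `NET_ADMIN`. Consider `drop: ["ALL"]` under `capabilities:` alongside the existing `add:`, re-adding only what gluetun proves to need in testing. The unchanged `FIREWALL_OUTBOUND_SUBNETS` line still exempts the whole pod, service and node ranges from the tunnel firewall. A comment stating why each range is required, or a NetworkPolicy limiting this pod's egress to the specific in-cluster destinations, would stop that exception being broader than intended.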
@@ -245,11 +245,7 @@ stringData: prowlarr_postgres_maindb: ENC[AES256_GCM,data:mqHiGMuYTrUneLWqFw==,iv:Ul8OqmaqUYINcls0RVqBD0rdNEQzOv0eWNGbg2b2E7Y=,tag:dMpjmJ7ZLdD1rqRnNdPK5A==,type:str] # #ENC[AES256_GCM,data:Vogli2SezDgMOIkp,iv:C5eAidKe8f3RHxYCARv1M52op9PtXbtDzPhm7Y3ypG0=,tag:VX+QjGyk6uMisrnzIiQPww==,type:comment] - qbittorrent_vpn_ip: ENC[AES256_GCM,data:6NRchsnTgosC0/9O+BEM,iv:SNfhzd8bx3dF8BsZpp7pZdCSTpk6q/U9xM4a71NTnco=,tag:YTXD5DDgJVSpT3csQfzRww==,type:str] - qbittorrent_wg_public_key: ENC[AES256_GCM,data:ayosiRpRt1MiARgmS5fk3eXKe0nfW4f2BRxb1R1ziq02mLGL9FBa2nq8c+8=,iv:Q/duSMqZrU1L3F/kxBuGt5UUbyj0MItaRt44EhJMhzU=,tag:isEkne0vn6Gzv+uGSaz6FQ==,type:str] - qbittorrent_wg_private_key: ENC[AES256_GCM,data:NC2FQe4Mm25OcPTiyJKuaPnDMsxaqmrGEg6ylaSyVflWgM0kQwKjdhIlWGI=,iv:Rdd4+gQxHOiivRHETwRWchL23ptx7RtK2OXGRshvMS0=,tag:G4BXw9/l+TB4Fi2uyPmKGQ==,type:str] - qbittorrent_wg_addresses: ENC[AES256_GCM,data:uDQZNYZ/CYAGO/w=,iv:r4NU/CMUPXetjWow+1K/MVQLsub0Yx+ZPiVHc5J0dCQ=,tag:WR1pAD1TU+wgcIUfalOS6w==,type:str] - qbittorrent_wg0_conf: ENC[AES256_GCM,data:/7uF+y6AjX8Ynge9LND5/SySNhnZRruZkwRIDfQ58rGMJfDJgMt04tA2ZYsadxzikIU8teMTKT/g9CGETgktN7/0hzFE8GAsRh3hO035EirGzxtZGJTySNHJueO8Og0lB9WG1/wpty6jwrTFsiUkYjDBlzkckaj4S0qWmZ9WUnDBazyzfVT9LdiCnUBy/ErxtMH+UTjjTVIoYF0Jlr1SqhpJ/0obPOeL3XRJTJtYlVtza4r0vscx/Bldeu7cs1Dn5pM+c3TmRlu8WtfXwX4ml2Iz94vZDpY4H+NzupRaQnR9s6UfDIKqMdRcb0IAk+ECk6FxrB2kyM2AiV+VKiLteygxQlPSdUebAzdh56e3+42ANPNR4Ym9kDhK0zWfhNQuR/ITCIFK5KLZ+Z5p5VNjMhXDX0Eeto2QumWCgeNxGiRgXQXzN4GTvyoWllmCBQE/dbvSRwAoOyUbRnrdbUvrYjF9Jd/SOBRLZVpb5qG2GdP1uRT86rEq,iv:Eg6TKctuHDEWN+Sz0MFTsdZmki76oJeHptcfHqABUxg=,tag:uUxwKyowWTiwdLtjP/qyNw==,type:str] + qbittorrent_wg_private_key: ENC[AES256_GCM,data:Eputqqh+VDgJRmam5kMiLKa20GLMbCCsDTQftgH6ZcR5XCzkYzVCv+nJEYU=,iv:LES17HhrRbMH69l/cocqR8qrUVn++/2+3LK51MDeK98=,tag:sS563y6xtzS6PP2Y7nt4Og==,type:str] qbittorrent_restic_pass: 
ENC[AES256_GCM,data:9HXrDV63lrxFyWvjB0IuIIk2AvcKigtjLvAsSFwcQ5ZKRUrR2bi2vtmhqymli65JpcCyXkX91SUQDWofRxSnmPi287hjdfkeVJYxLH4kfOdgyf7WZw7erBDRmEUuWiDyjDa7RRjzTsrZKzacd9yhaKRtU8XkXl7JA8a1Qsk0dxc=,iv:fIOIxXnBbaPqfDYSPA/Ij4tdnAGoKXryqSbuZSmX76c=,tag:zw17OOV+vHu+zcaJoycFkQ==,type:str] qbittorrent_restic_minio_user: ENC[AES256_GCM,data:Rj7IIcbVJBpwcu8=,iv:20eOG8l+DHSTboyoPuowjmg/rm8ro8Lmhef1+47CfGk=,tag:Oh7m0VmQ24YtgUEvPwG8RQ==,type:str] qbittorrent_restic_minio_pass: ENC[AES256_GCM,data:gn9PcQRMVTD8711r2phCgeK1FkhTAhPyQq/DYZXejakS3el5+0haV6HezXY/pMw8HVXHYpsJR0LP0LW0VrdcsdeTys1r4rpCh9kkv+TnjmNspA1yuZc70mmdfdjDc0E0woftpWsekHl7v1cqyNBRKDOQTjGtS8cFsZVz6y0MsaI=,iv:KH6avvXCqK0wxYxQKPmDi5PGjxo3w4n6gWOSLFM+n1U=,tag:fOEiVVFTRAjD8DUxymKqFw==,type:str] @@ -351,8 +347,8 @@ sops: S1Y2aUVvZDJUZ29vZ21SYnk4RDBvR2cK7HDsIjcO+R0Kdxxx9zAkymaqemZPBywk HV0CS8iCUdUlqfAvtNZvVJ/RjHQh7hZyQspEQnkMxLddLoHFEbQMyA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-09T17:27:21Z" - mac: ENC[AES256_GCM,data:8/3bjK0dP+VbOC+ay5fmhlYxn08SHjwTx3pod9UIjtNCDVfwmqViYQ7X/5qNDECreMWED1le73vUdhsWmWwTzzuozI63hBFfeypbUVBFyIYwPZ0lmFD+JqlzjZD3kxR1bORZSPyAdzUCGqR9ovUvaIUHR1n9d0bCulVdzqecS0g=,iv:fo09hrECe3iH6SaZKGLaC7+B+nZK0fVaNNKrIW2qdXU=,tag:Tg65NeAE4yDUrRM0hoASdg==,type:str] + lastmodified: "2024-11-11T05:26:22Z" + mac: ENC[AES256_GCM,data:b4q1+ekaZZ3MEohny/kA1V1ENbXaP+HnRiSh1kOllS06zQHpRyTXkXBCvYdrn7VrF6qprl45CSDlhaP6FAqhzsflcWVvZuyEX3rIX1lDtYfQBdFvaCPdI3YeWOJApCKnicQTtOkiqCDVx+fdO4aWJKClnsuLzfR1cqOz19aEOTo=,iv:AIw+h0byvAUEbjtMm8RVbJ/+Q81BC/0zU7iZ96Pckwk=,tag:DFvx0VRVqTP9N/KXphUKKA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.0