Move protonvpn variant to archive.

Still works great, just don't need it anymore.

.archive/kubernetes/qbittorrent/app/externalsecret.yaml

@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: qbittorrent
+  namespace: qbittorrent
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: qbittorrent-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: WIREGUARD_ENDPOINT_IP
+      remoteRef:
+        key: ProtonVPN
+        property: qbittorrent_vpn_endpoint_ip
+    - secretKey: WIREGUARD_PUBLIC_KEY
+      remoteRef:
+        key: ProtonVPN
+        property: qbittorrent_wireguard_public_key
+    - secretKey: WIREGUARD_PRIVATE_KEY
+      remoteRef:
+        key: ProtonVPN
+        property: qbittorrent_wireguard_private_key
+    - secretKey: WIREGUARD_ADDRESSES
+      remoteRef:
+        key: ProtonVPN
+        property: qbittorrent_wireguard_addresses

.archive/kubernetes/qbittorrent/app/helmrelease.yaml

@@ -0,0 +1,163 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app qbittorrent-protonvpn
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.3.2
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    controllers:
+      qbittorrent:
+        annotations:
+          configmap.reloader.stakater.com/reload: qbittorrent-scripts
+          secret.reloader.stakater.com/reload: qbittorrent-secret
+        pod:
+          securityContext:
+            fsGroup: 568
+            fsGroupChangePolicy: "OnRootMismatch"
+        containers:
+          app:
+            nameOverride: qbittorrent
+            image:
+              repository: ghcr.io/onedr0p/qbittorrent
+              tag: 4.6.6@sha256:e21c95568c9175f40390bacd7f778d8d2af5331d1e663e1a6860140891c65742
+            env:
+              UMASK: "022"
+              QBITTORRENT__PORT: &port 80
+              QBT_Preferences__WebUI__AlternativeUIEnabled: false
+              QBT_Preferences__WebUI__AuthSubnetWhitelistEnabled: true
+              QBT_Preferences__WebUI__AuthSubnetWhitelist: |-
+                10.244.0.0/16, 10.1.2.0/24
+              QBT_Preferences__WebUI__LocalHostAuth: false
+              QBT_BitTorrent__Session__Interface: wg0
+              QBT_BitTorrent__Session__InterfaceName: wg0
+            resources:
+              requests:
+                cpu: 49m
+                memory: 1024Mi
+              limits:
+                memory: 24Gi
+            securityContext:
+              runAsUser: 568
+              runAsGroup: 568
+              runAsNonRoot: true
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                  - ALL
+
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: latest@sha256:fb448a2eb8755b68106a386d1e5a78c781bf28a0eea0fb712824cd2dc0ec19a7
+            env:
+              VPN_SERVICE_PROVIDER: custom
+              VPN_TYPE: wireguard
+              VPN_INTERFACE: wg0
+              WIREGUARD_ENDPOINT_PORT: 51820
+              VPN_PORT_FORWARDING: on
+              VPN_PORT_FORWARDING_PROVIDER: protonvpn
+              FIREWALL_INPUT_PORTS: *port
+              FIREWALL_OUTBOUND_SUBNETS: 10.32.0.0/16 # Allow access to k8s subnets
+            envFrom:
+              - secretRef:
+                  name: qbittorrent-secret
+            securityContext:
+              # until I can debug the issues on talos 1.8.
+              privileged: true
+              capabilities:
+                add:
+                  - NET_ADMIN
+                drop:
+                  - ALL
+
+          port-forward:
+            image:
+              repository: ghcr.io/bjw-s/gluetun-qb-port-sync
+              tag: v0.0.2
+            env:
+              GLUETUN_CONTROL_SERVER_HOST: localhost
+              GLUETUN_CONTROL_SERVER_PORT: 8000
+              QBITTORRENT_HOST: localhost
+              QBITTORRENT_WEBUI_PORT: *port
+              CRON_ENABLED: true
+              CRON_SCHEDULE: "*/5 * * * *"
+              LOG_TIMESTAMP: false
+            securityContext:
+              runAsUser: 568
+              runAsGroup: 568
+              runAsNonRoot: true
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: false
+              capabilities:
+                drop:
+                  - ALL
+
+    service:
+      app:
+        controller: qbittorrent
+        type: LoadBalancer
+        annotations:
+          io.cilium/lb-ipam-ips: 10.1.1.34
+        nameOverride: qbittorrent
+        ports:
+          http:
+            port: *port
+          # bittorrent port is set by gluetun-qb-port-sync
+          # So we don't need to set it for forwarding-to from firewall here.
+          # bittorrent:
+          #   enabled: true
+          #   port: *bittorrentPort
+          #   protocol: TCP
+
+    ingress:
+      app:
+        className: "internal-nginx"
+        hosts:
+          - host: "qb.jahanson.tech"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - "qb.jahanson.tech"
+
+    persistence:
+      config:
+        existingClaim: qbittorrent
+      media:
+        type: nfs
+        server: 10.1.1.11
+        path: /volume1/Media
+        advancedMounts:
+          qbittorrent:
+            app:
+              - path: /data/nas-media
+      qbtun:
+        type: hostPath
+        hostPath: /dev/net
+        advancedMounts:
+          qbittorrent:
+            gluetun:
+              - path: /dev/net

.archive/kubernetes/qbittorrent/app/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/volsync
+generatorOptions:
+  disableNameSuffixHash: true

.archive/kubernetes/qbittorrent/ks.yaml

@@ -0,0 +1,50 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app qbittorrent
+  namespace: flux-system
+spec:
+  targetNamespace: qbittorrent
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 10m
+  path: "./kubernetes/apps/qbittorrent/qbittorrent/app"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: homelab
+  wait: true
+  dependsOn:
+    - name: openebs
+    - name: volsync
+    - name: external-secrets-stores
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 2Gi
+      VOLSYNC_STORAGECLASS: zfs-generic-nfs-csi
+      VOLSYNC_SNAPSHOTCLASS: zfs-generic-nfs-csi
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app qbittorrent-tools
+  namespace: flux-system
+spec:
+  targetNamespace: qbittorrent
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/qbittorrent/qbittorrent/tools
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: homelab
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

.archive/kubernetes/qbittorrent/tools/helmrelease.yaml

@@ -0,0 +1,146 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: qbtools
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.3.2
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: qbittorrent
+      namespace: qbittorrent
+  values:
+    controllers:
+      tagging:
+        type: cronjob
+        cronjob: &cronJobSpec
+          schedule: "@hourly"
+          timeZone: &timeZone America/Chicago
+          concurrencyPolicy: Forbid
+          successfulJobsHistory: 1
+          failedJobsHistory: 1
+        initContainers:
+          tagging: &container
+            image:
+              repository: ghcr.io/buroa/qbtools
+              tag: v0.16.3@sha256:1eb3be84d7d63bfd0aaffd1e85f1cfd9a5064fd8ce5ed94522672eca0d201e56
+            env:
+              TZ: *timeZone
+              POD_NAMESPACE:
+                valueFrom:
+                  fieldRef:
+                    fieldPath: metadata.namespace
+            args: [
+              "tagging",
+              "--added-on",
+              "--expired",
+              "--last-activity",
+              "--sites",
+              "--unregistered",
+              "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
+              "--port", "80",
+              "--config", "/config/config.yaml"
+            ]
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 25m
+              limits:
+                memory: 256M
+        containers:
+          unregistered:
+            <<: *container
+            args: [
+              "prune",
+              "--exclude-category", "manual",
+              "--exclude-category", "music",
+              "--exclude-tag", "added:24h",
+              "--include-tag", "unregistered",
+              # "--dry-run",
+              "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
+              "--port", "80"
+            ]
+          expired:
+            <<: *container
+            args: [
+              "prune",
+              "--exclude-category", "manual",
+              "--exclude-category", "music",
+              "--include-tag", "expired", # defined in config.yaml
+              "--include-tag", "added:7d",
+              # "--dry-run",
+              "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
+              "--port", "80"
+            ]
+        pod:
+          restartPolicy: OnFailure
+      orphaned:
+        type: cronjob
+        cronjob:
+          <<: *cronJobSpec
+          schedule: "@daily"
+        containers:
+          app:
+            <<: *container
+            args: [
+              "orphaned",
+              "--exclude-pattern", "*_unpackerred*",
+              "--exclude-pattern", "*/manual/*",
+              # "--dry-run",
+              "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
+              "--port", "80"
+            ]
+        pod:
+          restartPolicy: OnFailure
+      reannounce:
+        containers:
+          app:
+            <<: *container
+            args: [
+              "reannounce",
+              "--process-seeding",
+              "--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
+              "--port", "80"
+            ]
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        seccompProfile: { type: RuntimeDefault }
+    persistence:
+      secret-file:
+        type: secret
+        name: qbtools-secret
+        globalMounts:
+          - path: /config/config.yaml
+            subPath: config.yaml
+            readOnly: true
+      media:
+        type: nfs
+        server: 10.1.1.11
+        path: /volume1/Media
+        advancedMounts:
+          orphaned:
+            app:
+              - path: /data/nas-media
+                subPath: qb/downloads

.archive/kubernetes/qbittorrent/tools/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./qbtools.secret.sops.yaml
+  - ./helmrelease.yaml

.archive/kubernetes/qbittorrent/tools/qbtools.secret.sops.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: qbtools-secret
+stringData:
+    config.yaml: ENC[AES256_GCM,data:NZq8GKG05lEp6lLvE/IMOkt6FrzJ8Hoj3KJ57y5rumsTxqydyxzmrt9IVf34nQ1SgSGKMdI8KgEIVnHBj/4jfYgJZ5+1AfKiTe0DW3NZSK3LkDJcs6Mcwu6f5lbil1vfaS3YgJ2K1pv5ys7GCmE/zMqiNsTpmc1niY/JMOs/0eJaUYNACHl0I1w3fLJVPjnhdK99IhFYo42XywODyVSRdMeFTP6Q7Y4NRNJKA3u9W0ix12yaTdfBk5ia1sIRb9H3Gvl5z/XTvr0X6IzIpfoP46wf/EXLU7Y7Rt5fvnymQgzQr7JtUL90NBkKvqOko4NSl36uEol5jsu9gj9o+FZbA2CnDbZ6mp6BqJIB9HuaWCrgb6ideNTUYL/ASU6Wp17A1CzPDjlm+b6kGZpJKQYFEZ/VO8BEoeW3Yx9D0dG1ep9xFTu6xDKo7JxF4pbMWgWU5I+mE6xiCK7XGrab1latVhcPHBAVoxBrdHvAgwgvs1WmAe0ofP0vPpq6ZHd+kgQg2qHPbkj4viXl1Hf9M9Q7HJm+hlgfCmjaT9m5/1ipzbj9xlu0vG5GFTbf6hcPJXlthaEubHggKD1Idx1k7NUvJzQi/Y6KpUCM4BUOGOgYpGWic7kTSUoqdqKQNAJr77EKOIRGkI+LCPSOWx4atUS8jgS8/tbeXYAb9eBhovGWXZsGyPQt1bpfXmfiBRTqyRC66qPw5+AcruVaJY3C7Aj0f6BhqkDWScBiF3H3ZJj0Wp6wWKh/KCxSqO+AqcB36nVa62zLy6sIZHclwQwgxLzXFiaHxblRWxNuyAASNnrbAutLTsQ4HXCQPaiJ/9LxK+QAow7hryQsikq4XhCRV0TdEYzBpB3eatpB5G02kApvbMRW5kYvR8GHJzF8eqWgcRit4g0Q+kJn5p+UAi1rOP2bh/9lwPadn7TuuW3J9SzUOOmP2eajsicUkqnxsrxQFJbxkztLkPpLGHpd4zI8Y3riHtv2di57/ktUP9acc4kIk2LyYiN6jwKEOc2HTmSE3l2qdBXoy6Rcl/V/Uz1hOE3vOFUNJQL2sRyBf/0R7IKzXRieghR9h17pKYAsvbN9vO02dLevSYsqktowjwA1QXxxR2Vzp15tMV45T/nP5XLe3+f4zfJjRSuNM13ddowXp6smUOZ0Myw=,iv:FszW51oSi/iKN1cquyhF+HwStHgpgmioyopdJriuiOw=,tag:GYaRuyCgXuGVWyxShyH39Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UzFWbHB0bVlGQXV4dEVt
+            ZUxrcnZ1MlFOY2o2eTl0cDV3T3BKdmNMUXg0CmcyejMzV1loSUNIMEw0K09yc3Ax
+            NGZOTE1tamV2a05kZm9lNkpoeG9OWm8KLS0tIEVVM01nSjhQYzBOZ0MrY2JpODRz
+            MGNWSGJmaXdkbUJDOHpCRk9YWUZVSm8KGGHivrtQfHayo6BGbH+Tch3fzVlFNU3s
+            lLec6VZauGjIXifXBLC5e65SrSO/nZS4xsurrZovOLn3DpeDQu/4+Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-15T17:21:52Z"
+    mac: ENC[AES256_GCM,data:V+K/2CEFommRZ7kkJlUSjOIMQL8c3OtnJnPT7heHpkGUm/XJ8JFAhqHc5G6D6bjN6vsXcr7X7b9Tm6OBNPHBCJIekBahySUThHc6IxhQrNVTMu2lNOS9B7+VwZN2oezmEwbpY+5dT+3angWiBy2k5XW/7hmVlz1mQX8tJBTUHOM=,iv:LorlvJFs067H6FI/UPvIgRi9xTReOTfv13IdInFhcAU=,tag:72TTcNC6Fh3SiWlJa2xgzg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1