wg-easy

apps/wg-easy/deployment.yaml

@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wg-easy
+  namespace: wg-easy
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wg-easy
+  strategy:
+    # Restrict to a Single wg-easy instance, on redeploys it will tear down the old one before bring a new one up.
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: wg-easy
+    spec:
+      containers:
+        - name: wg-easy
+          # Specify external hostname and port as environment variables
+          env:
+            - name: WG_HOST
+              value: v.lilpenguins.com
+            - name: WG_PORT
+              value: "30000"
+          image: ghcr.io/wg-easy/wg-easy
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 51820
+              name: wg
+              protocol: UDP
+            - containerPort: 51821
+              name: http
+              protocol: TCP
+          # Use the http server for pod health checks
+          livenessProbe:
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+          startupProbe:
+            failureThreshold: 30
+            periodSeconds: 5
+            successThreshold: 1
+            tcpSocket:
+              port: http
+            timeoutSeconds: 1
+          # Give pod permissions to modify iptables and load the wireguard kernel module
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_MODULE
+          # Persistent storage location
+          volumeMounts:
+            - mountPath: /etc/wireguard
+              name: config
+      restartPolicy: Always
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: wg-easy-storage-claim
+

apps/wg-easy/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencryptcertmanager # Or your certificate issuer
+  name: wg-easy
+  namespace: wg-easy
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: v.lilpenguins.com
+      http:
+        paths:
+          - backend:
+              service:
+                name: wg-easy-http
+                port: 
+                  name: http
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - v.lilpenguins.com
+      secretName: v-lilpenguins-com-tls
+

apps/wg-easy/service.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: wg-easy-wg
+  namespace: wg-easy
+spec:
+  ports:
+    - name: wg
+      port: 30000
+      nodePort: 30000
+      protocol: UDP
+      targetPort: wg
+  selector:
+    app.kubernetes.io/name: wg-easy
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wg-easy-http
+  namespace: wg-easy
+spec:
+  ports:
+    - name: http
+      port: 51821
+      protocol: TCP
+      targetPort: http
+  selector:
+    app.kubernetes.io/name: wg-easy
+  type: ClusterIP

apps/wg-easy/storage.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wg-easy-storage-claim
+  namespace: wg-easy
+spec:
+  storageClassName: synology-iscsi-storage-custom
+  accessModes:
+  - ReadWriteMany
+  volumeName: wg-easy-pv
+  resources:
+    requests:
+      storage: 256Mi
+