diff --git a/main.tf b/main.tf
index d104e4d0..1966bb6d 100644
--- a/main.tf
+++ b/main.tf
@@ -108,6 +108,10 @@ variable "realestate_crawler_notification_settings" {
 variable "kured_notify_url" {}
 variable "onlyoffice_db_password" { type = string }
 variable "onlyoffice_jwt_token" { type = string }
+variable "xray_reality_clients" { type = list(map(string)) }
+variable "xray_reality_private_key" { type = string }
+variable "xray_reality_short_ids" { type = list(string) }
+
 # data "terraform_remote_state" "foo" {
 # backend = "kubernetes"
@@ -430,6 +434,10 @@ module "kubernetes_cluster" {
 onlyoffice_db_password = var.onlyoffice_db_password
 onlyoffice_jwt_token = var.onlyoffice_jwt_token
+
+ xray_reality_clients = var.xray_reality_clients
+ xray_reality_private_key = var.xray_reality_private_key
+ xray_reality_short_ids = var.xray_reality_short_ids
 }
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index b2294159..2c227578 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -90,6 +90,9 @@ variable "realestate_crawler_notification_settings" {
 variable "kured_notify_url" {}
 variable "onlyoffice_db_password" { type = string }
 variable "onlyoffice_jwt_token" { type = string }
+variable "xray_reality_clients" { type = list(map(string)) }
+variable "xray_reality_private_key" { type = string }
+variable "xray_reality_short_ids" { type = list(string) }
@@ -657,3 +660,12 @@ module "forgejo" {
 source = "./forgejo"
 tls_secret_name = var.tls_secret_name
 }
+
+module "xray" {
+ source = "./xray"
+ tls_secret_name = var.tls_secret_name
+
+ xray_reality_clients = var.xray_reality_clients
+ xray_reality_private_key = var.xray_reality_private_key
+ xray_reality_short_ids = var.xray_reality_short_ids
+}
diff --git a/modules/kubernetes/wireguard/main.tf b/modules/kubernetes/wireguard/main.tf
index eecf6204..c1b69b34 100644
--- a/modules/kubernetes/wireguard/main.tf
+++ b/modules/kubernetes/wireguard/main.tf
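Review bot: `variable "xray_reality_private_key" { type = string }` is declared without `sensitive = true`, so the Reality private key is printed verbatim in `terraform plan`/`apply` output and in any CI log that captures it; the same applies to `xray_reality_clients`, which by its `list(map(string))` shape presumably carries per-client credentials (confirm against the values in tfvars). Add `sensitive = true` inside both blocks (they then have to be split over several lines, since a single-line HCL block holds only one attribute); this needs Terraform 0.14 or later. The identical three declarations are repeated in the modules/kubernetes/main.tf hunk at line 90 and at the top of the new modules/kubernetes/xray/main.tf, and the flag does not propagate across module boundaries, so mark them in all three places. terraform.tfvars and terraform.tfstate appear as binary in this diff, which suggests they are encrypted in the repository, but that does not cover plan output or the state values the provider echoes.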
@@ -219,176 +219,3 @@ resource "kubernetes_service" "wireguard_exporter" { } } } - - -# resource "kubernetes_deployment" "webui" { -# metadata { -# name = "webui" -# namespace = "wireguard" -# labels = { -# app = "webui" -# } -# # annotations = { -# # "configmap.reloader.stakater.com/reload" = "wg0-conf" -# # } -# annotations = { -# "reloader.stakater.com/search" = "true" -# } -# } -# spec { -# replicas = 1 -# selector { -# match_labels = { -# app = "webui" -# } -# } -# template { -# metadata { -# labels = { -# app = "webui" -# } -# } -# spec { -# init_container { -# image = "busybox" -# name = "setup-config" -# command = ["/bin/sh", "-c", "cat /config/config.json && cp /config/config.json /cache/config.json"] -# # command = ["/bin/sh", "-c", "cat /config/config.json /cache/config.json; tail -f /dev/null"] -# volume_mount { -# name = "config" -# mount_path = "/config/config.json" -# sub_path = "config.json" -# } -# volume_mount { -# name = "cache" -# mount_path = "/cache" -# } -# } -# container { -# image = "embarkstudios/wireguard-ui:latest" -# name = "webui" -# image_pull_policy = "IfNotPresent" -# lifecycle { -# } -# command = ["/wireguard-ui"] -# args = [ -# "--data-dir", -# "/data", -# "--log-level", -# "debug", -# "--wg-endpoint", -# "vpn.viktorbarzin.me:51820", -# "--wg-dns", -# "10.0.20.1", -# "--wg-allowed-ips", -# "0.0.0.0/0", -# "--client-ip-range", -# "10.3.3.10/24", -# "--no-nat", -# ] -# port { -# container_port = 8080 -# protocol = "TCP" -# } -# security_context { -# capabilities { -# add = ["NET_ADMIN", "SYS_MODULE", "CAP_SYS_ADMIN"] -# } -# } - -# # volume_mount { -# # name = "wg0-key" -# # mount_path = "/data/config.json" -# # sub_path = "config.json" -# # } -# volume_mount { -# name = "cache" -# mount_path = "/data" -# } -# # volume_mount { -# # name = "wg0-key" -# # mount_path = "/etc/wireguard/wg0.key" -# # sub_path = "wg0.key" -# # } -# } -# # volume { -# # name = "wg0-conf" -# # config_map { -# # name = "wg0-conf" -# # } -# # } -# volume { -# 
name = "config" -# secret { -# secret_name = "wg0-key" -# items { -# key = "wg-ui-config" -# path = "config.json" -# } -# } -# } -# volume { -# name = "cache" -# empty_dir { -# } -# } -# } -# } -# } -# } -# resource "kubernetes_service" "webui" { -# metadata { -# name = "webui" -# namespace = "wireguard" - -# labels = { -# app = "webui" -# } -# } -# spec { -# type = "ClusterIP" -# port { -# name = "http" -# protocol = "TCP" -# port = 80 -# target_port = "8080" -# } -# selector = { -# app = "webui" -# } -# } -# } - - -# resource "kubernetes_ingress_v1" "webui" { -# metadata { -# name = "webui-ingress" -# namespace = "wireguard" -# annotations = { -# "kubernetes.io/ingress.class" = "nginx" -# } -# } - -# spec { -# tls { -# hosts = ["wg.viktorbarzin.me"] -# secret_name = var.tls_secret_name -# } -# rule { -# host = "wg.viktorbarzin.me" -# http { -# path { -# path = "/" -# backend { -# service { -# name = "webui" -# port { -# number = 80 -# } -# } -# } -# } -# } -# } -# } -# } diff --git a/modules/kubernetes/xray/main.tf b/modules/kubernetes/xray/main.tf new file mode 100644 index 00000000..85a17a70 --- /dev/null +++ b/modules/kubernetes/xray/main.tf 
@@ -0,0 +1,284 @@ +variable "tls_secret_name" {} +variable "xray_reality_clients" { type = list(map(string)) } +variable "xray_reality_private_key" { type = string } +variable "xray_reality_short_ids" { type = list(string) } + + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = "xray" + tls_secret_name = var.tls_secret_name +} + +resource "kubernetes_namespace" "xray" { + metadata { + name = "xray" + } +} + +resource "kubernetes_config_map" "xray_config" { + metadata { + name = "xray-config" + namespace = "xray" + + labels = { + app = "xray" + } + annotations = { + "reloader.stakater.com/match" = "true" + } + } + + data = { + "config.json" = templatefile("${path.module}/xray_config.json.tpl", { + clients = jsonencode(var.xray_reality_clients) + reality_private_key = var.xray_reality_private_key + reality_short_ids = jsonencode(var.xray_reality_short_ids) + }) + } +} + +resource "kubernetes_deployment" "xray" { + metadata { + name = "xray" + namespace = "xray" + labels = { + app = "xray" + } + annotations = { + "reloader.stakater.com/search" = "true" + } + } + spec { + replicas = 1 + strategy { + rolling_update { + max_surge = "2" + max_unavailable = "0" + } + } + selector { + match_labels = { + app = "xray" + } + } + template { + metadata { + labels = { + app = "xray" + } + } + spec { + container { + image = "teddysun/xray" + name = "xray" + image_pull_policy = "IfNotPresent" + port { + container_port = 6443 // vless + protocol = "TCP" + } + port { + container_port = 7443 // reality + protocol = "TCP" + } + port { + container_port = 8443 // websocket + protocol = "TCP" + } + port { + container_port = 9443 // gRPC + protocol = "TCP" + } + volume_mount { + name = "tls" + mount_path = "/etc/xray/tls.crt" + sub_path = "tls.crt" + } + volume_mount { + name = "tls" + mount_path = "/etc/xray/tls.key" + sub_path = "tls.key" + } + volume_mount { + name = "config" + mount_path = "/etc/xray/config.json" + sub_path = "config.json" + } + } + + volume { + 
name = "tls" + secret { + secret_name = var.tls_secret_name + } + } + volume { + name = "config" + config_map { + name = "xray-config" + } + } + } + } + } +} + +resource "kubernetes_service" "xray" { + metadata { + name = "xray" + namespace = "xray" + labels = { + "app" = "xray" + } + } + + spec { + selector = { + app = "xray" + } + port { + name = "vless" + port = 6443 + protocol = "TCP" + } + port { + name = "websocket" + port = 8443 + protocol = "TCP" + } + port { + name = "grpc" + port = 9443 + protocol = "TCP" + } + } +} + +resource "kubernetes_service" "xray-reality" { + metadata { + name = "xray-reality" + namespace = "xray" + labels = { + "app" = "xray" + } + } + + spec { + type = "LoadBalancer" + selector = { + app = "xray" + } + port { + name = "reality" + port = 7443 + protocol = "TCP" + } + } +} + +resource "kubernetes_ingress_v1" "ingress" { + metadata { + namespace = "xray" + name = "xray" + annotations = { + "kubernetes.io/ingress.class" = "nginx" + "nginx.ingress.kubernetes.io/backend-protocol" = "HTTP" + "nginx.org/websocket-services" : "xray" + "nginx.ingress.kubernetes.io/enable-access-log" = "false" + } + } + + spec { + tls { + hosts = ["xray-ws.viktorbarzin.me"] + secret_name = var.tls_secret_name + } + rule { + host = "xray-ws.viktorbarzin.me" + http { + path { + backend { + service { + name = "xray" + port { + number = 8443 + + } + } + } + } + } + } + } +} + +resource "kubernetes_ingress_v1" "ingress-grpc" { + metadata { + namespace = "xray" + name = "xray-grpc" + annotations = { + "kubernetes.io/ingress.class" = "nginx" + "nginx.ingress.kubernetes.io/enable-access-log" = "false" + "nginx.ingress.kubernetes.io/backend-protocol" = "GRPC" + "nginx.ingress.kubernetes.io/proxy-read-timeout" = "3600" + "nginx.ingress.kubernetes.io/proxy-send-timeout" = "3600" + } + } + + spec { + tls { + hosts = ["xray-grpc.viktorbarzin.me"] + secret_name = var.tls_secret_name + } + rule { + host = "xray-grpc.viktorbarzin.me" + http { + path { + path = "/grpc-vpn" 
+ path_type = "Prefix" + backend { + service { + name = "xray" + port { + number = 9443 + } + } + } + } + } + } + } +} + +resource "kubernetes_ingress_v1" "ingress-vless" { + metadata { + namespace = "xray" + name = "xray-vless" + annotations = { + "kubernetes.io/ingress.class" = "nginx" + } + } + + spec { + tls { + hosts = ["xray-vless.viktorbarzin.me"] + secret_name = var.tls_secret_name + } + rule { + host = "xray-vless.viktorbarzin.me" + http { + path { + backend { + service { + name = "xray" + port { + number = 6443 + + } + } + } + } + } + } + } +} diff --git a/modules/kubernetes/xray/xray_config.json.tpl b/modules/kubernetes/xray/xray_config.json.tpl new file mode 100644 index 00000000..a3cefd3a --- /dev/null +++ b/modules/kubernetes/xray/xray_config.json.tpl 
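Review bot: The rendered config.json, which embeds `reality_private_key` and the client list, is stored in `kubernetes_config_map.xray_config` rather than in a Secret; ConfigMap contents are readable by any principal with `get configmaps` in the `xray` namespace, are not covered by etcd encryption-at-rest configured for Secrets, and the kubernetes provider shows them in clear text in plan output. Moving the `data` map to a `kubernetes_secret` and changing the `config` volume from `config_map { name = "xray-config" }` to `secret { secret_name = "xray-config" }` leaves the rest of the deployment unchanged (the stakater reloader annotations also watch Secrets, as far as I know — confirm). Separately, `image = "teddysun/xray"` carries no tag or digest, so each pull resolves `latest` and the deployed binary is whatever the registry served at that moment; pin a version or an `@sha256:` digest. The `xray` Service's `vless` port and the `ingress-vless` backend target 6443, but the template in modules/kubernetes/xray/xray_config.json.tpl defines inbounds only on 7443, 8443 and 9443, so that ingress has no listener behind it — either add the inbound or drop the container port, service port and ingress.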
@@ -0,0 +1,80 @@
+{
+ "log": {
+ "loglevel": "none"
+ },
+ "inbounds": [
+ {
+ "port": 7443,
+ "protocol": "vless",
+ "settings": {
+ "clients": ${clients},
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "tcp",
+ "security": "reality",
+ "realitySettings": {
+ "show": false,
+ "dest": "www.cloudflare.com:443",
+ "xver": 0,
+ "serverNames": [
+ "www.cloudflare.com"
+ ],
+ "privateKey": "${reality_private_key}",
+ "shortIds": ${reality_short_ids}
+ }
+ }
+ },
+ {
+ "port": 8443,
+ "protocol": "vless",
+ "settings": {
+ "clients": ${clients},
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "ws",
+ "security": "none",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/xray/tls.crt",
+ "keyFile": "/etc/xray/tls.key"
+ }
+ ]
+ },
+ "wsSettings": {
+ "path": "/ws"
+ }
+ }
+ },
+ {
+ "port": 9443,
+ "protocol": "vless",
+ "settings": {
+ "clients": ${clients},
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "security": "none",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/xray/tls.crt",
+ "keyFile": "/etc/xray/tls.key"
+ }
+ ]
+ },
+ "xhttpSettings": {
+ "path": "/grpc-vpn"
+ }
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom"
+ }
+ ]
+}
diff --git a/terraform.tfstate b/terraform.tfstate
index 74897df3..edd64472 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index c3a593fd..33101bfb 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ
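Review bot: `"privateKey": "${reality_private_key}"` interpolates the key as raw text inside a JSON string, while `clients` and `shortIds` are passed through `jsonencode()` on the Terraform side; a value containing `"` or `\` yields invalid JSON that xray refuses to load, and the asymmetry is easy to trip over when the key is rotated. Making it consistent is a two-line change: `"privateKey": ${reality_private_key},` here and `reality_private_key = jsonencode(var.xray_reality_private_key)` in the `templatefile()` call in modules/kubernetes/xray/main.tf. `"loglevel": "none"` also silences error and warning output entirely, leaving nothing for the cluster's log pipeline when the inbound is probed or the config fails to parse; `"warning"` keeps that signal without logging per-connection detail. The `tlsSettings` blocks on the 8443 and 9443 inbounds are inert because both set `"security": "none"` (TLS is terminated at the ingress), so they can be dropped rather than suggest the mounted certificate is in use.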