From e5e813afb5383ef3fb0768b0fea4f6d87af26e44 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 22 Aug 2025 21:41:51 +0000 Subject: [PATCH] add xray along with multiple configs [ci skip] --- main.tf | 8 + modules/kubernetes/main.tf | 12 + modules/kubernetes/xray/main.tf | 284 +++++++++++++++++++ modules/kubernetes/xray/xray_config.json.tpl | 80 ++++++ 4 files changed, 384 insertions(+) create mode 100644 modules/kubernetes/xray/main.tf create mode 100644 modules/kubernetes/xray/xray_config.json.tpl diff --git a/main.tf b/main.tf index d104e4d0..1966bb6d 100644 --- a/main.tf +++ b/main.tf @@ -108,6 +108,10 @@ variable "realestate_crawler_notification_settings" { variable "kured_notify_url" {} variable "onlyoffice_db_password" { type = string } variable "onlyoffice_jwt_token" { type = string } +variable "xray_reality_clients" { type = list(map(string)) } +variable "xray_reality_private_key" { type = string } +variable "xray_reality_short_ids" { type = list(string) } + # data "terraform_remote_state" "foo" { # backend = "kubernetes" @@ -430,6 +434,10 @@ module "kubernetes_cluster" { onlyoffice_db_password = var.onlyoffice_db_password onlyoffice_jwt_token = var.onlyoffice_jwt_token + + xray_reality_clients = var.xray_reality_clients + xray_reality_private_key = var.xray_reality_private_key + xray_reality_short_ids = var.xray_reality_short_ids } diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index b2294159..2c227578 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -90,6 +90,9 @@ variable "realestate_crawler_notification_settings" { variable "kured_notify_url" {} variable "onlyoffice_db_password" { type = string } variable "onlyoffice_jwt_token" { type = string } +variable "xray_reality_clients" { type = list(map(string)) } +variable "xray_reality_private_key" { type = string } +variable "xray_reality_short_ids" { type = list(string) } 
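Review bot: `variable "xray_reality_private_key" { type = string }` holds the Reality private key but is not declared `sensitive = true`, so its value is echoed in `terraform plan`/`apply` output and CI logs every time the rendered config changes; the same applies to `xray_reality_clients`, which presumably carries the per-client VLESS UUIDs that act as the proxy's passwords. Add `sensitive = true` to both variable blocks (a one-line HCL block only admits one attribute, so expand them to multi-line blocks), here and in the mirrored declarations added to modules/kubernetes/main.tf further along this line. Marking them sensitive redacts output only; the values still land in Terraform state, so the state backend has to be treated as secret storage.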
@@ -657,3 +660,12 @@ module "forgejo" {
 source = "./forgejo"
 tls_secret_name = var.tls_secret_name
 }
+
+module "xray" {
+ source = "./xray"
+ tls_secret_name = var.tls_secret_name
+
+ xray_reality_clients = var.xray_reality_clients
+ xray_reality_private_key = var.xray_reality_private_key
+ xray_reality_short_ids = var.xray_reality_short_ids
+}
diff --git a/modules/kubernetes/xray/main.tf b/modules/kubernetes/xray/main.tf
new file mode 100644
index 00000000..85a17a70
--- /dev/null
+++ b/modules/kubernetes/xray/main.tf
@@ -0,0 +1,284 @@
+variable "tls_secret_name" {}
+variable "xray_reality_clients" { type = list(map(string)) }
+variable "xray_reality_private_key" { type = string }
+variable "xray_reality_short_ids" { type = list(string) }
+
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "xray"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_namespace" "xray" {
+ metadata {
+ name = "xray"
+ }
+}
+
+resource "kubernetes_config_map" "xray_config" {
+ metadata {
+ name = "xray-config"
+ namespace = "xray"
+
+ labels = {
+ app = "xray"
+ }
+ annotations = {
+ "reloader.stakater.com/match" = "true"
+ }
+ }
+
+ data = {
+ "config.json" = templatefile("${path.module}/xray_config.json.tpl", {
+ clients = jsonencode(var.xray_reality_clients)
+ reality_private_key = var.xray_reality_private_key
+ reality_short_ids = jsonencode(var.xray_reality_short_ids)
+ })
+ }
+}
+
+resource "kubernetes_deployment" "xray" {
+ metadata {
+ name = "xray"
+ namespace = "xray"
+ labels = {
+ app = "xray"
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ rolling_update {
+ max_surge = "2"
+ max_unavailable = "0"
+ }
+ }
+ selector {
+ match_labels = {
+ app = "xray"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "xray"
+ }
+ }
+ spec {
+ container {
+ image = "teddysun/xray"
+ name = "xray"
+ image_pull_policy = "IfNotPresent"
+ port {
+ container_port = 6443 // vless
+ protocol = "TCP"
+ }
+ port {
+ container_port = 7443 // reality
+ protocol = "TCP"
+ }
+ port {
+ container_port = 8443 // websocket
+ protocol = "TCP"
+ }
+ port {
+ container_port = 9443 // gRPC
+ protocol = "TCP"
+ }
+ volume_mount {
+ name = "tls"
+ mount_path = "/etc/xray/tls.crt"
+ sub_path = "tls.crt"
+ }
+ volume_mount {
+ name = "tls"
+ mount_path = "/etc/xray/tls.key"
+ sub_path = "tls.key"
+ }
+ volume_mount {
+ name = "config"
+ mount_path = "/etc/xray/config.json"
+ sub_path = "config.json"
+ }
+ }
+
+ volume {
+ name = "tls"
+ secret {
+ secret_name = var.tls_secret_name
+ }
+ }
+ volume {
+ name = "config"
+ config_map {
+ name = "xray-config"
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "xray" {
+ metadata {
+ name = "xray"
+ namespace = "xray"
+ labels = {
+ "app" = "xray"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "xray"
+ }
+ port {
+ name = "vless"
+ port = 6443
+ protocol = "TCP"
+ }
+ port {
+ name = "websocket"
+ port = 8443
+ protocol = "TCP"
+ }
+ port {
+ name = "grpc"
+ port = 9443
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_service" "xray-reality" {
+ metadata {
+ name = "xray-reality"
+ namespace = "xray"
+ labels = {
+ "app" = "xray"
+ }
+ }
+
+ spec {
+ type = "LoadBalancer"
+ selector = {
+ app = "xray"
+ }
+ port {
+ name = "reality"
+ port = 7443
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "ingress" {
+ metadata {
+ namespace = "xray"
+ name = "xray"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/backend-protocol" = "HTTP"
+ "nginx.org/websocket-services" : "xray"
+ "nginx.ingress.kubernetes.io/enable-access-log" = "false"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["xray-ws.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "xray-ws.viktorbarzin.me"
+ http {
+ path {
+ backend {
+ service {
+ name = "xray"
+ port {
+ number = 8443
+
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "ingress-grpc" {
+ metadata {
+ namespace = "xray"
+ name = "xray-grpc"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/enable-access-log" = "false"
+ "nginx.ingress.kubernetes.io/backend-protocol" = "GRPC"
+ "nginx.ingress.kubernetes.io/proxy-read-timeout" = "3600"
+ "nginx.ingress.kubernetes.io/proxy-send-timeout" = "3600"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["xray-grpc.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "xray-grpc.viktorbarzin.me"
+ http {
+ path {
+ path = "/grpc-vpn"
+ path_type = "Prefix"
+ backend {
+ service {
+ name = "xray"
+ port {
+ number = 9443
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "ingress-vless" {
+ metadata {
+ namespace = "xray"
+ name = "xray-vless"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["xray-vless.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "xray-vless.viktorbarzin.me"
+ http {
+ path {
+ backend {
+ service {
+ name = "xray"
+ port {
+ number = 6443
+
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/xray/xray_config.json.tpl b/modules/kubernetes/xray/xray_config.json.tpl
new file mode 100644
index 00000000..a3cefd3a
--- /dev/null
+++ b/modules/kubernetes/xray/xray_config.json.tpl
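Review bot: The rendered config.json, which embeds `reality_private_key` and the client credentials, is written to a `kubernetes_config_map` and mounted through a `config_map` volume, so the Reality private key sits in a plaintext ConfigMap readable by anyone with `get configmaps` in the namespace and outside the Secret-scoped RBAC and at-rest encryption the cluster may apply. Render it into a `kubernetes_secret` instead and point the `config` volume at it with `secret { secret_name = ... }`; the value still ends up in Terraform state either way, so the state backend has to be treated as secret material. Two smaller points: `image = "teddysun/xray"` carries no tag, so each node pulls whatever `latest` resolves to and `IfNotPresent` then freezes that arbitrary version per node — pin a tag or `@sha256:` digest. The `xray-vless` ingress, the `vless` service port and the `container_port = 6443` block all target port 6443, but the template added in this commit declares inbounds only on 7443, 8443 and 9443, so that path has no listener behind it.
```hcl
resource "kubernetes_secret" "xray_config" {
  metadata {
    name      = "xray-config"
    namespace = "xray"
    labels    = { app = "xray" }
    annotations = {
      "reloader.stakater.com/match" = "true"
    }
  }
  # Provider base64-encodes `data`; the rendered file holds the Reality private key.
  data = {
    "config.json" = templatefile("${path.module}/xray_config.json.tpl", {
      clients             = jsonencode(var.xray_reality_clients)
      reality_private_key = var.xray_reality_private_key
      reality_short_ids   = jsonencode(var.xray_reality_short_ids)
    })
  }
}
# … unchanged: deployment metadata, container, tls volume …
volume {
  name = "config"
  secret {
    secret_name = kubernetes_secret.xray_config.metadata[0].name
  }
}
# … unchanged: services and ingresses …
```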
@@ -0,0 +1,80 @@
+{
+ "log": {
+ "loglevel": "none"
+ },
+ "inbounds": [
+ {
+ "port": 7443,
+ "protocol": "vless",
+ "settings": {
+ "clients": ${clients},
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "tcp",
+ "security": "reality",
+ "realitySettings": {
+ "show": false,
+ "dest": "www.cloudflare.com:443",
+ "xver": 0,
+ "serverNames": [
+ "www.cloudflare.com"
+ ],
+ "privateKey": "${reality_private_key}",
+ "shortIds": ${reality_short_ids}
+ }
+ }
+ },
+ {
+ "port": 8443,
+ "protocol": "vless",
+ "settings": {
+ "clients": ${clients},
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "ws",
+ "security": "none",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/xray/tls.crt",
+ "keyFile": "/etc/xray/tls.key"
+ }
+ ]
+ },
+ "wsSettings": {
+ "path": "/ws"
+ }
+ }
+ },
+ {
+ "port": 9443,
+ "protocol": "vless",
+ "settings": {
+ "clients": ${clients},
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "xhttp",
+ "security": "none",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/xray/tls.crt",
+ "keyFile": "/etc/xray/tls.key"
+ }
+ ]
+ },
+ "xhttpSettings": {
+ "path": "/grpc-vpn"
+ }
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom"
+ }
+ ]
+}
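Review bot: The single `freedom` outbound has no `routing` section, so every authenticated client can open connections from inside the pod to private and cluster-internal addresses (pod and service CIDRs, the node, the API server via cluster DNS), which makes a leaked client UUID a pivot into the cluster rather than just free egress. Replace the outbounds block with a tagged `freedom` plus a `blackhole` outbound and route `geoip:private` to the blackhole (add the cluster's pod/service CIDRs explicitly if they fall outside the RFC 1918 ranges that list covers), and back it with a NetworkPolicy on the `xray` namespace as defence in depth. Separately, the 8443 and 9443 inbounds set `"security": "none"` yet still carry `tlsSettings` pointing at the mounted certificate; if I read xray's stream settings correctly those entries are ignored under `none`, so either remove them or make the TLS termination explicit. `"loglevel": "none"` also discards the only record of authentication failures and abuse of this proxy — `"warning"` keeps that visibility without logging client traffic.
```json
"outbounds": [
  {
    "protocol": "freedom",
    "tag": "direct"
  },
  {
    "protocol": "blackhole",
    "tag": "block"
  }
],
"routing": {
  "domainStrategy": "IPIfNonMatch",
  "rules": [
    {
      "type": "field",
      "ip": ["geoip:private"],
      "outboundTag": "block"
    }
  ]
}
```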