commit 0bd6cd012d2c9af527dbb6d1805743e9b4796f4a
Author: Swordsteel
Date: Mon Aug 25 19:20:19 2025 +0200
initialize wg-easy
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
new file mode 100644
index 0000000..0dced27
--- /dev/null
+++ b/.gitea/workflows/release.yaml
@@ -0,0 +1,11 @@
+name: Publish Helm Chart
+
+on:
+ workflow_dispatch:
+
+jobs:
+ call-helm-ci:
+ uses: helm/common-workflows/.gitea/workflows/release.yaml@master
+ secrets:
+ CI_BOT_USERNAME: ${{ secrets.CI_BOT_USERNAME }}
+ CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62c8935
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8c94421
--- /dev/null
+++ b/README.md
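Review bot: The reusable workflow is referenced by a mutable branch, `uses: helm/common-workflows/.gitea/workflows/release.yaml@master`, so anyone who can push to that branch changes what runs with `CI_BOT_TOKEN` in hand. Pin the reference to a release tag or, better, a full commit SHA, e.g. `uses: helm/common-workflows/.gitea/workflows/release.yaml@<commit-sha>  # vX.Y`, and bump it deliberately. It is also worth checking that the bot token carries no more scope than publishing the chart needs, since the workflow hands it to code this repository does not control.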
@@ -0,0 +1,146 @@
+# WireGuard with UI
+
+## Basic stuff
+
+### Install
+
+```shell
+helm install wg-easy ./helm --namespace wireguard --create-namespace
+```
+
+### Update
+
+```shell
+helm -n wireguard upgrade wg-easy ./helm/
+```
+
+### Check
+
+```shell
+kubectl -n wireguard get cm,pvc,pod,svc
+```
+
+### Tail Log
+
+```shell
+kubectl -n wireguard logs -f wg-easy-0
+```
+
+### Delete
+
+```shell
+kubectl delete ns wireguard
+```
+
+## K8s and unsafe option
+
+Config file on k8s host
+
+```shell
+sudo nano /var/snap/microk8s/current/args/kubelet
+```
+
+add `ipv4` and `ipv6` to be added to the end of the `kubelet` file.
+
+> --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding
+
+## Changing IP
+
+these are recommended, as we use 8.0.0.0/8 for other things...
+
+```
+IPv4 172.16.0.0/24
+IPv6 fdb0::/112
+```
+
+> info: changing ip's, a restart of the pod is needed... for iptables and nat to change to new ip.
+
+## Problems with traffic
+
+This are more here for help if there is problem
+
+### Rout traffic
+
+Here is two ways of making the k8s server handle routing of traffic
+
+#### persistent iptables
+
+```shell
+sudo apt install iptables-persistent
+```
+
+- replace `` with your network card like `eth0`.
+- replace `` with ip like `10.8.0.0/24`.
+- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
+
+```shell
+sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
+sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
+```
+
+```shell
+sudo netfilter-persistent save
+```
+
+#### Systemd service
+
+create this file `/etc/systemd/system/wireguard-masquerade.service`
+
+```shell
+sudo nano /etc/systemd/system/wireguard-masquerade.service
+```
+
+Changes
+
+- replace `` with your network card like `eth0`.
+- replace `` with ip like `10.8.0.0/24`.
+- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
+
+```
+[Unit]
+Description=WireGuard MASQUERADE for and
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
+ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s -o -j MASQUERADE
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+```
+
+##### Enable
+
+```shell
+sudo systemctl enable wireguard-masquerade
+```
+
+##### Start
+
+```shell
+sudo systemctl start wireguard-masquerade
+```
+
+### check things
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward
+```
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding
+```
+
+```shell
+kubectl -n wireguard exec -it wg-easy-0 -- wg show
+```
+
+```shell
+microk8s kubectl -n wireguard exec -it wg-easy-0 -- iptables -t nat -L -n -v | grep 10.8
+```
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- ip add
+```
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..4364ac3
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: wg-easy
+description: Helm chart for wg-easy with MetalLB and StatefulSet
+type: application
+version: 0.1.0
+appVersion: "15.1.0"
\ No newline at end of file
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..eac6369
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,7 @@
+{{ define "wg-easy.name" -}}
+{{ .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{ define "wg-easy.environment" -}}
+{{ printf "environment-%s" .Chart.Name | trunc 51 | trimSuffix "-" }}
+{{- end }}
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
new file mode 100644
index 0000000..8d12561
--- /dev/null
+++ b/helm/templates/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "wg-easy.environment" . }}
+data:
+ PGID: {{ .Values.environment.PGID | quote }}
+ PUID: {{ .Values.environment.PUID | quote }}
+ INSECURE: {{ .Values.environment.INSECURE | quote }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 0000000..1dc6b18
--- /dev/null
+++ b/helm/templates/service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "wg-easy.name" . }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ selector:
+ app: {{ include "wg-easy.name" . }}
+ ports:
+ - name: http
+ port: {{ .Values.service.uiPort }}
+ targetPort: 51821
+ protocol: TCP
+ - name: wireguard
+ port: {{ .Values.service.wgPort }}
+ targetPort: {{ .Values.service.wgPort }}
+ protocol: UDP
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
new file mode 100644
index 0000000..936f873
--- /dev/null
+++ b/helm/templates/statefulset.yaml
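Review bot: A change to this ConfigMap is not rolled out, because the StatefulSet pod template in this commit carries no checksum of it, so a `helm upgrade` that flips `INSECURE` or changes `PUID`/`PGID` leaves the running pod on the old values until someone restarts it by hand. Add `checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}` under the pod template's `metadata.annotations` in statefulset.yaml so a config change triggers a rollout. Since `INSECURE` is the one security-relevant switch the chart exposes, a silently stale value is exactly the case worth avoiding.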
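Review bot: The management UI is published on the external LoadBalancer in cleartext: the `http` entry maps `uiPort` (80 in values.yaml) to container port 51821 with no TLS termination anywhere in the chart, on the same address as the WireGuard UDP endpoint. Anyone who can reach the VPN endpoint can therefore reach the admin login over plain HTTP. Consider serving the UI from a separate `ClusterIP` service behind a TLS-terminating ingress, or at least make it opt-in by wrapping the `http` port in `{{- if .Values.service.exposeUI }}` … `{{- end }}` so the default exposure is WireGuard only. I believe `spec.loadBalancerIP` is also deprecated in recent Kubernetes releases in favor of provider-specific annotations, which is worth a comment next to the value.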
@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "wg-easy.name" . }}
+ labels:
+ app: {{ include "wg-easy.name" . }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "wg-easy.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "wg-easy.name" . }}
+ spec:
+ securityContext:
+ sysctls:
+ {{- if .Values.system.ipv4Forward }}
+ - name: net.ipv4.ip_forward
+ value: "1"
+ {{- end }}
+ {{- if .Values.system.ipv6Forward }}
+ - name: net.ipv6.conf.all.forwarding
+ value: "1"
+ {{- end }}
+ containers:
+ - name: {{ include "wg-easy.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 51821
+ protocol: TCP
+ - name: wireguard
+ containerPort: {{ .Values.service.wgPort }}
+ protocol: UDP
+ envFrom:
+ - configMapRef:
+ name: {{ include "wg-easy.environment" . }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "SYS_MODULE"]
+ volumeMounts:
+ - name: data
+ mountPath: /etc/wireguard
+ {{- if .Values.resources }}
+ resources:
+ {{- if .Values.resources.requests }}
+ requests:
+ {{- if .Values.resources.requests.cpu }}
+ cpu: "{{ .Values.resources.requests.cpu }}"
+ {{- end }}
+ {{- if .Values.resources.requests.memory }}
+ memory: "{{ .Values.resources.requests.memory }}"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.resources.limits }}
+ limits:
+ {{- if .Values.resources.limits.cpu }}
+ cpu: "{{ .Values.resources.limits.cpu }}"
+ {{- end }}
+ {{- if .Values.resources.limits.memory }}
+ memory: "{{ .Values.resources.limits.memory }}"
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: {{ .Values.persistence.accessModes }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+ {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}
+ storageClassName: {{ .Values.persistence.storageClass | quote }}
+ {{- end }}
\ No newline at end of file
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..5f9d178
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,36 @@
+replicaCount: 1
+
+image:
+ repository: ghcr.io/wg-easy/wg-easy
+ tag: 15.1.0
+ pullPolicy: IfNotPresent
+
+persistence:
+ accessModes:
+ - ReadWriteOnce
+ size: 1Gi
+ storageClass:
+
+environment:
+ INSECURE: true
+ PGID: 1000
+ PUID: 1000
+
+resources:
+ requests:
+ cpu: "500m"
+ memory: "128Mi"
+ limits:
+ cpu: "2000m"
+ memory: "512Mi"
+
+service:
+# type: ClusterIP
+ type: LoadBalancer
+ loadBalancerIP: 10.0.3.15
+ uiPort: 80
+ wgPort: 51820
+
+system:
+ ipv4Forward: true
+ ipv6Forward: false
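Review bot: The container is granted `SYS_MODULE` unconditionally in `add: ["NET_ADMIN", "SYS_MODULE"]`, which lets the pod load arbitrary kernel modules on the node and is effectively host root; on kernels that ship WireGuard built in (5.6 and later) the module load is, as far as I can tell, not needed, and the README's `wg show` check would confirm that. Make it opt-in behind a value, drop every other capability, and block privilege escalation so a compromise of the UI stays inside the pod. The `sysctls` block also depends on the kubelet `--allowed-unsafe-sysctls` allow-list described in the README, which deserves a comment above `sysctls:` so the pod's `SysctlForbidden` failure is not a surprise. Note as well that `replicaCount` above 1 would give each replica its own PVC and therefore its own server keys behind one LoadBalancer address.

```yaml
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add:
              - NET_ADMIN
              {{- if .Values.securityContext.sysModule }}
              - SYS_MODULE
              {{- end }}
        # … unchanged: volumeMounts, resources …
```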
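Review bot: The defaults make the chart insecure out of the box: `INSECURE: true` combined with `uiPort: 80` and `type: LoadBalancer` publishes the admin UI over cleartext HTTP on the VPN's public address, and nothing tells the operator what the flag relaxes. Default to `INSECURE: false` and document it, e.g. `# INSECURE: presumably lets the web UI be used without HTTPS; keep false unless the UI sits behind a TLS-terminating proxy`. `loadBalancerIP: 10.0.3.15` is a site-specific address baked into the chart default and should be left empty for the installer to set. The image is pinned by tag only (`tag: 15.1.0`); for a VPN gateway consider pinning by digest (`@sha256:…`), which would need the `image:` line in statefulset.yaml to accept a digest as well as a tag.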