From c35412c99b4330320c2222b1fc4eacc47fb03876 Mon Sep 17 00:00:00 2001
From: Swordsteel
Date: Mon, 25 Aug 2025 19:20:19 +0200
Subject: [PATCH] test
---
.gitea/workflows/release.yaml | 11 ++++
.gitignore | 1 +
README.md | 102 ++++++++++++++++++++++++++++++++
helm/.helmignore | 23 +++++++
helm/Chart.yaml | 6 ++
helm/templates/_helpers.tpl | 2 +
helm/templates/configmap.yaml | 8 +++
helm/templates/service.yaml | 20 +++++++
helm/templates/statefulset.yaml | 78 ++++++++++++++++++++++++
helm/values.yaml | 34 +++++++++++
10 files changed, 285 insertions(+)
create mode 100644 .gitea/workflows/release.yaml
create mode 100644 .gitignore
create mode 100644 README.md
create mode 100644 helm/.helmignore
create mode 100644 helm/Chart.yaml
create mode 100644 helm/templates/_helpers.tpl
create mode 100644 helm/templates/configmap.yaml
create mode 100644 helm/templates/service.yaml
create mode 100644 helm/templates/statefulset.yaml
create mode 100644 helm/values.yaml
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
new file mode 100644
index 0000000..0dced27
--- /dev/null
+++ b/.gitea/workflows/release.yaml
@@ -0,0 +1,11 @@
+name: Publish Helm Chart
+
+on:
+ workflow_dispatch:
+
+jobs:
+ call-helm-ci:
+ uses: helm/common-workflows/.gitea/workflows/release.yaml@master
+ secrets:
+ CI_BOT_USERNAME: ${{ secrets.CI_BOT_USERNAME }}
+ CI_BOT_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..62c8935
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..fb1dee9
--- /dev/null
+++ b/README.md
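Review bot: `uses: helm/common-workflows/.gitea/workflows/release.yaml@master` resolves a mutable branch on every run, and the `secrets:` block below it hands that workflow `CI_BOT_USERNAME` and `CI_BOT_TOKEN`, so anyone who can push to that branch can change what executes with the bot's credentials. Pin the reusable workflow to an immutable ref, preferably a full commit SHA with the tag recorded beside it, e.g. `uses: helm/common-workflows/.gitea/workflows/release.yaml@<commit-sha>  # <release-tag>`, and move it deliberately when updating. The indentation in this hunk appears flattened by the mail rendering, so the nesting of `call-helm-ci` under `jobs:` is assumed rather than visible.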
@@ -0,0 +1,102 @@
+# WireGuard with UI
+
+## K8s and unsafe option
+
+Config file on k8s host
+
+```shell
+sudo nano /var/snap/microk8s/current/args/kubelet
+```
+
+add `ipv4` and `ipv6` to be added to the end of the `kubelet` file.
+
+> --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv6.conf.all.forwarding
+
+## Changing IP
+
+these are recommended, as we use 8.0.0.0/8 for other things...
+
+```
+IPv4 172.16.0.0/24
+IPv6 fdb0::/112
+```
+
+> info: changing ip's, a restart of the pod is needed... for iptables and nat to change to new ip.
+
+## Rout traffic
+
+Here is two ways of making the k8s server handle routing of traffic
+
+### persistent iptables
+
+```shell
+sudo apt install iptables-persistent
+```
+
+- replace `` with your network card like `eth0`.
+- replace `` with ip like `10.8.0.0/24`.
+- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
+
+```shell
+sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
+sudo iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
+```
+
+```shell
+sudo netfilter-persistent save
+```
+
+### Systemd service
+
+create this file `/etc/systemd/system/wireguard-masquerade.service`
+
+```shell
+sudo nano /etc/systemd/system/wireguard-masquerade.service
+```
+
+Changes
+
+- replace `` with your network card like `eth0`.
+- replace `` with ip like `10.8.0.0/24`.
+- replace `` with ip like `fdcc:ad94:bacf:61a4::cafe:0/112`.
+
+```
+[Unit]
+Description=WireGuard MASQUERADE for and
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s -o -j MASQUERADE
+ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s -o -j MASQUERADE
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+```
+
+#### Enable
+
+```shell
+sudo systemctl enable wireguard-masquerade
+```
+
+#### Start
+
+```shell
+sudo systemctl start wireguard-masquerade
+```
+
+## check system
+
+check IPv4 packet forwarding status.
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv4.ip_forward
+```
+
+check IPv6 packet forwarding status.
+
+```shell
+kubectl -n wireguard exec -it pod/wg-easy-0 -- sysctl net.ipv6.conf.all.forwarding
+```
diff --git a/helm/.helmignore b/helm/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..4364ac3
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: wg-easy
+description: Helm chart for wg-easy with MetalLB and StatefulSet
+type: application
+version: 0.1.0
+appVersion: "15.1.0"
\ No newline at end of file
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..4fec5ff
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,2 @@
+{{- define "wg-easy.name" -}}wg-easy{{- end }}
+{{ define "wg-easy.environment" -}}wg-easy-environment{{- end }}
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
new file mode 100644
index 0000000..2352bba
--- /dev/null
+++ b/helm/templates/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "wg-easy.environment" . }}
+data:
+ INSECURE: {{ .Values.environment.INSECURE | default "true" | quote }}
+ PGID: {{ .Values.environment.PGID | default "1000" | quote }}
+ PUID: {{ .Values.environment.PUID | default "1000" | quote }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 0000000..c39928e
--- /dev/null
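Review bot: `INSECURE: {{ .Values.environment.INSECURE | default "true" | quote }}` in the configmap.yaml hunk makes wg-easy's insecure mode the chart's default, so an operator gets it unless they explicitly opt out, and because values.yaml (later in this patch) only lists `# INSECURE:` as a comment the effective default is invisible to anyone reading the values file. Invert it to opt-in: `INSECURE: {{ .Values.environment.INSECURE | default "false" | quote }}` and in values.yaml replace the commented line with `INSECURE: "false"` plus a comment stating that it relaxes the admin UI's transport-security requirements and should only be `"true"` when a TLS-terminating ingress is not in front of the UI. Note that `default` also fires on an empty string, so a deliberate `INSECURE: ""` would silently become the default value; the same applies to `PGID` and `PUID`.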
+++ b/helm/templates/service.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "wg-easy.name" . }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.service.uiPort }}
+ targetPort: 51821
+ protocol: TCP
+ - name: wireguard
+ port: {{ .Values.service.wgPort }}
+ targetPort: {{ .Values.service.wgPort }}
+ protocol: UDP
+ selector:
+ app: {{ include "wg-easy.name" . }}
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml
new file mode 100644
index 0000000..e579041
--- /dev/null
+++ b/helm/templates/statefulset.yaml
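Review bot: The single Service in this hunk publishes the admin UI (`http`, `uiPort` → 51821, plain TCP) and the WireGuard UDP port under one `type:`, so as soon as an operator sets `service.type` to `LoadBalancer` to expose the tunnel through MetalLB — the use the Chart description advertises — the management UI lands on the same external IP over unencrypted HTTP. Split it into two Services: keep this one as ClusterIP with only the `http` port (to be fronted by an ingress that terminates TLS) and add a second Service carrying only the UDP port, which is the one that takes `service.type` and `loadBalancerIP`. The `{{- if and X (ne X "") }}` guard is also simpler as `{{- with ... }}`, which avoids comparing a nil value with `""` on template engines that do not short-circuit `and`; the same pattern is used for `storageClass` in statefulset.yaml.
```yaml
# … unchanged: UI Service, with the `wireguard` port entry removed …
---
apiVersion: v1
kind: Service
metadata:
  name: {{ include "wg-easy.name" . }}-wg
spec:
  type: {{ .Values.service.type }}
  {{- with .Values.service.loadBalancerIP }}
  loadBalancerIP: {{ . }}
  {{- end }}
  ports:
    - name: wireguard
      port: {{ .Values.service.wgPort }}
      targetPort: {{ .Values.service.wgPort }}
      protocol: UDP
  selector:
    app: {{ include "wg-easy.name" . }}
```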
@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "wg-easy.name" . }}
+ labels:
+ app: {{ include "wg-easy.name" . }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ include "wg-easy.name" . }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "wg-easy.name" . }}
+ spec:
+ securityContext:
+ sysctls:
+ {{- if .Values.sysctls.ipv4Forward }}
+ - name: net.ipv4.ip_forward
+ value: "1"
+ {{- end }}
+ {{- if .Values.sysctls.ipv6Forward }}
+ - name: net.ipv6.conf.all.forwarding
+ value: "1"
+ {{- end }}
+ containers:
+ - name: {{ include "wg-easy.name" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 51821
+ protocol: TCP
+ - name: wireguard
+ containerPort: {{ .Values.service.wgPort }}
+ protocol: UDP
+ envFrom:
+ - configMapRef:
+ name: {{ include "wg-easy.environment" . }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "SYS_MODULE"]
+ volumeMounts:
+ - name: wg-easy-data
+ mountPath: /etc/wireguard
+ {{- if .Values.resources }}
+ resources:
+ {{- if .Values.resources.requests }}
+ requests:
+ {{- if .Values.resources.requests.cpu }}
+ cpu: "{{ .Values.resources.requests.cpu }}"
+ {{- end }}
+ {{- if .Values.resources.requests.memory }}
+ memory: "{{ .Values.resources.requests.memory }}"
+ {{- end }}
+ {{- end }}
+ {{- if .Values.resources.limits }}
+ limits:
+ {{- if .Values.resources.limits.cpu }}
+ cpu: "{{ .Values.resources.limits.cpu }}"
+ {{- end }}
+ {{- if .Values.resources.limits.memory }}
+ memory: "{{ .Values.resources.limits.memory }}"
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumeClaimTemplates:
+ - metadata:
+ name: wg-easy-data
+ spec:
+ accessModes: {{ .Values.persistence.accessModes }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+ {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }}
+ storageClassName:
{{ .Values.persistence.storageClass | quote }}
+ {{- end }}
\ No newline at end of file
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..59569f7
--- /dev/null
+++ b/helm/values.yaml
@@ -0,0 +1,34 @@
+replicaCount: 1
+
+image:
+ repository: ghcr.io/wg-easy/wg-easy
+ tag: "15.1.0"
+ pullPolicy: IfNotPresent
+
+persistence:
+ accessModes:
+ - ReadWriteOnce
+ size: 1Gi
+ storageClass:
+
+environment: {}
+# INSECURE:
+# PGID:
+# PUID:
+
+resources:
+# requests:
+# cpu: "100m"
+# memory: "128Mi"
+# limits:
+# cpu: "250m"
+# memory: "256Mi"
+
+service:
+ type: ClusterIP
+ uiPort: 80
+ wgPort: 51820
+
+sysctls:
+ ipv4Forward: true
+ ipv6Forward: false
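Review bot: `add: ["NET_ADMIN", "SYS_MODULE"]` in the container `securityContext` of the statefulset.yaml hunk grants SYS_MODULE unconditionally; a process holding it can load kernel modules on the node, which amounts to node-level root and goes far beyond what NET_ADMIN already gives for managing the tunnel interface, and on kernels with WireGuard built in (5.6 and later) no module load is needed. Make SYS_MODULE opt-in behind a new boolean value (proposed name `capabilities.sysModule`, default `false`, documented in values.yaml as "only for nodes whose kernel lacks the wireguard module"), and consider `drop: ["ALL"]` with only the demonstrably required capabilities re-added — the PUID/PGID switch driven by the ConfigMap suggests SETUID/SETGID may be among them, so verify against a test deployment rather than assuming. Two smaller points on the same hunk: each StatefulSet replica gets its own PVC and therefore its own server keys and peer list, so `replicas: {{ .Values.replicaCount }}` deserves a comment that values above 1 are not a working scale-out; and `image:` could default the tag to `.Chart.AppVersion` (`{{ .Values.image.tag | default .Chart.AppVersion }}`) so it cannot drift from Chart.yaml.
```yaml
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                {{- if .Values.capabilities.sysModule }}
                - SYS_MODULE
                {{- end }}
# … unchanged: volumeMounts, resources, volumeClaimTemplates …
```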
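Review bot: `storageClass:` and `resources:` in the values.yaml hunk are bare keys, which YAML reads as `null` rather than as the empty string and empty map the templates are written against; it happens to work today because `if .Values.resources` is false on nil and the `and` in the `storageClass` guard appears to short-circuit on current Helm, but the intent is clearer and more portable as `storageClass: ""` and `resources: {}`. The `# INSECURE:` placeholder under `environment:` hides the fact that the ConfigMap template defaults it to `"true"`; listing the effective default explicitly here would let an operator see it without reading the templates.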