---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tubesync
  namespace: tubesync
spec:
  ingressClassName: haproxy
  rules:
  - host: tubesync.strudelline.net
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: oauth2-proxy
            port:
              number: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: tubesync
  name: tubesync
  annotations:
    "reloader.stakater.com/auto": "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tubesync
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: tubesync
    spec:
      terminationGracePeriodSeconds: 0
      restartPolicy: Always
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_rmem
          value: "4096 87380 33554432"
        - name: net.ipv4.tcp_wmem
          value: "4096 65536 33554432"
      initContainers:
      - name: killswitch
        image: xjasonlyu/tun2socks:latest
        command: ["sh","-c"]
        args:
        - |
            iptables -t mangle -A POSTROUTING -o eth0 -d 172.16.0.0/12 -j ACCEPT
            iptables -t mangle -A POSTROUTING -o eth0 -d 10.0.0.0/8 -j ACCEPT
            iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j ACCEPT
            iptables -t mangle -A POSTROUTING -o eth0 -j DROP
        securityContext:
          capabilities:
            add: ["NET_ADMIN","SYS_TIME"]
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: tubesync-data
      - name: video
        nfs:
          server: 172.16.18.1
          path: /volume1/video
      containers:
      - name: tubesync
        image: ghcr.io/meeb/tubesync:latest
        env:
        - name: TZ
          value: America/Chicago
        - name: PUID
          value: "1029"
        - name: PGID
          value: "101"
        volumeMounts:
        - mountPath: /downloads
          name: video
        - mountPath: /config
          name: data
      - name: vpn
        image: xjasonlyu/tun2socks:latest
        command: ["sh","-c"]
        args:
        - |
            mkdir -p /dev/net
            mknod /dev/net/tun c 10 200
            exec /entrypoint.sh
        env:
        - name: TUN
          value: tun0
        - name: PROXY
          value: socks5://172.16.17.180:1080
        - name: TUN_EXCLUDED_ROUTES
          value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
        securityContext:
          capabilities:
            add: ["NET_ADMIN","SYS_TIME"]
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: tubesync
  name: tubesync
  namespace: tubesync
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: tubesync
    port: 4848
    protocol: TCP
    targetPort: 4848
  selector:
    app: tubesync
  sessionAffinity: None
  type: ClusterIP