set up wg-easy env vars

adamancini · adamancini · commit e7ec485712e6 · 2025-05-07T16:26:37.000-04:00
diff --git a/applications/wg-easy/charts/wg-easy/charts/wg-easy/values.yaml b/applications/wg-easy/charts/wg-easy/charts/wg-easy/values.yaml
@@ -3,6 +3,24 @@ controllers:
   main:
     containers:
       main:
+        env:
+          # Host is required, no default makes sense
+          WG_HOST: '{{ required "external host name is required. Set wireguard.host" .Values.wireguard.host }}'
+          # Use dig with sensible defaults for all other parameters
+          WG_PORT: '{{ dig "wireguard" "port" "51820" .Values | quote }}'
+          WG_MTU: '{{ dig "wireguard" "mtu" "1420" .Values | quote }}'
+          WG_PERSISTENT_KEEPALIVE: '{{ dig "wireguard" "persistentKeepalive" "25" .Values | quote }}'
+          WG_DEFAULT_ADDRESS: '{{ dig "wireguard" "defaultAddress" "10.10.10.x" .Values | quote }}'
+          WG_DEFAULT_DNS: '{{ dig "wireguard" "defaultDns" "1.1.1.1" .Values | quote }}'
+          WG_ALLOWED_IPS: '{{ dig "wireguard" "allowedIps" "0.0.0.0/0, ::/0" .Values | quote }}'
+          # Optional parameters that default to empty if not provided
+          WG_PRE_UP: '{{ dig "wireguard" "preUp" "" .Values | quote }}'
+          WG_POST_UP: '{{ dig "wireguard" "postUp" "" .Values | quote }}'
+          WG_PRE_DOWN: '{{ dig "wireguard" "preDown" "" .Values | quote }}'
+          WG_POST_DOWN: '{{ dig "wireguard" "postDown" "" .Values | quote }}'
+        envFrom:
+          - secretRef:
+              identifier: webpass
         securityContext:
           allowPrivilegeEscalation: false
           sysctls:
@@ -28,6 +46,12 @@ controllers:
             cpu: 100m
             memory: 100Mi
 
+secrets:
+  webpass:
+    enabled: true
+    data:
+      PASSWORD: '{{ dig "wireguard" "password" nil .Values | quote }}'
+
 service:
   web:
     controller: main
@@ -85,7 +109,40 @@ wireguard:
 # Troubleshoot
 troubleshoot:
   support-bundles:
-    # Replicated supplied default support bundle spec
     replicated:
-      # -- Enables or disables the Replicated default support bundle
       enabled: true
+    # wg-easy:  # arbitrary name for your custom spec
+    #   enabled: true
+    #   collectors:
+    #     - logs:
+    #         name: wg-easy
+    #         collectorName: wg-easy
+    #         selector:
+    #           - app=wg-easy
+    #         # namespace: {{ .Release.Namespace }}
+    #         containerNames:
+    #           - wg-easy
+    #     securityContext:
+    #       allowPrivilegeEscalation: false
+    #       sysctls:
+    #         - name: net.ipv4.ip_forward
+    #           value: "1"
+    #       capabilities:
+    #         add:
+    #           - NET_ADMIN
+    #     image:
+    #       repository: ghcr.io/wg-easy/wg-easy
+    #       tag: 9.0
+    #       pullPolicy: IfNotPresent
+    #     ports:
+    #       - containerPort: 51821
+    #         protocol: TCP
+    #       - containerPort: 51820
+    #         protocol: UDP
+    #     resources:
+    #       requests:
+    #         cpu: 50m
+    #         memory: 50Mi
+    #       limits:
+    #         cpu: 100m
+    #         memory: 100Mi
diff --git a/applications/wg-easy/charts/wg-easy/values.yaml b/applications/wg-easy/charts/wg-easy/values.yaml
@@ -1,25 +1,4 @@
 wg-easy:
-#   global:
-#     fullNameOverride: public
-#   apps:
-#     wg-easy:
-#       fullNameOverride: public
-#       containers:
-#         wg-container:
-#           resources:
-#             requests:
-#               cpu: 5m
-#               memory: 35Mi
-#   persistence:
-#     config:
-#       persistentVolumeClaim:
-#         spec:
-#           resources:
-#             requests:
-#               storage: 1Gi
-#   services:
-#     vpn:
-#       type: NodePort
   wireguard:
     password: "testpass"
     host: "example.com"
@@ -28,6 +7,7 @@ wg-easy:
     defaultDns: "1.1.1.1"
     allowedIps: "0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 224.0.0.0/3"
     postUp: "iptables -A FORWARD -i wg0 -o eth0 -d 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 -j DROP; iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT"
+
 templates:
   traefikRoutes:
     web-tls:
