From 2d56389b22babbdb0a47ae5482360c8aa587dc1e Mon Sep 17 00:00:00 2001
From: Roger Sikorski <roger@sikorski.cloud>
Date: Fri, 5 Dec 2025 22:11:25 +0100
Subject: [PATCH] feature/transmission-with-vpn

---
 .../transmission/ImagePolicy.yaml             | 12 +++
 .../transmission/ImageRepository.yaml         |  9 ++
 .../transmission-with-vpn/IngressRoute.yaml   | 39 ++++++++
 .../configmap/gluetun.yaml                    | 17 ++++
 .../transmission-with-vpn/deployment.yaml     | 90 +++++++++++++++++++
 .../transmission-with-vpn/pvc/gluetun.yaml    | 16 ++++
 .../pvc/transmission-config.yaml              | 16 ++++
 .../transmission-with-vpn/service.yaml        | 15 ++++
 8 files changed, 214 insertions(+)
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImagePolicy.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImageRepository.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/IngressRoute.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/configmap/gluetun.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/deployment.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/pvc/gluetun.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/pvc/transmission-config.yaml
 create mode 100644 cluster/apps/plex-and-tools/transmission-with-vpn/service.yaml

diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImagePolicy.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImagePolicy.yaml
new file mode 100644
index 0000000..32d81ae
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImagePolicy.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImagePolicy
+metadata:
+  name: tranmission
+  namespace: plex-and-tools
+spec:
+  imageRepositoryRef:
+    name: tranmission
+  policy:
+    semver:
+      range: '4.*.*'
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImageRepository.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImageRepository.yaml
new file mode 100644
index 0000000..b54a028
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/ImageAutomation/transmission/ImageRepository.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageRepository
+metadata:
+  name: tranmission
+  namespace: plex-and-tools
+spec:
+  image: ghcr.io/linuxserver/transmission
+  interval: 24h
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/IngressRoute.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/IngressRoute.yaml
new file mode 100644
index 0000000..c3091de
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/IngressRoute.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: transmission-with-vpn
+  namespace: plex-and-tools
+  labels:
+    app: transmission-with-vpn
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`transmission.example.org`)
+      kind: Rule
+      services:
+        - name: transmission-with-vpn
+          port: http
+      middlewares:
+        - name: security
+          namespace: traefik
+        - name: authentik-proxy
+          namespace: authentik
+
+    - match: Host(`transmission.example.org`) && PathPrefix(`/outpost.goauthentik.io/`)
+      priority: 15
+      kind: Rule
+      services:
+        - name: authentik-proxy
+          namespace: authentik
+          port: http
+      middlewares:
+        - name: security
+          namespace: traefik
+
+  tls:
+    secretName: transmission.example.org
+    options:
+      name: tls-security
+      namespace: traefik
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/configmap/gluetun.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/configmap/gluetun.yaml
new file mode 100644
index 0000000..cc4219f
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/configmap/gluetun.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: transmission-with-vpn-gluetun
+  namespace: plex-and-tools
+  labels:
+    app: transmission-with-vpn
+data:
+  # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
+
+  ### cyberghost ###
+  # https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/cyberghost.md
+  VPN_SERVICE_PROVIDER: 'cyberghost'
+  OPENVPN_USER: 'example'
+  OPENVPN_PASSWORD: 'example'
+  SERVER_COUNTRIES: 'Germany'
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/deployment.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/deployment.yaml
new file mode 100644
index 0000000..14c77c4
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/deployment.yaml
@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: transmission-with-vpn
+  namespace: plex-and-tools
+  annotations:
+    reloader.stakater.com/auto: 'true'
+  labels:
+    app: transmission-with-vpn
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate # because of iptables rules + torrent downloads
+  selector:
+    matchLabels:
+      app: transmission-with-vpn
+  template:
+    metadata:
+      labels:
+        app: transmission-with-vpn
+    spec:
+      terminationGracePeriodSeconds: 120 # to ensure that ip rules get deleted clean
+      containers:
+        - name: gluetun
+          # https://hub.docker.com/r/qmcgaw/gluetun
+          image: qmcgaw/gluetun:v3.40.0 # {"$imagepolicy": "plex-and-tools:gluetun"}
+          imagePullPolicy: IfNotPresent
+          # https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/kubernetes.md#adding-ipv6-rule--file-exists
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  [
+                    '/bin/sh',
+                    '-c',
+                    '(ip rule del table 51820; ip -6 rule del table 51820) || true',
+                  ]
+          resources:
+            limits:
+              memory: 2Gi
+            requests:
+              memory: 1Gi
+              cpu: 10m
+          envFrom:
+            - configMapRef:
+                name: transmission-with-vpn-gluetun
+          volumeMounts:
+            - mountPath: '/gluetun/'
+              name: transmission-with-vpn-gluetun
+          securityContext:
+            privileged: true
+            capabilities:
+              add:
+                - NET_ADMIN
+
+        - name: transmission
+          # https://hub.docker.com/r/linuxserver/transmission
+          image: ghcr.io/linuxserver/transmission:4.0.6 # {"$imagepolicy": "plex-and-tools:transmission"}
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              memory: 2Gi
+            requests:
+              memory: 1Gi
+              cpu: 10m
+          ports:
+            - name: http
+              containerPort: 9091
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: plex-and-tools
+          volumeMounts:
+            - name: transmission-with-vpn-transmission
+              mountPath: '/config/'
+            - name: plex-media
+              mountPath: /mnt/plex-media/
+      volumes:
+        - name: transmission-with-vpn-gluetun
+          persistentVolumeClaim:
+            claimName: transmission-with-vpn-gluetun
+
+        - name: transmission-with-vpn-transmission
+          persistentVolumeClaim:
+            claimName: transmission-with-vpn-transmission
+
+        # nfs
+        - name: plex-media
+          persistentVolumeClaim:
+            claimName: plex-media
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/pvc/gluetun.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/pvc/gluetun.yaml
new file mode 100644
index 0000000..8662ccc
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/pvc/gluetun.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: transmission-with-vpn-gluetun
+  namespace: plex-and-tools
+  labels:
+    app: transmission-with-vpn
+    velero.io/exclude-from-backup: 'true' # because this is nfs storage
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: k8s-nfs-ssd
+  resources:
+    requests:
+      storage: 20Mi
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/pvc/transmission-config.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/pvc/transmission-config.yaml
new file mode 100644
index 0000000..0bb6943
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/pvc/transmission-config.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: transmission-with-vpn-transmission
+  namespace: plex-and-tools
+  labels:
+    app: transmission-with-vpn
+    velero.io/exclude-from-backup: 'true' # because this is nfs storage
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: k8s-nfs-ssd
+  resources:
+    requests:
+      storage: 100Mi
diff --git a/cluster/apps/plex-and-tools/transmission-with-vpn/service.yaml b/cluster/apps/plex-and-tools/transmission-with-vpn/service.yaml
new file mode 100644
index 0000000..1eaac03
--- /dev/null
+++ b/cluster/apps/plex-and-tools/transmission-with-vpn/service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: transmission-with-vpn
+  namespace: plex-and-tools
+  labels:
+    app: transmission-with-vpn
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+  selector:
+    app: transmission-with-vpn