@ondrejmo
Created November 3, 2022 16:46
A short example of how to run aria2 RPC downloads through a WireGuard VPN in a Kubernetes cluster
---
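# Kill switch: the only egress allowed from the pod is WireGuard's UDP traffic
# to the VPN endpoint configured in wg0.conf.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: aria
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: aria
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 123.123.123.123/32
      ports:
        - protocol: UDP
          port: 51820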
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: aria-config
data:
  aria.conf: |
    ## downloads
    dir=/data
    max-concurrent-downloads=8
    max-connection-per-server=16
    disable-ipv6=true
    user-agent=Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_8_0) AppleWebKit/5312 (KHTML, like Gecko) Chrome/37.0.821.0 Mobile Safari/5312
    disk-cache=0
    file-allocation=none
    console-log-level=warn
    ## sessions
    force-save=true
    input-file=/data/sessions
    save-session=/data/sessions
    save-session-interval=10
    ## rpc
    enable-rpc=true
    rpc-listen-port=6800
    rpc-listen-all=true
    rpc-allow-origin-all=true
    # rpc-secret is the only authentication on the RPC port; replace the placeholder
    rpc-secret=changeme
    ## torrents
    max-upload-limit=16k
    dht-file-path=/data/dht.dat
    enable-dht=true
    seed-time=0
  # wg0.conf carries the WireGuard private key, which is readable by anyone who
  # can read ConfigMaps in this namespace; a Secret is the fitting object for it.
  wg0.conf: |
    [Interface]
    PrivateKey = k2bLsMBfFgn4DqzwJN/cXWqI0NQml/uer0NeKfB/x5k=
    Address = 192.168.0.123/32
    DNS = 192.168.0.1
    [Peer]
    PublicKey = 4vGWBlflhLdiMKVMC7wowIosCzi9OQrB5VuZ3bQtf/U=
    AllowedIPs = 0.0.0.0/0
    Endpoint = 123.123.123.123:51820
---
apiVersion: v1
kind: Service
metadata:
  name: aria
spec:
  selector:
    app.kubernetes.io/name: aria
  ports:
    - name: rpc
      port: 6800
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aria
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: aria
  template:
    metadata:
      labels:
        app.kubernetes.io/name: aria
    spec:
      automountServiceAccountToken: false
      imagePullSecrets:
        - name: registry-image-pull
      containers:
        - name: aria
          image: registry.example.local/foobar/aria:v1
          resources:
            requests:
              cpu: 30m
              memory: 64Mi
          ports:
            - name: rpc
              containerPort: 6800
          volumeMounts:
            - name: config
              mountPath: /home/aria/config
            - name: data
              mountPath: /data
              subPath: download
        # Sidecar that brings up wg0 in the pod's shared network namespace
        - name: wireguard
          image: registry.example.local/foobar/wireguard:v1
          command: [ "/bin/bash", "-c", "--" ]
          args: [ "/usr/bin/wg-quick up /config/wg0.conf; sleep infinity" ]
          securityContext:
            # privileged: true already grants every capability, so the
            # capabilities list below is redundant while it is set
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          volumeMounts:
            - name: wg
              mountPath: /config
      volumes:
        - name: config
          configMap:
            name: aria-config
            items:
              - key: aria.conf
                path: aria.conf
        - name: wg
          configMap:
            name: aria-config
            items:
              - key: wg0.conf
                path: wg0.conf
        - name: data
          nfs:
            server: mynas
            path: /myshare
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: aria
spec:
  dnsNames:
    - ariang.example.local
  secretName: aria-certificate
  issuerRef:
    name: cert-manager-default-clusterissuer
    kind: ClusterIssuer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: aria
  annotations:
    link.argocd.argoproj.io/external-link: https://ariang.example.local
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`ariang.example.local`) && Path(`/jsonrpc`)
      kind: Rule
      services:
        - name: aria
          port: 6800
  tls:
    secretName: aria-certificate

FROM docker.io/library/debian:bullseye-slim

ARG UID=1000
# GID is arbitrarily chosen for my environment
ARG GID=1066

RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        aria2 && \
    rm -rf /var/lib/apt/lists

# Unprivileged user that aria2c runs as
RUN groupadd -g $GID aria && \
    useradd --create-home --home-dir /home/aria --shell /bin/bash -g $GID -u $UID aria && \
    touch /home/aria/sessions && \
    chmod 0700 /home/aria/sessions && \
    chown aria:aria /home/aria/sessions

COPY --chown=aria:aria aria.conf /home/aria/config/aria.conf

USER aria:aria
VOLUME /data
EXPOSE 6800/tcp

ENTRYPOINT [ "/usr/bin/aria2c" ]
CMD [ "--conf-path", "/home/aria/config/aria.conf" ]

FROM docker.io/library/debian:bullseye-slim

RUN apt-get update && apt-get install -y --no-install-recommends \
        openresolv \
        iptables \
        iproute2 \
        wireguard-tools \
        sed && \
    rm -rf /var/lib/apt/lists

# https://github.com/jordanpotter/docker-wireguard
# The net.ipv4.conf.all.src_valid_mark sysctl is set when running the Docker container, so don't have WireGuard also set it
RUN sed -i "s:sysctl -q net.ipv4.conf.all.src_valid_mark=1:echo Skipping setting net.ipv4.conf.all.src_valid_mark:" /usr/bin/wg-quick

ENTRYPOINT [ "/usr/bin/wg-quick" ]
CMD [ "up", "wg0" ]
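
The NetworkPolicy in this gist only works as a kill switch while its single egress rule matches the `Endpoint` in `wg0.conf`. The check below is an added example, not part of the original gist: it assumes the policy is available as the object returned by `kubectl get networkpolicy aria -o json`, and the function name and embedded sample inputs are constructed for illustration.

```python
import ipaddress
import json

# Added example; `policy` is assumed to be the parsed `kubectl get networkpolicy aria -o json` object.
def killswitch_findings(wg_conf: str, policy: dict) -> list:
    """List the ways the policy lets pod traffic bypass the tunnel (empty list: none)."""
    endpoints = set()  # (address, port) of every Endpoint line in the wg-quick config
    for line in wg_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "endpoint":
            host, _, port = value.strip().rpartition(":")
            try:
                endpoints.add((ipaddress.ip_address(host.strip("[]")), int(port)))
            except ValueError:
                return [f"Endpoint {value.strip()} is not a literal IP; ipBlock cannot pin it"]
    spec = policy.get("spec", {})
    if "Egress" not in spec.get("policyTypes", []):
        return ["policyTypes lacks Egress, so egress is unrestricted"]
    findings, covered = [], set()
    for rule in spec.get("egress", []):
        peers, ports = rule.get("to", []), rule.get("ports", [])
        if not peers or not ports:
            findings.append("egress rule without 'to' or 'ports' matches every peer or port")
        for peer in peers:
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr is None:
                findings.append("egress peer is a selector, not the VPN endpoint")
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            for p in ports:
                proto, target = p.get("protocol", "TCP"), (net.network_address, p.get("port"))
                if net.num_addresses == 1 and proto == "UDP" and target in endpoints:
                    covered.add(target)
                else:
                    findings.append(f"{cidr} {proto}/{p.get('port')} is not a WireGuard endpoint")
    findings += [f"endpoint {ip}:{port} is blocked, tunnel cannot start"
                 for ip, port in sorted(endpoints - covered, key=str)]
    return findings

# Constructed sample input mirroring the manifests on this page (private key omitted).
WG_CONF = "[Interface]\nAddress = 192.168.0.123/32\n[Peer]\nEndpoint = 123.123.123.123:51820\n"
POLICY = json.loads("""{"spec": {"policyTypes": ["Egress"], "egress": [
  {"to": [{"ipBlock": {"cidr": "123.123.123.123/32"}}],
   "ports": [{"protocol": "UDP", "port": 51820}]}]}}""")

if __name__ == "__main__":
    print(killswitch_findings(WG_CONF, POLICY) or "egress is pinned to the WireGuard endpoint")
```

An empty result means every egress rule is a single-host UDP rule for a configured endpoint; any other rule, or an endpoint the policy does not cover, is reported.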