@romeg
Forked from red-avtovo/deployment.yaml
Created November 10, 2024 12:34
Marzban deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: marzban
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: marzban
  template:
    metadata:
      labels:
        app: marzban
    spec:
      hostname: marzban
      containers:
        - name: marzban
          # releases: https://github.com/Gozargah/Marzban/releases/tag/v0.7.0
          # https://github.com/Gozargah/Marzban/pkgs/container/marzban
          image: ghcr.io/gozargah/marzban:v0.7.0
          env:
            # TLS is terminated by uvicorn inside the pod, using the mounted cert Secret
            - name: UVICORN_SSL_CERTFILE
              value: "/certs/tls.crt"
            - name: UVICORN_SSL_KEYFILE
              value: "/certs/tls.key"
            - name: SQLALCHEMY_DATABASE_URL
              value: "sqlite:////var/lib/marzban/marzban.sqlite3"
            - name: XRAY_JSON
              value: "/var/lib/marzban/xray_config.json"
            - name: TELEGRAM_ADMIN_ID
              value: "12345678" #CHANGE_ME
            - name: XRAY_SUBSCRIPTION_URL_PREFIX
              value: "https://sub-example.com"
            - name: SUB_PROFILE_TITLE
              value: "Subscription"
          envFrom:
            # TELEGRAM_API_TOKEN comes from the Secret below, not from the manifest
            - secretRef:
                name: marzban
          volumeMounts:
            - name: volume
              mountPath: /var/lib/marzban
              subPath: marzban
            - name: cert
              mountPath: /certs
              readOnly: true
          ports:
            - name: web
              containerPort: 8000
              protocol: TCP
            - name: tls
              containerPort: 443
              protocol: TCP
            - name: shadow
              containerPort: 1080
              hostPort: 1080
              protocol: TCP
          resources:
            requests:
              memory: "300Mi"
              cpu: "50m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /dashboard/
              port: 8000
            initialDelaySeconds: 15
            timeoutSeconds: 5
      volumes:
        - name: volume
          persistentVolumeClaim:
            claimName: vpn
        - name: cert
          secret:
            secretName: example-com-tls # CHANGE_ME
---
apiVersion: v1
kind: Service
metadata:
  name: marzban
spec:
  selector:
    app: marzban
  ports:
    - name: web
      protocol: TCP
      port: 80
      targetPort: web
---
apiVersion: v1
kind: Service
metadata:
  name: marzban-tls
spec:
  selector:
    app: marzban
  ports:
    - name: tls
      protocol: TCP
      port: 443
      targetPort: tls
---
apiVersion: v1
kind: Secret
metadata:
  name: marzban
  namespace: tools
type: Opaque
data:
  # base64-encoded bot token; the Deployment reads it via envFrom
  TELEGRAM_API_TOKEN: #CHANGE_ME
# Panel exposure
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: marzban
  annotations:
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  # do not terminate TLS here, it is done by the service itself
  # tls:
  rules:
    - host: example.com #CHANGE_ME
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: marzban
                port:
                  name: web
# Subscription
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: marzban-sub
  annotations:
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  # do not terminate TLS here, it is done by the service itself
  # tls:
  rules:
    - host: sub-example.com # CHANGE_ME
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: marzban
                port:
                  name: web
# Reality
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: marzban-reality
  annotations:
    # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
    # external-dns only acts on Ingresses whose controller annotation is dns-controller (the default), so it skips this one
    external-dns.alpha.kubernetes.io/controller: "not-exposed"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  # do not terminate TLS here, it is done by the service itself
  rules:
    - host: google.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: marzban-tls
                port:
                  name: tls
    - host: mirror.yandex.ru
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: marzban-tls
                port:
                  name: tls
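A pre-apply gate for this manifest, added here as an example and not part of the gist: it refuses to ship while a CHANGE_ME marker remains, while the Secret's token value is empty or not base64, or while an Ingress is missing the ssl-passthrough annotation that the pod-side TLS termination above relies on. The helper names, the trimmed sample documents and the dummy token are this example's own.

```shell
#!/bin/sh
# Pre-apply gate for the manifest above: fails when a CHANGE_ME placeholder
# remains, a Secret data: value is empty or not base64 (the API server would
# reject it), or an Ingress lacks the ssl-passthrough annotation that the
# pod-terminated TLS setup depends on. Helper names are this example's own.
placeholders_left() {             # succeeds only when no marker is left
  ! grep -n 'CHANGE_ME' "$1"
}
secret_values_ok() {              # each data: entry of a Secret must be base64
  awk '
    /^---/ || /^kind:/ { in_secret = ($2 == "Secret"); in_data = 0 }
    in_secret && /^data:/ { in_data = 1; next }
    in_data && /^[^ ]/    { in_data = 0 }
    in_data && /^ +[A-Za-z0-9_.-]+:/ {
      val = $2; sub(/#.*/, "", val)    # drop a trailing comment
      if (val !~ /^[A-Za-z0-9+\/]+=*$/) { print "line " NR ": not base64"; bad = 1 }
    }
    END { exit bad + 0 }' "$1"
}
ingress_passthrough_ok() {        # TLS ends in the pod; nginx must not terminate it
  awk '
    function flush() {            # runs at every document boundary
      if (kind == "Ingress" && !pt) { print "Ingress before line " NR ": no ssl-passthrough"; bad = 1 }
      kind = ""; pt = 0
    }
    /^---/   { flush() }
    /^kind:/ { kind = $2 }
    /^ +nginx.ingress.kubernetes.io\/ssl-passthrough: "true"/ { pt = 1 }
    END { flush(); exit bad + 0 }' "$1"
}
check_manifest() { placeholders_left "$1" && secret_values_ok "$1" && ingress_passthrough_ok "$1"; }
# Constructed sample, trimmed to the fields the checks read:
# $1 = output path, $2 = TELEGRAM_API_TOKEN value, $3 = ssl-passthrough value.
write_sample() {
  cat > "$1" <<EOF
kind: Secret
data:
  TELEGRAM_API_TOKEN: $2
---
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "$3"
EOF
}
# Gate a real file when invoked as: sh gate.sh deployment.yaml
if [ "$#" -eq 1 ]; then check_manifest "$1"; fi
```

Wire it in front of kubectl apply in CI so a manifest with the author's placeholders or a non-base64 token never reaches the cluster.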