From 2b9630eb0445b9ef1cb85b1ecb9aa5395f10c15d Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Mon, 27 Apr 2026 13:20:35 +0200
Subject: [PATCH] chore(gluetun): Rework port forward

---
 k8s-wheatley/qbittorrent/configmap.yaml   | 22 ++++++++++++++--------
 k8s-wheatley/qbittorrent/deployments.yaml |  6 ++++++
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml
index 484d4d6..61c614d 100644
--- a/k8s-wheatley/qbittorrent/configmap.yaml
+++ b/k8s-wheatley/qbittorrent/configmap.yaml
@@ -9,20 +9,26 @@ data:
   VPN_TYPE: "wireguard"
   VPN_PORT_FORWARDING: on
   VPN_PORT_FORWARDING_PROVIDER: protonvpn
-  VPN_PORT_FORWARDING_UP_COMMAND: |
-    /bin/sh -c '
+  VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
+  VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
+  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
+  FIREWALL_INPUT_PORTS: "8112"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gluetun-scripts
+data:
+  port-up.sh: |
+    #!/bin/sh
     wget -O- --retry-connrefused \
       --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \
       http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
-  VPN_PORT_FORWARDING_DOWN_COMMAND: |
-    /bin/sh -c '
+  port-down.sh: |
+    #!/bin/sh
     wget -O- --retry-connrefused \
       --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \
       http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
-  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
-  FIREWALL_INPUT_PORTS: "8112"
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml
index 0e1600b..5dba05a 100644
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@@ -33,6 +33,8 @@ spec:
             - mountPath: "/gluetun/wireguard"
               name: gluetun-wgconfig
               readOnly: true
+            - name: gluetun-scripts
+              mountPath: /scripts
             - name: gluetun-tmp
               mountPath: /tmp/gluetun
           restartPolicy: Always
@@ -128,6 +130,10 @@ spec:
         - name: gluetun-wgconfig
           secret:
             secretName: gluetun-wgconfig
+        - name: gluetun-scripts
+          configMap:
+            name: gluetun-scripts
+            defaultMode: 0755
         - name: gluetun-tmp
           emptyDir: {}
         - name: nfs-media