feat(nzbget): route NNTP through gluetun VPN sidecar; drop dead HTTP proxy

nzbget's usenet downloads (NNTP/563) were egressing DIRECT: the HTTP_PROXY env
pointed at a standalone gluetun that isn't even running, and NNTP ignores HTTP
proxies anyway. Adopt the qbittorrent pattern instead: run gluetun as a sidecar
in the nzbget pod so the shared netns + kill-switch force ALL traffic through
the tunnel, regardless of protocol.

- Add gluetun sidecar (own AirVPN device via gluetun-wireguard-nzbget secret,
  FIREWALL_INPUT_PORTS=6789 to keep the WebUI reachable, DOT=off + DNS_ADDRESS
  per the AirVPN-blocks-DoT gotcha).
- Remove the useless HTTP_PROXY/NO_PROXY envs from nzbget.
- Delete the standalone gluetun chart/values/application (was not running; only
  nzbget referenced it).

Trade-off: if the tunnel drops, downloads stop (no leak) rather than falling
back to direct — same behaviour as qbittorrent.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

helm-values/nzbget_values.yaml

@@ -12,16 +12,76 @@ env:
     value: "1000"
   - name: TZ
     value: "Europe/Amsterdam"
-  - name: HTTP_PROXY
-    value: "http://gluetun.default.svc.cluster.local:8888"
-  - name: http_proxy
-    value: "http://gluetun.default.svc.cluster.local:8888"
-  - name: HTTPS_PROXY
-    value: "http://gluetun.default.svc.cluster.local:8888"
-  - name: https_proxy
-    value: "http://gluetun.default.svc.cluster.local:8888"
-  - name: NO_PROXY
-    value: "localhost,127.0.0.1,.svc,.cluster.local"
+
+# gluetun runs as a sidecar in this pod (same pattern as qbittorrent): it shares
+# the pod network namespace and installs the WireGuard tunnel + a kill-switch, so
+# ALL of nzbget's traffic — including NNTP (port 563) to newshosting — egresses
+# through the VPN. (An HTTP proxy can't cover NNTP, which is why the old
+# HTTP_PROXY-to-standalone-gluetun approach left usenet downloads going direct.)
+# Uses its own AirVPN device/secret (gluetun-wireguard-nzbget) to avoid sharing a
+# WireGuard IP with the qbittorrent tunnel. Keep DOT=off + DNS_ADDRESS — see the
+# AirVPN-blocks-DoT gotcha in CLAUDE.md.
+gluetun:
+  image:
+    repository: qmcgaw/gluetun
+    tag: v3.41.1
+    pullPolicy: IfNotPresent
+  env:
+    - name: VPN_SERVICE_PROVIDER
+      value: "airvpn"
+    - name: VPN_TYPE
+      value: "wireguard"
+    - name: WIREGUARD_PRIVATE_KEY
+      valueFrom:
+        secretKeyRef:
+          name: gluetun-wireguard-nzbget
+          key: WIREGUARD_PRIVATE_KEY
+    - name: WIREGUARD_PRESHARED_KEY
+      valueFrom:
+        secretKeyRef:
+          name: gluetun-wireguard-nzbget
+          key: WIREGUARD_PRESHARED_KEY
+    - name: WIREGUARD_ADDRESSES
+      value: "10.166.207.220/32,fd7d:76ee:e68f:a993:bd5e:ddfc:ad2c:d30c/128"
+    - name: SERVER_COUNTRIES
+      value: "Netherlands"
+    - name: DOT
+      value: "off"
+    - name: DNS_ADDRESS
+      value: "10.128.0.1"
+    - name: FIREWALL_INPUT_PORTS
+      value: "6789"
+    - name: TZ
+      value: "Europe/Amsterdam"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      add:
+        - NET_ADMIN
+  livenessProbe:
+    tcpSocket:
+      port: 8000
+    initialDelaySeconds: 10
+    periodSeconds: 20
+    timeoutSeconds: 2
+    failureThreshold: 3
+  readinessProbe:
+    tcpSocket:
+      port: 8000
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 2
+    failureThreshold: 3
+  resources:
+    requests:
+      memory: 128Mi
+      cpu: 100m
+    limits:
+      memory: 512Mi
+      cpu: 500m
+  volumeMounts:
+    - name: dev-tun
+      mountPath: "/dev/net/tun"
 
 # nzbget cannot read server credentials from environment variables (its
 # ${...} config syntax only references other nzbget options, not env). So an
@@ -76,6 +136,9 @@ volumes:
   - name: plex-data
     persistentVolumeClaim:
       claimName: "plex-data"
+  - name: dev-tun
+    hostPath:
+      path: /dev/net/tun
 
 volumeMounts:
   - name: plex-data