diff --git a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
index bedfa27..5c3cc3b 100644
--- a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
+++ b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
@@ -4,9 +4,6 @@ http:
     enabled: false
   address: 0.0.0.0:3000
   session_ttl: 720h
-users:
-  - name: veh
-    password: $2a$10$/84M9f9064xOSmb3MGXBmuApKPhvXnRxMGjISmvAmkp85ViiMd5l.
 auth_attempts: 5
 block_auth_min: 15
 http_proxy: ""
@@ -20,21 +17,22 @@ dns:
   ratelimit: 20
   ratelimit_subnet_len_ipv4: 24
   ratelimit_subnet_len_ipv6: 56
-  ratelimit_whitelist: []
+  ratelimit_whitelist: [ ]
   refuse_any: true
   upstream_dns:
-    - https://dns10.quad9.net/dns-query
+    - 10.96.0.11
+    - udp://unbound.dns.svc.cluster.local:53
+    - tcp://unbound.dns.svc.cluster.local:53
   upstream_dns_file: ""
   bootstrap_dns:
-    - 9.9.9.10
-    - 149.112.112.10
-    - 2620:fe::10
-    - 2620:fe::fe:10
-  fallback_dns: []
-  upstream_mode: load_balance
+    - 10.96.0.10
+  fallback_dns:
+    - 1.1.1.1
+    - 9.9.9.9
+  upstream_mode: fastest_addr
   fastest_timeout: 1s
-  allowed_clients: []
-  disallowed_clients: []
+  allowed_clients: [ ]
+  disallowed_clients: [ ]
   blocked_hosts:
     - version.bind
     - id.server
@@ -46,7 +44,7 @@ dns:
   cache_ttl_min: 0
   cache_ttl_max: 0
   cache_optimistic: false
-  bogus_nxdomain: []
+  bogus_nxdomain: [ ]
   aaaa_disabled: false
   enable_dnssec: false
   edns_client_subnet:
@@ -55,15 +53,15 @@ dns:
     use_custom: false
   max_goroutines: 300
   handle_ddr: true
-  ipset: []
+  ipset: [ ]
   ipset_file: ""
   bootstrap_prefer_ipv6: false
   upstream_timeout: 10s
-  private_networks: []
+  private_networks: [ ]
   use_private_ptr_resolvers: true
-  local_ptr_upstreams: []
+  local_ptr_upstreams: [ ]
   use_dns64: false
-  dns64_prefixes: []
+  dns64_prefixes: [ ]
   serve_http3: false
   use_http3_upstreams: false
   serve_plain_dns: true
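Review bot: Removing the `users` block from the committed config does not undo the exposure of the `veh` bcrypt hash, which stays in git history (blob bedfa27) and is cost-10 bcrypt, so an offline guessing attack against it is feasible; the password should be rotated when the SealedSecret is created rather than re-sealing the same hash. The hunk is cut inside the `http:` block, so the pprof and bind-address settings above it are outside this view. I would also leave a pointer where the block used to be, e.g. `# users: block is appended at pod start from the users SealedSecret (see deployment.yaml initContainers)`, since a reader of this file otherwise sees no admin account defined at all.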
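Review bot: `fallback_dns` now lists `1.1.1.1` and `9.9.9.9` as bare IPs, i.e. plain UDP/TCP on port 53, while the upstream it replaces was DoH (`https://dns10.quad9.net/dns-query`); whenever the unbound service is unreachable, client queries leave the cluster unencrypted and unauthenticated. AdGuardHome accepts encrypted forms here as well, so `- tls://1.1.1.1` and `- tls://9.9.9.9` keep the previous transport property without needing a bootstrap lookup, since they are IP literals. The three `upstream_dns` entries also appear to be the same backend three times — `10.96.0.11` is the clusterIP the unbound Service is given in this same change — and with `upstream_mode: fastest_addr` AdGuardHome, per that mode's documented behaviour, sends each query to every upstream, so unbound receives up to three copies of every lookup; one entry, or just the udp/tcp pair, would do. Note that `enable_dnssec: false` a few lines below is unchanged, so answers from neither the cluster resolver nor the fallback are validated at this hop.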
@@ -85,14 +83,14 @@ tls:
   strict_sni_check: false
 querylog:
   dir_path: ""
-  ignored: []
+  ignored: [ ]
   interval: 2160h
   size_memory: 1000
   enabled: true
   file_enabled: true
 statistics:
   dir_path: ""
-  ignored: []
+  ignored: [ ]
   interval: 24h
   enabled: true
 filters:
@@ -104,8 +102,8 @@ filters:
     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
     name: AdAway Default Blocklist
     id: 2
-whitelist_filters: []
-user_rules: []
+whitelist_filters: [ ]
+user_rules: [ ]
 dhcp:
   enabled: false
   interface_name: ""
@@ -117,7 +115,7 @@ dhcp:
     range_end: ""
     lease_duration: 86400
     icmp_timeout_msec: 1000
-    options: []
+    options: [ ]
   dhcpv6:
     range_start: ""
     lease_duration: 86400
@@ -129,7 +127,7 @@ filtering:
   blocked_services:
     schedule:
       time_zone: UTC
-    ids: []
+    ids: [ ]
   protection_disabled_until: null
   safe_search:
     enabled: false
@@ -142,7 +140,17 @@ filtering:
   blocking_mode: default
   parental_block_host: family-block.dns.adguard.com
   safebrowsing_block_host: standard-block.dns.adguard.com
-  rewrites: []
+  rewrites:
+    - domain: '*.stonegarden.dev'
+      answer: 192.168.1.222
+    - domain: stonegarden.dev
+      answer: 192.168.1.222
+    - domain: plex.stonegarden.dev
+      answer: 192.168.1.228
+    - domain: jellyfin.stonegarden.dev
+      answer: 192.168.1.229
+    - domain: whoami.stonegarden.dev
+      answer: 192.168.1.223
   safebrowsing_cache_size: 1048576
   safesearch_cache_size: 1048576
   parental_cache_size: 1048576
@@ -160,7 +168,7 @@ clients:
     rdns: true
     dhcp: true
     hosts: true
-  persistent: []
+  persistent: [ ]
 log:
   file: ""
   max_backups: 0
diff --git a/k8s/infra/network/dns/adguard/deployment.yaml b/k8s/infra/network/dns/adguard/deployment.yaml
index b58bb97..27a9cd4 100644
--- a/k8s/infra/network/dns/adguard/deployment.yaml
+++ b/k8s/infra/network/dns/adguard/deployment.yaml
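Review bot: The new `rewrites` list depends on two matching rules that are not written down: the `*.stonegarden.dev` wildcard does not cover the apex (hence the separate `stonegarden.dev` entry), and — as far as I recall AdGuardHome's rewrite matching — an exact-name entry such as `plex.stonegarden.dev` wins over the wildcard regardless of list order. A reader could reorder or drop an entry without noticing either dependency. I would put above the list `# exact-name entries override the wildcard; the apex is listed separately because '*.stonegarden.dev' does not match it`. It is also worth stating that every otherwise-unknown `*.stonegarden.dev` name now resolves to 192.168.1.222, presumably the ingress, since that is the effect of the wildcard entry.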
@@ -18,14 +18,43 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+      initContainers:
+        - name: copy-base-config
+          image: busybox
+          command: [ "cp", "/tmp/AdGuardHome.yaml", "/opt/adguardhome/conf/AdGuardHome.yaml" ]
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          volumeMounts:
+            - name: config
+              mountPath: /tmp/AdGuardHome.yaml
+              subPath: AdGuardHome.yaml
+            - name: config-folder
+              mountPath: /opt/adguardhome/conf
+        - name: append-users
+          image: busybox
+          command: [ "sh", "-c", "cat /tmp/users.yaml >> /opt/adguardhome/conf/AdGuardHome.yaml" ]
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          volumeMounts:
+            - name: users
+              mountPath: /tmp/users.yaml
+              subPath: users.yaml
+            - name: config-folder
+              mountPath: /opt/adguardhome/conf
       containers:
         - name: adguard
           image: docker.io/adguard/adguardhome:v0.107.48 # renovate: docker=docker.io/adguard/adguardhome
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
-# capabilities:
-# drop: [ "ALL" ]
+          # capabilities:
+          # drop: [ "ALL" ]
           ports:
             - name: dns-tcp
               containerPort: 53
@@ -47,12 +76,18 @@ spec:
               cpu: 500m
               memory: 256Mi
           volumeMounts:
-            - name: adguard-conf
+            - name: config-folder
               mountPath: /opt/adguardhome/conf
-            - name: adguard-work
+            - name: work-folder
               mountPath: /opt/adguardhome/work
       volumes:
-        - name: adguard-conf
-          emptyDir: {}
-        - name: adguard-work
-          emptyDir: {}
+        - name: config
+          configMap:
+            name: adguard-config
+        - name: users
+          secret:
+            secretName: users
+        - name: config-folder
+          emptyDir: { }
+        - name: work-folder
+          emptyDir: { }
diff --git a/k8s/infra/network/dns/adguard/kustomization.yaml b/k8s/infra/network/dns/adguard/kustomization.yaml
index f57b048..15fa1d3 100644
--- a/k8s/infra/network/dns/adguard/kustomization.yaml
+++ b/k8s/infra/network/dns/adguard/kustomization.yaml
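Review bot: The main `adguard` container still leaves `capabilities: drop: [ "ALL" ]` commented out (the hunk only re-indents the comment), so it runs with the container runtime's default capability set while both new init containers drop everything; if the blocker is binding `containerPort: 53`, the usual fix is `drop: [ "ALL" ]` plus `add: [ "NET_BIND_SERVICE" ]` rather than keeping the full default set. Both init containers also use `image: busybox` with no tag or digest, so the image that copies and appends the credentials file is whatever `latest` resolves to at pull time — pin it by tag and digest the way the adguard image is pinned with a renovate comment. The append step `cat /tmp/users.yaml >> /opt/adguardhome/conf/AdGuardHome.yaml` silently depends on the ConfigMap's AdGuardHome.yaml ending in a newline and on users.yaml being a top-level `users:` block; a one-line comment on the `append-users` container saying so would save the next person a crash-looping pod. The pod spec starts before this hunk, so whether `runAsNonRoot`/`runAsUser` are set for the pod is not visible here.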
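Review bot: After `append-users` runs, the `config-folder` emptyDir holds the decoded `users.yaml` (the admin bcrypt hash) alongside the base config, and an emptyDir with no `medium` is backed by node disk, unlike the `users` Secret volume, which kubelet mounts on tmpfs. Setting `emptyDir: { medium: Memory }` for `config-folder` keeps the merged config off the node's disk; `work-folder` can stay as it is. The `volumeMounts` at the top of this hunk belong to the `adguard` container, whose definition starts before the hunk.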
@@ -9,5 +9,6 @@ configMapGenerator:
 
 resources:
   - svc.yaml
+  - secret-users.yaml
   - deployment.yaml
   - http-route.yaml
diff --git a/k8s/infra/network/dns/adguard/secret-users.yaml b/k8s/infra/network/dns/adguard/secret-users.yaml
new file mode 100644
index 0000000..14a676e
--- /dev/null
+++ b/k8s/infra/network/dns/adguard/secret-users.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: users
+  namespace: dns
+spec:
+  encryptedData:
+    users.yaml: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: users
+      namespace: dns
diff --git a/k8s/infra/network/dns/unbound/svc.yaml b/k8s/infra/network/dns/unbound/svc.yaml
index 28cb992..a70cb3e 100644
--- a/k8s/infra/network/dns/unbound/svc.yaml
+++ b/k8s/infra/network/dns/unbound/svc.yaml
@@ -5,6 +5,7 @@ metadata:
   namespace: dns
 spec:
   type: ClusterIP
+  # https://kubernetes.io/docs/concepts/services-networking/cluster-ip-allocation/
   clusterIP: 10.96.0.11
   ports:
     - name: dns
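Review bot: The `users.yaml` value under `encryptedData` is consumed verbatim — deployment.yaml appends it to AdGuardHome.yaml with `cat … >>` — but nothing in this file says what shape it must have, and a sealed value cannot be inspected after the fact to find out. I would add above `encryptedData`: `# users.yaml: a complete top-level AdGuardHome users: block (name + bcrypt password hash), appended as-is to AdGuardHome.yaml by the append-users initContainer`. With the default SealedSecret scope this ciphertext is bound to name `users` in namespace `dns`, so renaming either requires re-sealing; the Secret name is also generic enough that noting it is referenced from deployment.yaml (`secretName: users`) would help the next maintainer.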