feat(adguard): mount config-file for declarative configuration

2025-11-03 19:37:55 +00:00 · 2024-08-18 15:31:32 +02:00
parent 9dec025db7
commit 872f33c295
5 changed files with 92 additions and 34 deletions
--- a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
+++ b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml
@@ -4,9 +4,6 @@ http:
    enabled: false
  address: 0.0.0.0:3000
  session_ttl: 720h
-users:
-  - name: veh
-    password: $2a$10$/84M9f9064xOSmb3MGXBmuApKPhvXnRxMGjISmvAmkp85ViiMd5l.
 auth_attempts: 5
 block_auth_min: 15
 http_proxy: ""
@@ -23,15 +20,16 @@ dns:
  ratelimit_whitelist: [ ]
  refuse_any: true
  upstream_dns:
-    - https://dns10.quad9.net/dns-query
+    - 10.96.0.11
+    - udp://unbound.dns.svc.cluster.local:53
+    - tcp://unbound.dns.svc.cluster.local:53
  upstream_dns_file: ""
  bootstrap_dns:
-    - 9.9.9.10
-    - 149.112.112.10
-    - 2620:fe::10
-    - 2620:fe::fe:10
-  fallback_dns: []
-  upstream_mode: load_balance
+    - 10.96.0.10
+  fallback_dns:
+    - 1.1.1.1
+    - 9.9.9.9
+  upstream_mode: fastest_addr
  fastest_timeout: 1s
  allowed_clients: [ ]
  disallowed_clients: [ ]
@@ -142,7 +140,17 @@ filtering:
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
-  rewrites: []
+  rewrites:
+    - domain: '*.stonegarden.dev'
+      answer: 192.168.1.222
+    - domain: stonegarden.dev
+      answer: 192.168.1.222
+    - domain: plex.stonegarden.dev
+      answer: 192.168.1.228
+    - domain: jellyfin.stonegarden.dev
+      answer: 192.168.1.229
+    - domain: whoami.stonegarden.dev
+      answer: 192.168.1.223
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
--- a/k8s/infra/network/dns/adguard/deployment.yaml
+++ b/k8s/infra/network/dns/adguard/deployment.yaml
@@ -18,6 +18,35 @@ spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
+      initContainers:
+        - name: copy-base-config
+          image: busybox
+          command: [ "cp", "/tmp/AdGuardHome.yaml", "/opt/adguardhome/conf/AdGuardHome.yaml" ]
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          volumeMounts:
+            - name: config
+              mountPath: /tmp/AdGuardHome.yaml
+              subPath: AdGuardHome.yaml
+            - name: config-folder
+              mountPath: /opt/adguardhome/conf
+        - name: append-users
+          image: busybox
+          command: [ "sh", "-c", "cat /tmp/users.yaml >> /opt/adguardhome/conf/AdGuardHome.yaml" ]
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          volumeMounts:
+            - name: users
+              mountPath: /tmp/users.yaml
+              subPath: users.yaml
+            - name: config-folder
+              mountPath: /opt/adguardhome/conf
      containers:
        - name: adguard
          image: docker.io/adguard/adguardhome:v0.107.48 # renovate: docker=docker.io/adguard/adguardhome
@@ -47,12 +76,18 @@ spec:
              cpu: 500m
              memory: 256Mi
          volumeMounts:
-            - name: adguard-conf
+            - name: config-folder
              mountPath: /opt/adguardhome/conf
-            - name: adguard-work
+            - name: work-folder
              mountPath: /opt/adguardhome/work
      volumes:
-        - name: adguard-conf
+        - name: config
+          configMap:
+            name: adguard-config
+        - name: users
+          secret:
+            secretName: users
+        - name: config-folder
          emptyDir: { }
-        - name: adguard-work
+        - name: work-folder
          emptyDir: { }
--- a/k8s/infra/network/dns/adguard/kustomization.yaml
+++ b/k8s/infra/network/dns/adguard/kustomization.yaml
@@ -9,5 +9,6 @@ configMapGenerator:

 resources:
  - svc.yaml
+  - secret-users.yaml
  - deployment.yaml
  - http-route.yaml
--- a/k8s/infra/network/dns/adguard/secret-users.yaml
+++ b/k8s/infra/network/dns/adguard/secret-users.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: users
+  namespace: dns
+spec:
+  encryptedData:
+    users.yaml: AgDR07t8nqDB5CdVU1OUr6bFKHP766dk8alMNn1pbMQngS7lW5aas9gpwTxjayhIEdXlX76jC+LB8CrwL4FcFpuMaqJgqXZLFO5XOV2HKrA6jgoCnoGJtaVTvYfD2dHP426+sqSSVzDUglxCs5fmrLmaH2kUhZbUzbzVc6lQzQgqv4kZSU8VpDUZ35aE5QGUog35j8HmIKb4ieL9iL7qo1pdh2e/fKlMZ7TxwmL8eoHplnGePnI4JMMI5K4kOmMNZKm2w9Zg5/MQbtglA8Ws246z9ECMbmAojc4w1Crv2EKeghdzUiiuPALzfwoLVtCgYC5qrPmlm0VRhTBGm0eatxFXu9LWWOYGQvwgiRmBe/bxs7r3kXZfh59G2R/ehJikAEJtMocyOfixguKTcjxjgAPvLSctti7hMji67lbxWs3Mc00mG3t0JOWGyFpWcTIZ4g3c4zCMNGx9lrxZbVxrP8FuKWtc+1hGlgxHnyNMLyYUJXV3EDd2Kp5E5cN98991H0UeVKUvCMTXRCdfeKcaxI/E9PDzSAzy5ARKUb3LkYS3+LLvfgjY1BOXT5ZmkI+HhExgvZjsecT8H72qeHxFPX/bksM/oskBcLyYYkNePETKYiwTnipqCA+AGTqMh1bd5OgaalBvxTTqP5pfvuFeMHRrp0a90eMP//3Ibl8Ev2hN9eQtSu2Z4a/clD26HIHt2g+s+COUjdyPgCj9kEgAqrReTC2MdjrTIirAQJgcuIwMx/hPwKIt+9On6X3lzgdXBJNqN57z3PI5VjVRnEB2eS/wr7zKBI9apbfNOQkpitH5a+fdldaeBBf7N99YkZ6DBw2dfA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: users
+      namespace: dns
--- a/k8s/infra/network/dns/unbound/svc.yaml
+++ b/k8s/infra/network/dns/unbound/svc.yaml
@@ -5,6 +5,7 @@ metadata:
  namespace: dns
 spec:
  type: ClusterIP
+  # https://kubernetes.io/docs/concepts/services-networking/cluster-ip-allocation/
  clusterIP: 10.96.0.11
  ports:
    - name: dns