feat(network): Creating an auxiliary deployment of network tools

Backup Pi-Hole DNS and cloudflared tunnel
Vegard Hagen
2023-07-26 20:15:17 +02:00
parent 03bab47e17
commit d0986d5ee1
19 changed files with 323 additions and 3 deletions


@@ -0,0 +1,15 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: traefik-forward-auth-secrets
namespace: net-aux
spec:
encryptedData:
google-client-id: AgCGsF+yfAWt9/Typgamv0TT+iS/fcNNej7M55V2otWkGqlxrqAJHjzdftprZGlVLirB7eEsQ06qNNgjXxni7MJnJvjuCUO+tTNmXTvxnDY9NF/k6yvoNul719amn4ovajPY4IgRVQeZPE3V6ov2CsubG2sli/FbujuCwsv8RI6/G5c8ghhLWnYQcfYPtFtBAnKZ/hK9fL+N+I/Xg/rrpAG2sgg2YyWwRfyWBECRE11wNMRHKe9Yx28JjLRFkOttTJeGVc/aK/GweR2Ji1yB0xhoNn0a5ozRWcdwQgXxQuzmzi9OjyqE0LwnsWIKvKa6IKrLJW+weS+mOVTIiDbxCPohaoNRn60LfKFUeNzyfKCX6kl9YQp7EfRNRc89sU2bGUEUKjmVZ/KDIDZl7bgJTus1xylo8YUlYKLmhoF8wy1JC/MfXr6e8Hm+RRLVjcBlrWYjCgl9HPuArn1ChjuqGAJJn0n2tklxbzYcYnt1h/uh2QkbE7eatu/NLadV4+SHRb/St0u/vnvikZgGwlamsf3KH2sXGr/DxZjWan+avCTZE5SjRn66B6K6ipAVDi0/dG7M3uuF/E7J6priSBZ1srcqlB3MKsgal/GQCwd5pS8BPuU7FslCy0y6LI03/F1dU1p/xqfQ5x92pVyTNi7nB5H311+ltZVp77Bxh1nYuk64GyOAD9+uYxBUP0xYcx0LfRDDH4xxiul64uWDM4sAiQKQZfWWGuh2THvm2lCoU2JN6PT7j0kqcPQ3y21bmTPuujMHA44BcG/4KEhRseG5eIA/FiTk8gxNCd4=
google-client-secret: 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
secret: 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
template:
metadata:
name: traefik-forward-auth-secrets
namespace: net-aux


@@ -0,0 +1,7 @@
name: auth
namespace: net-aux
authOnly: true
auth:
cookieDomain: stonegarden.dev
whitelist:
- veghag@gmail.com
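Review bot: `cookieDomain: stonegarden.dev` scopes the forward-auth session cookie to the apex, so every host under stonegarden.dev receives it, including any service in that zone that does not sit behind this middleware; an XSS or a misconfigured vhost anywhere in the zone can then replay the cookie to reach the Pi-hole UI. If only the net-aux host and the auth host need it, narrow the domain to those; otherwise make sure every host in the zone is either behind forward-auth or serves no user-controlled content, and say so in a comment, e.g. `# cookie is shared by every *.stonegarden.dev host — keep them all behind forward-auth`. The single-address `whitelist` is the only authorisation check here, so it should stay an explicit allow-list rather than a domain match.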


@@ -0,0 +1,2 @@
metrics: 0.0.0.0:2000
no-autoupdate: true
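Review bot: `metrics: 0.0.0.0:2000` binds the metrics and `/ready` endpoint on every interface of the pod, which the kubelet `httpGet` liveness probe in deployment.yaml needs, but it also makes tunnel metrics readable by any pod in the cluster (and from the LAN if pod IPs are routable), and nothing in this commit restricts that. Either add a NetworkPolicy that admits port 2000 only from the node range, or record the decision next to the setting: `# 0.0.0.0 is required because kubelet probes /ready on the pod IP; restrict with a NetworkPolicy`. `no-autoupdate: true` is the right choice in a container, which means the image tag in deployment.yaml is the only thing controlling which cloudflared build runs.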


@@ -0,0 +1,2 @@
address=/stonegarden.dev/192.168.1.128
address=/stonegarden.lan/192.168.1.128
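Review bot: `address=/stonegarden.dev/192.168.1.128` is a wildcard in dnsmasq: it answers 192.168.1.128 for the apex and every name below it, including names that have no public record, so any hostname in the zone that is only reachable through the Cloudflare tunnel rather than the internal ingress at .128 becomes unreachable for clients using this resolver. If that split-horizon is intended, a one-line comment stating it would help the next reader; otherwise list the internal hosts explicitly, e.g. `address=/net-aux.stonegarden.dev/192.168.1.128`.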


@@ -0,0 +1,10 @@
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
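Review bot: All ten lists are fetched unpinned from third-party `master` branches and a public S3 bucket on every gravity update with no checksum or pinning. Because Pi-hole discards the address column of hosts-format lists, a compromised upstream cannot redirect traffic, but it can block arbitrary domains and so take down name resolution for the whole LAN; that availability risk is worth recording beside the list, e.g. `# unpinned upstreams: a bad list can over-block but not redirect (Pi-hole ignores the IP field)`, with anything critical kept in whitelist.txt. This assumes the 2023.05.2 image still imports a mounted `adlists.list` into gravity.db on first start, which the emptyDir config volume makes happen on every restart — worth confirming.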


@@ -0,0 +1,2 @@
MAXDBDAYS=200
LOGFILE=/var/log/pihole/pihole-FTL.log
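Review bot: `MAXDBDAYS=200` has no effect as committed: the `ftl-conf` ConfigMap is generated by the kustomization, but its mount in deployment.yaml is commented out, and `/etc/pihole` is an `emptyDir`, so the query database is discarded on every restart anyway. If the file is meant to apply, re-enable the mount and back the config volume with a PVC; and 200 days of per-client DNS history is a long retention window for what is effectively a browsing log of everyone on the LAN — a backup resolver rarely needs more than a few days, and `PRIVACYLEVEL` can drop client identities if the history is not needed at all.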


@@ -0,0 +1,2 @@
ichnaea.netflix.com
nrdp.nccp.netflix.com


@@ -0,0 +1,140 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: net-aux
name: net-aux
namespace: net-aux
spec:
replicas: 1
selector:
matchLabels:
app: net-aux
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
app: net-aux
spec:
dnsPolicy: None
dnsConfig:
nameservers:
- 127.0.0.1
containers:
- name: pi-hole
image: pihole/pihole:2023.05.2
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: pi-hole-env
ports:
- name: dns-tcp
containerPort: 53
protocol: TCP
- name: dns-udp
containerPort: 53
protocol: UDP
- name: dchp
containerPort: 67
protocol: UDP
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
resources:
requests:
cpu: "20m"
memory: "512Mi"
limits:
cpu: "250m"
memory: "896Mi"
livenessProbe:
tcpSocket:
port: dns-tcp
initialDelaySeconds: 60
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
exec:
command:
- 'dig'
- '@127.0.0.1'
- 'github.com'
initialDelaySeconds: 60
failureThreshold: 3
timeoutSeconds: 5
volumeMounts:
- name: config
mountPath: /etc/pihole
- name: custom-dnsmasq
mountPath: /etc/dnsmasq.d/02-custom.conf
subPath: 02-custom.conf
#- name: ftl-conf
# mountPath: /etc/pihole/pihole-FTL.conf
# subPath: pihole-FTL.conf
- name: ad-lists
mountPath: /etc/pihole/adlists.list
subPath: adlists.list
- name: regex
mountPath: /etc/pihole/regex.list
subPath: regex.list
- name: whitelist
mountPath: /etc/pihole/whitelist.txt
subPath: whitelist.txt
- name: cloudflared
image: cloudflare/cloudflared:latest
args:
- tunnel
- --config
- /etc/cloudflared/config/config.yaml
- run
livenessProbe:
httpGet:
path: /ready
port: 2000
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
env:
- name: TUNNEL_TOKEN
valueFrom:
secretKeyRef:
key: tunnel-token
name: tunnel-token
volumeMounts:
- name: cloudflared-config
mountPath: /etc/cloudflared/config/config.yaml
subPath: config.yaml
restartPolicy: Always
volumes:
- name: config
emptyDir: {}
# persistentVolumeClaim:
# claimName: pi-hole-config
- name: custom-dnsmasq
configMap:
name: custom-dnsmasq
#- name: ftl-conf
# configMap:
# name: ftl-conf
- name: ad-lists
configMap:
name: adlists.list
- name: regex
configMap:
name: regex.list
- name: whitelist
configMap:
name: whitelist.txt
- name: cloudflared-config
configMap:
name: cloudflared-config
- name: tunnel-token
secret:
secretName: tunnel-token
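Review bot: `image: cloudflare/cloudflared:latest` is unpinned while pi-hole is pinned to `pihole/pihole:2023.05.2`, so any pod restart may pull a different build of the component that holds the tunnel credential; pin it to a release tag or digest. Neither container sets a `securityContext` and the pod does not set `automountServiceAccountToken: false`, although nothing in this manifest talks to the Kubernetes API. The official cloudflared image runs as a non-root user, so that container can at least drop all capabilities and forbid privilege escalation; pi-hole likely needs root for ports 53/67 in this image, so leave it and verify separately. `dnsPolicy: None` with only `127.0.0.1` makes cloudflared's own edge lookups depend on the pi-hole container in the same pod, and with `failureThreshold: 1` on its liveness probe a pi-hole restart probably cascades into a cloudflared restart — worth confirming. The port name `dchp` is a typo for `dhcp`, and DHCP on 67/UDP generally cannot serve a LAN from a pod network without `hostNetwork`, so the port is likely dead weight.

```yaml
    spec:
      automountServiceAccountToken: false
      # … unchanged: dnsPolicy, dnsConfig …
      containers:
        # … unchanged: pi-hole container …
        - name: cloudflared
          image: cloudflare/cloudflared:latest  # TODO: pin to a release tag or @sha256 digest
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: args, livenessProbe, env, volumeMounts …
```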


@@ -0,0 +1,18 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: net-aux
spec:
entryPoints:
- websecure
routes:
- match: Host(`net-aux.stonegarden.dev`)
kind: Rule
services:
- name: pi-hole-web
port: http
middlewares:
- name: traefik-forward-auth
tls:
store:
name: cloudflare-tls
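Review bot: The route's only protection is the middleware reference `traefik-forward-auth`, which Traefik resolves in the IngressRoute's own namespace (net-aux after the kustomization's `namespace:`), and nothing in this commit defines a Middleware by that name, so it presumably comes from the `auth` Helm release. Confirm the rendered name and namespace: if Traefik cannot resolve the middleware it drops the router, which fails closed but surfaces only as a Traefik log error rather than a deploy failure. Making the dependency explicit with `- name: traefik-forward-auth` / `namespace: net-aux` under `middlewares` avoids a silent break if the release moves.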


@@ -0,0 +1,44 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: net-aux
commonLabels:
app: pi-hole
configMapGenerator:
- name: pi-hole-env
envs:
- config/pi-hole/env
- name: ftl-conf
files:
- config/pi-hole/pihole-FTL.conf
- name: custom-dnsmasq
files:
- config/pi-hole/02-custom.conf
- name: adlists.list
files:
- config/pi-hole/adlists.list
- name: regex.list
files:
- config/pi-hole/regex.list
- name: whitelist.txt
files:
- config/pi-hole/whitelist.txt
- name: cloudflared-config
files:
- config/cloudflared/config.yaml
resources:
- namespace.yaml
- auth-secret.yaml
- tunnel-token.yaml
- ingress-route.yaml
- service.yaml
- deployment.yaml
helmGlobals:
chartHome: ../../charts
helmCharts:
- name: application
releaseName: auth
valuesFile: auth-values.yaml
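Review bot: `commonLabels: app: pi-hole` collides with deployment.yaml, whose labels and `selector.matchLabels` use `app: net-aux`; kustomize injects commonLabels into selectors as well, and a Deployment selector is immutable once created, so check the rendered output before applying (or use `labels:` with `includeSelectors: false` on kustomize versions that support it). The `ftl-conf` ConfigMap is generated but the Deployment's mount for it is commented out, leaving an unused object; either drop the generator entry or re-enable the mount so `pihole-FTL.conf` actually applies.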


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: net-aux
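Review bot: The namespace is created without Pod Security Admission labels, so any workload later placed in net-aux may request `hostNetwork`, `privileged` or `hostPath`. The Deployment in this commit adds no capabilities and uses none of those, so `pod-security.kubernetes.io/enforce: baseline` (and `pod-security.kubernetes.io/warn: restricted`) under `metadata.labels` should not break it — baseline still permits the default capability set including NET_BIND_SERVICE, which is what pi-hole on port 53 would rely on; verify against the pi-hole image before enforcing.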


@@ -0,0 +1,53 @@
---
kind: Service
apiVersion: v1
metadata:
name: pi-hole-dns-udp
namespace: pi-hole
annotations:
metallb.universe.tf/allow-shared-ip: net-aux
spec:
selector:
app: pi-hole
ports:
- name: dns-udp
port: 53
protocol: UDP
targetPort: dns-udp
type: LoadBalancer
---
kind: Service
apiVersion: v1
metadata:
name: pi-hole-dns-tcp
namespace: pi-hole
annotations:
metallb.universe.tf/allow-shared-ip: net-aux
spec:
selector:
app: pi-hole
ports:
- name: dns-tcp
port: 53
protocol: TCP
targetPort: dns-tcp
type: LoadBalancer
---
kind: Service
apiVersion: v1
metadata:
name: pi-hole-web
namespace: pi-hole
annotations:
metallb.universe.tf/allow-shared-ip: net-aux
spec:
selector:
app: pi-hole
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
type: LoadBalancer
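Review bot: `pi-hole-web` is `type: LoadBalancer` on the shared MetalLB IP, so the admin UI on 80/443 is reachable from the LAN directly and bypasses the `traefik-forward-auth` middleware that this commit's IngressRoute puts in front of it; only the two DNS services need an external IP. Change the web service to `type: ClusterIP` and drop its `metallb.universe.tf/allow-shared-ip` annotation so the only path to the UI is through Traefik. The `namespace: pi-hole` on all three Services is overwritten by the kustomization's `namespace: net-aux`, but it reads like a leftover from the primary deployment; remove it so the manifest states where it is actually applied.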


@@ -0,0 +1,14 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: tunnel-token
namespace: net-aux
spec:
encryptedData:
tunnel-token: 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
template:
metadata:
name: tunnel-token
namespace: net-aux
type: Opaque

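--- a/infra/pi-hole/config/env
+++ b/infra/pi-hole/config/env
@@ -0,0 +1,7 @@
+TZ=Europe/Oslo
+DNSMASQ_LISTENING=all
+WEBPASSWORD=password
+DNS1=1.1.1.1
+DNS2=8.8.8.8
+VIRTUAL_HOST=pi.hole
+WEB_PORT=80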
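Review bot: `WEBPASSWORD=password` is committed to git and rendered into the `pi-hole-env` ConfigMap, and it is the admin password of a web UI that this repo exposes on a LoadBalancer IP (at least for net-aux; the primary deployment's Service is outside this view). The other credentials in this commit are SealedSecrets, so this one should be too: drop the line here and inject it with `valueFrom: secretKeyRef:` in the container's `env`, or leave it unset so the image generates a random password that is then rotated with `pihole -a -p`. I believe `DNS1`/`DNS2` have been deprecated by the pihole image in favour of `PIHOLE_DNS_`; confirm that 2023.05.2 still honours them rather than silently falling back to its defaults.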


@@ -1,2 +0,0 @@
(^|\.)twitch\.tv$
(^|\.)youtube\.com$


@@ -7,7 +7,7 @@ commonLabels:
configMapGenerator:
- name: pi-hole-env
envs:
- config/pi-hole-env
- config/env
- name: ftl-conf
files:
- config/pihole-FTL.conf


@@ -24,6 +24,8 @@ spec:
server: '*'
- namespace: 'pi-hole'
server: '*'
- namespace: 'net-aux'
server: '*'
- namespace: 'traefik-system'
server: '*'
- namespace: 'kube-system'
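Review bot: The new destination uses `server: '*'`, matching the existing entries, but that lets the project deploy net-aux into any cluster registered later rather than only the one it targets today. If this is an Argo CD AppProject (the kind is outside the hunk) and only the in-cluster API is intended, `server: https://kubernetes.default.svc` on the new entry is the narrower form; keeping `'*'` is defensible only if the existing wildcard entries are themselves a deliberate choice.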