381 lines
10 KiB
YAML
381 lines
10 KiB
YAML
|
image:
|
||
|
repository: spx01/blocky
|
||
|
tag: v0.23@sha256:24855b63986c790093554a1f62b58379a06bc10a90ee073906e7c39bf692adcc
|
||
|
pullPolicy: IfNotPresent
|
||
|
k8sgatewayImage:
|
||
|
repository: quay.io/oriedge/k8s_gateway
|
||
|
pullPolicy: IfNotPresent
|
||
|
tag: v0.4.0@sha256:7bdbd447c0244b8f89de9cd6f4826ed0ac66c9406fac3a4ac80081020c251c6b
|
||
|
|
||
|
workload:
|
||
|
main:
|
||
|
replicas: 2
|
||
|
strategy: RollingUpdate
|
||
|
podSpec:
|
||
|
containers:
|
||
|
main:
|
||
|
probes:
|
||
|
liveness:
|
||
|
enabled: false
|
||
|
type: exec
|
||
|
command:
|
||
|
- /app/blocky
|
||
|
- healthcheck
|
||
|
readiness:
|
||
|
enabled: false
|
||
|
type: exec
|
||
|
command:
|
||
|
- /app/blocky
|
||
|
- healthcheck
|
||
|
startup:
|
||
|
enabled: false
|
||
|
type: exec
|
||
|
command:
|
||
|
- /app/blocky
|
||
|
- healthcheck
|
||
|
# -- Blocky Config File content
|
||
|
blockyConfig: {}
|
||
|
# upstream:
|
||
|
# default:
|
||
|
# - 1.1.1.1
|
||
|
|
||
|
# -- some general blocky settings
|
||
|
blocky:
|
||
|
# -- Enable prometheus annotations
|
||
|
enablePrometheus: true
|
||
|
service:
|
||
|
main:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
main:
|
||
|
enabled: true
|
||
|
port: 4000
|
||
|
protocol: http
|
||
|
targetPort: 4000
|
||
|
dns:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
dns:
|
||
|
enabled: true
|
||
|
port: 53
|
||
|
protocol: udp
|
||
|
targetPort: 53
|
||
|
dnstcp:
|
||
|
enabled: true
|
||
|
protocol: tcp
|
||
|
port: "{{ .Values.service.dns.ports.dns.port }}"
|
||
|
targetPort: 53
|
||
|
dot:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
dot:
|
||
|
enabled: true
|
||
|
port: 853
|
||
|
protocol: tcp
|
||
|
targetPort: 853
|
||
|
https:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
https:
|
||
|
enabled: true
|
||
|
port: 4443
|
||
|
protocol: https
|
||
|
targetPort: 4443
|
||
|
k8sgateway:
|
||
|
enabled: true
|
||
|
ports:
|
||
|
k8sgateway:
|
||
|
enabled: true
|
||
|
port: 5353
|
||
|
protocol: udp
|
||
|
targetPort: 5353
|
||
|
## TODO Add support for SCALE certificates and certificates secrets here
|
||
|
certFile: ""
|
||
|
keyFile: ""
|
||
|
logLevel: info
|
||
|
logFormat: text
|
||
|
logTimestamp: true
|
||
|
logPrivacy: false
|
||
|
dohUserAgent: ""
|
||
|
minTlsServeVersion: 1.2
|
||
|
# -- set the default DNS upstream servers
|
||
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||
|
defaultUpstreams:
|
||
|
# Cloudflare
|
||
|
- 1.1.1.1
|
||
|
- 1.0.0.1
|
||
|
# Google
|
||
|
- 8.8.8.8
|
||
|
- 8.8.4.4
|
||
|
# Quad9
|
||
|
- 9.9.9.9
|
||
|
- 149.112.112.112
|
||
|
# OpenDNS
|
||
|
- 208.67.222.222
|
||
|
- 208.67.220.220
|
||
|
# ComodoSecure DNS
|
||
|
- 8.26.56.26
|
||
|
- 8.20.247.20
|
||
|
# -- set additional upstreams
|
||
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||
|
upstreams:
|
||
|
# - name: group2
|
||
|
# dnsservers:
|
||
|
# - 1.1.1.1
|
||
|
|
||
|
# -- set bootstrap dns (not needed)
|
||
|
# Ensures bootstrap encryption and ensure it doesn't use k8s dns
|
||
|
bootstrapDns:
|
||
|
# -- Upstream
|
||
|
upstream: ""
|
||
|
# -- IP's linked to upstream DoT/DoH DNS name
|
||
|
ips: []
|
||
|
# -- set additional bootstrap dns (not needed, only used if bootstrapDns is set)
|
||
|
additionalBootstrapDns: []
|
||
|
# - upstream: ""
|
||
|
# ips: []
|
||
|
|
||
|
# -- Return empty answer for these queries
|
||
|
filtering:
|
||
|
# -- Ensures filtering by query type
|
||
|
queryTypes: []
|
||
|
# -- Set manual custom DNS resolution
|
||
|
customDNS:
|
||
|
customTTL: 1h
|
||
|
filterUnmappedTypes: true
|
||
|
rewrite: []
|
||
|
# - in: something.com
|
||
|
# out: somethingelse.com
|
||
|
mapping: []
|
||
|
# - domain: something.com
|
||
|
# dnsserver: 192.168.178.1
|
||
|
# -- Setup client-name lookup
|
||
|
clientLookup:
|
||
|
# -- upstream used for client-name lookup
|
||
|
upstream: ""
|
||
|
singleNameOrder: []
|
||
|
clients:
|
||
|
# - domain: laptop
|
||
|
# ips: []
|
||
|
# -- Setup caching
|
||
|
caching:
|
||
|
minTime: 15m
|
||
|
maxTime: 0
|
||
|
maxItemsCount: 0
|
||
|
prefetching: true
|
||
|
prefetchExpires: 12h
|
||
|
prefetchThreshold: 5
|
||
|
prefetchMaxItemsCount: 0
|
||
|
cacheTimeNegative: 30m
|
||
|
# -- set conditional settings
|
||
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||
|
conditional:
|
||
|
rewrite: []
|
||
|
# - in: something.com
|
||
|
# out: somethingelse.com
|
||
|
mapping: []
|
||
|
# - domain: something.com
|
||
|
# dnsserver: 192.168.178.1
|
||
|
# -- set blocking settings using Lists
|
||
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
||
|
blocking:
|
||
|
# -- Sets the blocktype
|
||
|
blockType: nxDomain
|
||
|
# -- Sets the block ttl
|
||
|
blockTTL: 6h
|
||
|
# -- Sets the block refreshPeriod
|
||
|
refreshPeriod: 4h
|
||
|
# -- Sets the block download timeout
|
||
|
downloadTimeout: 60s
|
||
|
# -- Sets the block download attempt count
|
||
|
downloadAttempts: 3
|
||
|
# -- Sets the block download cooldown
|
||
|
downloadCooldown: 5s
|
||
|
# -- Set the start strategy (blocking | failOnError | fast)
|
||
|
startStrategy: fast
|
||
|
# -- Sets how many list-groups can be processed at the same time
|
||
|
processingConcurrency: 8
|
||
|
# -- Add blocky whitelists
|
||
|
# `default` name is reservered for TrueCharts included default whitelist
|
||
|
# example shows the structure, though name should be changed when used
|
||
|
whitelist:
|
||
|
[]
|
||
|
# - name: default
|
||
|
# lists:
|
||
|
# - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt
|
||
|
# - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
|
||
|
# - https://raw.githubusercontent.com/rahilpathan/pihole-whitelist/main/1.LowWL.txt
|
||
|
|
||
|
# -- Blocky blacklists
|
||
|
# `default` name is reservered for TrueCharts included default blacklist
|
||
|
# example shows the structure, though name should be changed when used
|
||
|
blacklist:
|
||
|
[]
|
||
|
# - name: default
|
||
|
# lists:
|
||
|
# - https://big.oisd.nl/domainswild
|
||
|
|
||
|
# -- Blocky clientGroupsBlock
|
||
|
clientGroupsBlock:
|
||
|
- name: default
|
||
|
groups:
|
||
|
- default
|
||
|
# -- configure using hostsfile for lookups
|
||
|
# Allows for using the hosts configured in kubernetes and such
|
||
|
hostsFile:
|
||
|
enabled: false
|
||
|
filePath: /etc/hosts
|
||
|
hostsTTL: 60m
|
||
|
refreshPeriod: 30m
|
||
|
|
||
|
podOptions:
|
||
|
automountServiceAccountToken: true
|
||
|
portal:
|
||
|
open:
|
||
|
enabled: false
|
||
|
serviceAccount:
|
||
|
main:
|
||
|
# -- Specifies whether a service account should be created
|
||
|
enabled: true
|
||
|
primary: true
|
||
|
# -- Create a ClusterRole and ClusterRoleBinding
|
||
|
# @default -- See below
|
||
|
rbac:
|
||
|
main:
|
||
|
# -- Enables or disables the ClusterRole and ClusterRoleBinding
|
||
|
enabled: true
|
||
|
primary: true
|
||
|
clusterWide: true
|
||
|
# -- Set Rules on the ClusterRole
|
||
|
rules:
|
||
|
- apiGroups:
|
||
|
- ""
|
||
|
resources:
|
||
|
- services
|
||
|
- namespaces
|
||
|
verbs:
|
||
|
- list
|
||
|
- watch
|
||
|
- apiGroups:
|
||
|
- extensions
|
||
|
- networking.k8s.io
|
||
|
resources:
|
||
|
- ingresses
|
||
|
verbs:
|
||
|
- list
|
||
|
- watch
|
||
|
k8sgateway:
|
||
|
enabled: true
|
||
|
# -- TTL for non-apex responses (in seconds)
|
||
|
ttl: 300
|
||
|
# -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"]
|
||
|
watchedResources: []
|
||
|
# -- Service name of a secondary DNS server (should be `serviceName.namespace`)
|
||
|
secondary: ""
|
||
|
# -- Override the default `serviceName.namespace` domain apex
|
||
|
apex: ""
|
||
|
# -- list of processed domains
|
||
|
domains: []
|
||
|
# -- Delegated domain
|
||
|
# - domain: "example.com"
|
||
|
# # -- Optional configuration option for DNS01 challenge that will redirect all acme
|
||
|
# # challenge requests to external cloud domain (e.g. managed by cert-manager)
|
||
|
# # See: https://cert-manager.io/docs/configuration/acme/dns01/
|
||
|
# dnsChallenge:
|
||
|
# enabled: false
|
||
|
# domain: dns01.clouddns.com
|
||
|
|
||
|
forward:
|
||
|
enabled: false
|
||
|
primary: tls://1.1.1.1
|
||
|
secondary: tls://1.0.0.1
|
||
|
options:
|
||
|
- name: tls_servername
|
||
|
value: cloudflare-dns.com
|
||
|
|
||
|
configmap:
|
||
|
dashboard:
|
||
|
enabled: true
|
||
|
labels:
|
||
|
grafana_dashboard: "1"
|
||
|
data:
|
||
|
blocky.json: >-
|
||
|
{{ .Files.Get "dashboard.json" | indent 8 }}
|
||
|
blockypostgres.json: >-
|
||
|
{{ .Files.Get "dashboardpsql.json" | indent 8 }}
|
||
|
datasource:
|
||
|
enabled: true
|
||
|
labels:
|
||
|
grafana_datasources: "1"
|
||
|
data:
|
||
|
datasourceblockypsql.yaml: |-
|
||
|
apiVersion: 1
|
||
|
datasources:
|
||
|
- name: BlockyPostgres
|
||
|
type: postgres
|
||
|
uid: blockypostgres
|
||
|
url: {{ printf "%s.%s:5432" (.Values.cnpg.main.creds.host | trimAll "\"") .Release.Namespace }}
|
||
|
access: proxy
|
||
|
user: {{ .Values.cnpg.main.user }}
|
||
|
secureJsonData:
|
||
|
password: {{ .Values.cnpg.main.creds.password | default "na" }}
|
||
|
jsonData:
|
||
|
database: {{ .Values.cnpg.main.database }}
|
||
|
sslmode: 'disable' # disable/require/verify-ca/verify-full
|
||
|
maxOpenConns: 100 # Grafana v5.4+
|
||
|
maxIdleConns: 100 # Grafana v5.4+
|
||
|
maxIdleConnsAuto: true # Grafana v9.5.1+
|
||
|
connMaxLifetime: 14400 # Grafana v5.4+
|
||
|
postgresVersion: 1500 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
|
||
|
timescaledb: false
|
||
|
|
||
|
metrics:
|
||
|
main:
|
||
|
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
||
|
# @default -- See values.yaml
|
||
|
enabled: true
|
||
|
type: "servicemonitor"
|
||
|
endpoints:
|
||
|
- port: main
|
||
|
path: /metrics
|
||
|
# -- Enable and configure Prometheus Rules for the chart under this key.
|
||
|
# @default -- See values.yaml
|
||
|
prometheusRule:
|
||
|
enabled: false
|
||
|
labels: {}
|
||
|
# -- Configure additionial rules for the chart under this key.
|
||
|
# @default -- See prometheusrules.yaml
|
||
|
rules: []
|
||
|
# - alert: UnifiPollerAbsent
|
||
|
# annotations:
|
||
|
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
||
|
# summary: Unifi Poller is down.
|
||
|
# expr: |
|
||
|
# absent(up{job=~".*unifi-poller.*"} == 1)
|
||
|
# for: 5m
|
||
|
# labels:
|
||
|
# severity: critical
|
||
|
|
||
|
redis:
|
||
|
enabled: true
|
||
|
includeCommon: true
|
||
|
# CANNOT be defined in above yaml section
|
||
|
queryLog:
|
||
|
# optional one of: mysql, postgresql, csv, csv-client. If empty, log to console
|
||
|
type: "postgresql"
|
||
|
# directory (should be mounted as volume in docker) for csv, db connection string for mysql, ignored for included postgresql
|
||
|
# target: /var/log/something
|
||
|
# postgresql target: postgres://user:password@db_host_or_ip:5432/db_name
|
||
|
# if > 0, deletes log files which are older than ... days
|
||
|
logRetentionDays: 0
|
||
|
# optional: Max attempts to create specific query log writer, default: 3
|
||
|
creationAttempts: 3
|
||
|
# optional: Time between the creation attempts, default: 2s
|
||
|
creationCooldown: 2s
|
||
|
|
||
|
cnpg:
|
||
|
main:
|
||
|
enabled: true
|
||
|
user: blocky
|
||
|
database: blocky
|