381 lines
10 KiB
YAML
381 lines
10 KiB
YAML
image:
|
|
repository: spx01/blocky
|
|
tag: v0.23@sha256:24855b63986c790093554a1f62b58379a06bc10a90ee073906e7c39bf692adcc
|
|
pullPolicy: IfNotPresent
|
|
k8sgatewayImage:
|
|
repository: quay.io/oriedge/k8s_gateway
|
|
pullPolicy: IfNotPresent
|
|
tag: v0.4.0@sha256:7bdbd447c0244b8f89de9cd6f4826ed0ac66c9406fac3a4ac80081020c251c6b
|
|
|
|
workload:
|
|
main:
|
|
replicas: 2
|
|
strategy: RollingUpdate
|
|
podSpec:
|
|
containers:
|
|
main:
|
|
probes:
|
|
liveness:
|
|
enabled: false
|
|
type: exec
|
|
command:
|
|
- /app/blocky
|
|
- healthcheck
|
|
readiness:
|
|
enabled: false
|
|
type: exec
|
|
command:
|
|
- /app/blocky
|
|
- healthcheck
|
|
startup:
|
|
enabled: false
|
|
type: exec
|
|
command:
|
|
- /app/blocky
|
|
- healthcheck
|
|
# -- Blocky Config File content
|
|
blockyConfig: {}
|
|
# upstream:
|
|
# default:
|
|
# - 1.1.1.1
|
|
|
|
# -- some general blocky settings
|
|
blocky:
|
|
# -- Enable prometheus annotations
|
|
enablePrometheus: true
|
|
service:
|
|
main:
|
|
enabled: true
|
|
ports:
|
|
main:
|
|
enabled: true
|
|
port: 4000
|
|
protocol: http
|
|
targetPort: 4000
|
|
dns:
|
|
enabled: true
|
|
ports:
|
|
dns:
|
|
enabled: true
|
|
port: 53
|
|
protocol: udp
|
|
targetPort: 53
|
|
dnstcp:
|
|
enabled: true
|
|
protocol: tcp
|
|
port: "{{ .Values.service.dns.ports.dns.port }}"
|
|
targetPort: 53
|
|
dot:
|
|
enabled: true
|
|
ports:
|
|
dot:
|
|
enabled: true
|
|
port: 853
|
|
protocol: tcp
|
|
targetPort: 853
|
|
https:
|
|
enabled: true
|
|
ports:
|
|
https:
|
|
enabled: true
|
|
port: 4443
|
|
protocol: https
|
|
targetPort: 4443
|
|
k8sgateway:
|
|
enabled: true
|
|
ports:
|
|
k8sgateway:
|
|
enabled: true
|
|
port: 5353
|
|
protocol: udp
|
|
targetPort: 5353
|
|
## TODO Add support for SCALE certificates and certificates secrets here
|
|
certFile: ""
|
|
keyFile: ""
|
|
logLevel: info
|
|
logFormat: text
|
|
logTimestamp: true
|
|
logPrivacy: false
|
|
dohUserAgent: ""
|
|
minTlsServeVersion: 1.2
|
|
# -- set the default DNS upstream servers
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
defaultUpstreams:
|
|
# Cloudflare
|
|
- 1.1.1.1
|
|
- 1.0.0.1
|
|
# Google
|
|
- 8.8.8.8
|
|
- 8.8.4.4
|
|
# Quad9
|
|
- 9.9.9.9
|
|
- 149.112.112.112
|
|
# OpenDNS
|
|
- 208.67.222.222
|
|
- 208.67.220.220
|
|
# ComodoSecure DNS
|
|
- 8.26.56.26
|
|
- 8.20.247.20
|
|
# -- set additional upstreams
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
upstreams:
|
|
# - name: group2
|
|
# dnsservers:
|
|
# - 1.1.1.1
|
|
|
|
# -- set bootstrap dns (not needed)
|
|
# Ensures bootstrap encryption and ensure it doesn't use k8s dns
|
|
bootstrapDns:
|
|
# -- Upstream
|
|
upstream: ""
|
|
# -- IP's linked to upstream DoT/DoH DNS name
|
|
ips: []
|
|
# -- set additional bootstrap dns (not needed, only used if bootstrapDns is set)
|
|
additionalBootstrapDns: []
|
|
# - upstream: ""
|
|
# ips: []
|
|
|
|
# -- Return empty answer for these queries
|
|
filtering:
|
|
# -- Ensures filtering by query type
|
|
queryTypes: []
|
|
# -- Set manual custom DNS resolution
|
|
customDNS:
|
|
customTTL: 1h
|
|
filterUnmappedTypes: true
|
|
rewrite: []
|
|
# - in: something.com
|
|
# out: somethingelse.com
|
|
mapping: []
|
|
# - domain: something.com
|
|
# dnsserver: 192.168.178.1
|
|
# -- Setup client-name lookup
|
|
clientLookup:
|
|
# -- upstream used for client-name lookup
|
|
upstream: ""
|
|
singleNameOrder: []
|
|
clients:
|
|
# - domain: laptop
|
|
# ips: []
|
|
# -- Setup caching
|
|
caching:
|
|
minTime: 15m
|
|
maxTime: 0
|
|
maxItemsCount: 0
|
|
prefetching: true
|
|
prefetchExpires: 12h
|
|
prefetchThreshold: 5
|
|
prefetchMaxItemsCount: 0
|
|
cacheTimeNegative: 30m
|
|
# -- set conditional settings
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
conditional:
|
|
rewrite: []
|
|
# - in: something.com
|
|
# out: somethingelse.com
|
|
mapping: []
|
|
# - domain: something.com
|
|
# dnsserver: 192.168.178.1
|
|
# -- set blocking settings using Lists
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
blocking:
|
|
# -- Sets the blocktype
|
|
blockType: nxDomain
|
|
# -- Sets the block ttl
|
|
blockTTL: 6h
|
|
# -- Sets the block refreshPeriod
|
|
refreshPeriod: 4h
|
|
# -- Sets the block download timeout
|
|
downloadTimeout: 60s
|
|
# -- Sets the block download attempt count
|
|
downloadAttempts: 3
|
|
# -- Sets the block download cooldown
|
|
downloadCooldown: 5s
|
|
# -- Set the start strategy (blocking | failOnError | fast)
|
|
startStrategy: fast
|
|
# -- Sets how many list-groups can be processed at the same time
|
|
processingConcurrency: 8
|
|
# -- Add blocky whitelists
|
|
# `default` name is reservered for TrueCharts included default whitelist
|
|
# example shows the structure, though name should be changed when used
|
|
whitelist:
|
|
[]
|
|
# - name: default
|
|
# lists:
|
|
# - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt
|
|
# - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
|
|
# - https://raw.githubusercontent.com/rahilpathan/pihole-whitelist/main/1.LowWL.txt
|
|
|
|
# -- Blocky blacklists
|
|
# `default` name is reservered for TrueCharts included default blacklist
|
|
# example shows the structure, though name should be changed when used
|
|
blacklist:
|
|
[]
|
|
# - name: default
|
|
# lists:
|
|
# - https://big.oisd.nl/domainswild
|
|
|
|
# -- Blocky clientGroupsBlock
|
|
clientGroupsBlock:
|
|
- name: default
|
|
groups:
|
|
- default
|
|
# -- configure using hostsfile for lookups
|
|
# Allows for using the hosts configured in kubernetes and such
|
|
hostsFile:
|
|
enabled: false
|
|
filePath: /etc/hosts
|
|
hostsTTL: 60m
|
|
refreshPeriod: 30m
|
|
|
|
podOptions:
|
|
automountServiceAccountToken: true
|
|
portal:
|
|
open:
|
|
enabled: false
|
|
serviceAccount:
|
|
main:
|
|
# -- Specifies whether a service account should be created
|
|
enabled: true
|
|
primary: true
|
|
# -- Create a ClusterRole and ClusterRoleBinding
|
|
# @default -- See below
|
|
rbac:
|
|
main:
|
|
# -- Enables or disables the ClusterRole and ClusterRoleBinding
|
|
enabled: true
|
|
primary: true
|
|
clusterWide: true
|
|
# -- Set Rules on the ClusterRole
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
- namespaces
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- list
|
|
- watch
|
|
k8sgateway:
|
|
enabled: true
|
|
# -- TTL for non-apex responses (in seconds)
|
|
ttl: 300
|
|
# -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"]
|
|
watchedResources: []
|
|
# -- Service name of a secondary DNS server (should be `serviceName.namespace`)
|
|
secondary: ""
|
|
# -- Override the default `serviceName.namespace` domain apex
|
|
apex: ""
|
|
# -- list of processed domains
|
|
domains: []
|
|
# -- Delegated domain
|
|
# - domain: "example.com"
|
|
# # -- Optional configuration option for DNS01 challenge that will redirect all acme
|
|
# # challenge requests to external cloud domain (e.g. managed by cert-manager)
|
|
# # See: https://cert-manager.io/docs/configuration/acme/dns01/
|
|
# dnsChallenge:
|
|
# enabled: false
|
|
# domain: dns01.clouddns.com
|
|
|
|
forward:
|
|
enabled: false
|
|
primary: tls://1.1.1.1
|
|
secondary: tls://1.0.0.1
|
|
options:
|
|
- name: tls_servername
|
|
value: cloudflare-dns.com
|
|
|
|
configmap:
|
|
dashboard:
|
|
enabled: true
|
|
labels:
|
|
grafana_dashboard: "1"
|
|
data:
|
|
blocky.json: >-
|
|
{{ .Files.Get "dashboard.json" | indent 8 }}
|
|
blockypostgres.json: >-
|
|
{{ .Files.Get "dashboardpsql.json" | indent 8 }}
|
|
datasource:
|
|
enabled: true
|
|
labels:
|
|
grafana_datasources: "1"
|
|
data:
|
|
datasourceblockypsql.yaml: |-
|
|
apiVersion: 1
|
|
datasources:
|
|
- name: BlockyPostgres
|
|
type: postgres
|
|
uid: blockypostgres
|
|
url: {{ printf "%s.%s:5432" (.Values.cnpg.main.creds.host | trimAll "\"") .Release.Namespace }}
|
|
access: proxy
|
|
user: {{ .Values.cnpg.main.user }}
|
|
secureJsonData:
|
|
password: {{ .Values.cnpg.main.creds.password | default "na" }}
|
|
jsonData:
|
|
database: {{ .Values.cnpg.main.database }}
|
|
sslmode: 'disable' # disable/require/verify-ca/verify-full
|
|
maxOpenConns: 100 # Grafana v5.4+
|
|
maxIdleConns: 100 # Grafana v5.4+
|
|
maxIdleConnsAuto: true # Grafana v9.5.1+
|
|
connMaxLifetime: 14400 # Grafana v5.4+
|
|
postgresVersion: 1500 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
|
|
timescaledb: false
|
|
|
|
metrics:
|
|
main:
|
|
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
|
# @default -- See values.yaml
|
|
enabled: true
|
|
type: "servicemonitor"
|
|
endpoints:
|
|
- port: main
|
|
path: /metrics
|
|
# -- Enable and configure Prometheus Rules for the chart under this key.
|
|
# @default -- See values.yaml
|
|
prometheusRule:
|
|
enabled: false
|
|
labels: {}
|
|
# -- Configure additionial rules for the chart under this key.
|
|
# @default -- See prometheusrules.yaml
|
|
rules: []
|
|
# - alert: UnifiPollerAbsent
|
|
# annotations:
|
|
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
|
# summary: Unifi Poller is down.
|
|
# expr: |
|
|
# absent(up{job=~".*unifi-poller.*"} == 1)
|
|
# for: 5m
|
|
# labels:
|
|
# severity: critical
|
|
|
|
redis:
|
|
enabled: true
|
|
includeCommon: true
|
|
# CANNOT be defined in above yaml section
|
|
queryLog:
|
|
# optional one of: mysql, postgresql, csv, csv-client. If empty, log to console
|
|
type: "postgresql"
|
|
# directory (should be mounted as volume in docker) for csv, db connection string for mysql, ignored for included postgresql
|
|
# target: /var/log/something
|
|
# postgresql target: postgres://user:password@db_host_or_ip:5432/db_name
|
|
# if > 0, deletes log files which are older than ... days
|
|
logRetentionDays: 0
|
|
# optional: Max attempts to create specific query log writer, default: 3
|
|
creationAttempts: 3
|
|
# optional: Time between the creation attempts, default: 2s
|
|
creationCooldown: 2s
|
|
|
|
cnpg:
|
|
main:
|
|
enabled: true
|
|
user: blocky
|
|
database: blocky
|