feat: add blocky

kube/clusters/biohazard/flux/kustomization.yaml

@@ -125,6 +125,7 @@ resources:
   - ../../../deploy/apps/immich/
   - ../../../deploy/apps/kromgo/
   - ../../../deploy/apps/komga/
+  - ../../../deploy/apps/blocky/
   - ../../../deploy/vm/_kubevirt/
   #- ../../../deploy/vm/_base/
   - ../../../deploy/vm/ad/

kube/deploy/apps/blocky/app/config/config.yaml

@@ -0,0 +1,121 @@
+---
+upstreams:
+  groups:
+    default:
+      - "${IP_ROUTER_LAN}"
+      - &doh https://base.dns.mullvad.net/dns-query
+  strategy: strict
+  timeout: 2s
+bootstrapDns:
+  - "tcp+udp:${IP_ROUTER_LAN}"
+  - "tcp+udp:${IP_ROUTER_VLAN_K8S}"
+  - upstream: *doh
+    ips: ["192.242.2.2", "192.242.2.3", "192.242.2.4", "192.242.2.5", "192.242.2.6", "192.242.2.9", "2a07:e340::2", "2a07:e340::3", "2a07:e340::4", "2a07:e340::5", "2a07:e340::6", "2a07:e340::9"]
+
+#customDNS:
+#  customTTL: 24h
+#  mapping:
+#    printer.lan: 192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344
+
+conditional:
+  fallbackUpstream: true
+  mapping:
+    jank.ing: &k8s "${APP_IP_K8S_GATEWAY}"
+    ${DNS_SHORT}: *k8s
+    ${DNS_MAIN}: *k8s
+    ${DNS_ME}: *k8s
+    ${DNS_VPN}: https://one.one.one.one/dns-query
+    ${DNS_AD}: "${IP_AD_CIDR_PREFIX}1,${IP_AD_CIDR_PREFIX}2"
+    ts.net: 100.100.100.100
+
+blocking:
+  denylists:
+    default: # mostly error free
+      - https://big.oisd.nl/domainswild
+      - https://v.firebog.net/hosts/AdguardDNS.txt
+      - https://urlhaus.abuse.ch/downloads/hostfile
+      - https://raw.githubusercontent.com/mullvad/dns-blocklists/main/output/doh/doh_privacy.txt
+      - https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/hosts.txt
+      - https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/doh.txt # use DoH-only first rather than doh-vpn-proxy-bypass since I do use Mullvad
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/gambling.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/anti.piracy.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/hoster.txt
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/dyndns.txt
+      - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt
+      - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
+      - /secrets/blocklist # mounted from ExternalSecret
+      - |
+        *.zip
+        example.com
+    safe:
+      - https://nsfw.oisd.nl/domainswild
+    extra: # might not be as error free but will definitely block more
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+      - http://sysctl.org/cameleon/hosts
+      - https://adaway.org/hosts.txt
+      - https://someonewhocares.org/hosts/zero/hosts
+      - https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext
+      # hardcore mode activated
+      - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/ultimate.txt
+      - https://raw.githubusercontent.com/badmojr/1Hosts/master/Pro/wildcards.txt
+  # definition of allowlist groups.
+  # Note: if the same group has both allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed.
+  # If a group has only allowlist entries, only domains from this list are allowed, and all others be blocked.
+  allowlists:
+    extra:
+      - /secrets/allowlist # mounted from ExternalSecret
+  # definition: which groups should be applied for which client
+  clientGroupsBlock:
+    default: [default, nsfw]
+    ${IP_JJ_V4}: [default, extra]
+  blockType: zeroIp
+  blockTTL: 5m
+  loading:
+    refreshPeriod: 1h
+    downloads:
+      cooldown: 10s
+
+clientLookup:
+  upstream: ${IP_ROUTER_LAN}
+  #clients:
+  #  jj: ["${IP_JJ_V4}"]
+
+caching:
+  minTime: 1h
+  maxTime: 1h
+  prefetching: true
+  cacheTimeNegative: 1m
+
+prometheus:
+  enable: true
+  path: /metrics
+
+#queryLog:
+#  type: postgresql
+#  target: postgres://user:password@db_host_or_ip:5432/db_name
+#  logRetentionDays: 7
+
+minTlsServeVersion: 1.3
+
+filtering:
+  queryTypes: [AAAA]
+
+fqdnOnly:
+  enable: false
+
+ports:
+  dns: 8053
+  http: 8080
+
+log:
+  level: info
+  format: text
+  timestamp: true
+  privacy: false
+
+ecs:
+  useAsClient: true

kube/deploy/apps/blocky/app/config/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+configMapGenerator:
+  - name: blocky-config
+    namespace: blocky
+    files:
+      - config.yml=config.yaml
+generatorOptions:
+  disableNameSuffixHash: true

kube/deploy/apps/blocky/app/es.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name blocky-secrets
+  namespace: blocky
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "blocky - ${CLUSTER_NAME}"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
+    # template:
+    #   type: Opaque
+    #   data:
+    #     age.agekey: '{{ .agekey }}'

kube/deploy/apps/blocky/app/hr.yaml

@@ -0,0 +1,146 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app blocky
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      blocky:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            ingress.home.arpa/nginx-external: allow
+            db.home.arpa/pg: pg-default
+            egress.home.arpa/world: allow # TODO: tighten up
+        containers:
+          main:
+            image: &img
+              repository: ghcr.io/0xerr0r/blocky
+              tag: v0.24@sha256:9a82e0235c52ef3048586f8006add06e52132adaae70d02f980569dae16421a2
+            #args: ["--config", &dir "/config"]
+            env: &env
+              TZ: "${CONFIG_TZ}"
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+                add: ["NET_BIND_SERVICE"]
+            resources:
+              requests:
+                cpu: "10m"
+              limits:
+                cpu: "3000m"
+                memory: "512Mi"
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+    service:
+      blocky:
+        controller: blocky
+        ports:
+          http:
+            port: 8080
+            protocol: HTTP
+            appProtocol: http
+      expose:
+        primary: false
+        controller: blocky
+        type: LoadBalancer
+        annotations:
+          "io.cilium/lb-ipam-ips": "${APP_IP_BLOCKY}"
+        ports:
+          dns:
+            port: 53
+            targetPort: 8053
+            protocol: UDP
+            appProtocol: domain
+          dns-tcp:
+            port: 53
+            targetPort: 8053
+            protocol: TCP
+            appProtocol: domain
+    ingress:
+      main:
+        className: nginx-external
+        hosts:
+          - host: &host "${APP_DNS_BLOCKY}"
+            paths: &paths
+              - path: /dns-query
+                pathType: Prefix
+                service:
+                  identifier: blocky
+                  port: http
+        tls:
+          - hosts: [*host]
+    persistence:
+      config:
+        type: configMap
+        name: blocky-config
+        advancedMounts:
+          blocky:
+            main:
+              - subPath: config.yml
+                path: /app/config.yml
+      secrets:
+        type: secret
+        name: blocky-secrets
+        defaultMode: 0400
+        advancedMounts:
+          blocky:
+            main:
+              - subPath: allowlist
+                path: /secrets/allowlist
+              - subPath: blocklist
+                path: /secrets/blocklist
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid 1000
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: fuckoff.home.arpa/blocky
+                    operator: DoesNotExist
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+    serviceMonitor:
+      blocky:
+        serviceName: blocky
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 30s

kube/deploy/apps/blocky/ks.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: blocky-app
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "blocky"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/apps/blocky/app
+  targetNamespace: "blocky"
+  dependsOn:
+    - name: blocky-db
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: blocky-db
+  namespace: flux-system
+  labels: &l
+    prune.flux.home.arpa/enabled: "true"
+    db.home.arpa/pg: "pg-default"
+    app.kubernetes.io/name: "blocky"
+spec:
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/core/db/pg/clusters/template/pguser
+  targetNamespace: "pg"
+  dependsOn:
+    - name: 1-core-db-pg-clusters-default
+    - name: 1-core-secrets-es-k8s
+  postBuild:
+    substitute:
+      PG_NAME: "default"
+      PG_DB_USER: &app "blocky"
+      PG_APP_NS: *app

kube/deploy/apps/blocky/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ns.yaml
+  - ks.yaml

kube/deploy/apps/blocky/ns.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: blocky
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps

kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml

@@ -29,8 +29,10 @@ kind: CiliumLoadBalancerIPPool
 metadata:
   name: dns
 spec:
+  allowFirstLastIPs: yes
   cidrs:
     - cidr: "${IP_LB_DNS_CIDR}"
+    - cidr: "${APP_IP_BLOCKY}/32"
   serviceSelector:
     matchLabels:
       exposeSvc: dns
@@ -45,3 +47,14 @@ spec:
   serviceSelector:
     matchLabels:
       io.cilium/internal: "true"
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: vm-ad
+spec:
+  cidrs:
+    - cidr: "${IP_AD_CIDR}"
+  serviceSelector:
+    matchLabels:
+      vm.home.arpa/windows: "ad"