diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index 3748fee536..1ec342aae1 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml @@ -125,6 +125,7 @@ resources: - ../../../deploy/apps/immich/ - ../../../deploy/apps/kromgo/ - ../../../deploy/apps/komga/ + - ../../../deploy/apps/blocky/ - ../../../deploy/vm/_kubevirt/ #- ../../../deploy/vm/_base/ - ../../../deploy/vm/ad/ diff --git a/kube/deploy/apps/blocky/app/config/config.yaml b/kube/deploy/apps/blocky/app/config/config.yaml new file mode 100644 index 0000000000..f409b80816 --- /dev/null +++ b/kube/deploy/apps/blocky/app/config/config.yaml @@ -0,0 +1,121 @@ +--- +upstreams: + groups: + default: + - "${IP_ROUTER_LAN}" + - &doh https://base.dns.mullvad.net/dns-query + strategy: strict + timeout: 2s +bootstrapDns: + - "tcp+udp:${IP_ROUTER_LAN}" + - "tcp+udp:${IP_ROUTER_VLAN_K8S}" + - upstream: *doh + ips: ["192.242.2.2", "192.242.2.3", "192.242.2.4", "192.242.2.5", "192.242.2.6", "192.242.2.9", "2a07:e340::2", "2a07:e340::3", "2a07:e340::4", "2a07:e340::5", "2a07:e340::6", "2a07:e340::9"] + +#customDNS: +# customTTL: 24h +# mapping: +# printer.lan: 192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344 + +conditional: + fallbackUpstream: true + mapping: + jank.ing: &k8s "${APP_IP_K8S_GATEWAY}" + ${DNS_SHORT}: *k8s + ${DNS_MAIN}: *k8s + ${DNS_ME}: *k8s + ${DNS_VPN}: https://one.one.one.one/dns-query + ${DNS_AD}: "${IP_AD_CIDR_PREFIX}1,${IP_AD_CIDR_PREFIX}2" + ts.net: 100.100.100.100 + +blocking: + denylists: + default: # mostly error free + - https://big.oisd.nl/domainswild + - https://v.firebog.net/hosts/AdguardDNS.txt + - https://urlhaus.abuse.ch/downloads/hostfile + - https://raw.githubusercontent.com/mullvad/dns-blocklists/main/output/doh/doh_privacy.txt + - https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/hosts.txt + - https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/doh.txt # use DoH-only first rather than doh-vpn-proxy-bypass since I do use Mullvad + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/gambling.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/anti.piracy.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/nosafesearch.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/hoster.txt + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/dyndns.txt + - https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt + - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt + - /secrets/blocklist # mounted from ExternalSecret + - | + *.zip + example.com + safe: + - https://nsfw.oisd.nl/domainswild + extra: # might not be as error free but will definitely block more + - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + - http://sysctl.org/cameleon/hosts + - https://adaway.org/hosts.txt + - https://someonewhocares.org/hosts/zero/hosts + - https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext + # hardcore mode activated + - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/ultimate.txt + - https://raw.githubusercontent.com/badmojr/1Hosts/master/Pro/wildcards.txt + # definition of allowlist groups. + # Note: if the same group has both allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed. + # If a group has only allowlist entries, only domains from this list are allowed, and all others be blocked. + allowlists: + extra: + - /secrets/allowlist # mounted from ExternalSecret + # definition: which groups should be applied for which client + clientGroupsBlock: + default: [default, nsfw] + ${IP_JJ_V4}: [default, extra] + blockType: zeroIp + blockTTL: 5m + loading: + refreshPeriod: 1h + downloads: + cooldown: 10s + +clientLookup: + upstream: ${IP_ROUTER_LAN} + #clients: + # jj: ["${IP_JJ_V4}"] + +caching: + minTime: 1h + maxTime: 1h + prefetching: true + cacheTimeNegative: 1m + +prometheus: + enable: true + path: /metrics + +#queryLog: +# type: postgresql +# target: postgres://user:password@db_host_or_ip:5432/db_name +# logRetentionDays: 7 + +minTlsServeVersion: 1.3 + +filtering: + queryTypes: [AAAA] + +fqdnOnly: + enable: false + +ports: + dns: 8053 + http: 8080 + +log: + level: info + format: text + timestamp: true + privacy: false + +ecs: + useAsClient: true diff --git a/kube/deploy/apps/blocky/app/config/kustomization.yaml b/kube/deploy/apps/blocky/app/config/kustomization.yaml new file mode 100644 index 0000000000..9e1010b745 --- /dev/null +++ b/kube/deploy/apps/blocky/app/config/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +configMapGenerator: + - name: blocky-config + namespace: blocky + files: + - config.yml=config.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/kube/deploy/apps/blocky/app/es.yaml b/kube/deploy/apps/blocky/app/es.yaml new file mode 100644 index 0000000000..487d0a74f1 --- /dev/null +++ b/kube/deploy/apps/blocky/app/es.yaml @@ -0,0 +1,23 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name blocky-secrets + namespace: blocky +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "blocky - ${CLUSTER_NAME}" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + # template: + # type: Opaque + # data: + # age.agekey: '{{ .agekey }}' diff --git a/kube/deploy/apps/blocky/app/hr.yaml b/kube/deploy/apps/blocky/app/hr.yaml new file mode 100644 index 0000000000..6ae5dd715b --- /dev/null +++ b/kube/deploy/apps/blocky/app/hr.yaml @@ -0,0 +1,146 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: &app blocky + namespace: *app +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system + values: + controllers: + blocky: + type: deployment + replicas: 1 + pod: + labels: + ingress.home.arpa/nginx-external: allow + db.home.arpa/pg: pg-default + egress.home.arpa/world: allow # TODO: tighten up + containers: + main: + image: &img + repository: ghcr.io/0xerr0r/blocky + tag: v0.24@sha256:9a82e0235c52ef3048586f8006add06e52132adaae70d02f980569dae16421a2 + #args: ["--config", &dir "/config"] + env: &env + TZ: "${CONFIG_TZ}" + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + add: ["NET_BIND_SERVICE"] + resources: + requests: + cpu: "10m" + limits: + cpu: "3000m" + memory: "512Mi" + probes: + liveness: + enabled: true + readiness: + enabled: true + service: + blocky: + controller: blocky + ports: + http: + port: 8080 + protocol: HTTP + appProtocol: http + expose: + primary: false + controller: blocky + type: LoadBalancer + annotations: + "io.cilium/lb-ipam-ips": "${APP_IP_BLOCKY}" + ports: + dns: + port: 53 + targetPort: 8053 + protocol: UDP + appProtocol: domain + dns-tcp: + port: 53 + targetPort: 8053 + protocol: TCP + appProtocol: domain + ingress: + main: + className: nginx-external + hosts: + - host: &host "${APP_DNS_BLOCKY}" + paths: &paths + - path: /dns-query + pathType: Prefix + service: + identifier: blocky + port: http + tls: + - hosts: [*host] + persistence: + config: + type: configMap + name: blocky-config + advancedMounts: + blocky: + main: + - subPath: config.yml + path: /app/config.yml + secrets: + type: secret + name: blocky-secrets + defaultMode: 0400 + advancedMounts: + blocky: + main: + - subPath: allowlist + path: /secrets/allowlist + - subPath: blocklist + path: /secrets/blocklist + defaultPodOptions: + automountServiceAccountToken: false + enableServiceLinks: false + securityContext: + runAsNonRoot: true + runAsUser: &uid 1000 + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + seccompProfile: { type: "RuntimeDefault" } + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: *app + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: fuckoff.home.arpa/blocky + operator: DoesNotExist + dnsConfig: + options: + - name: ndots + value: "1" + serviceMonitor: + blocky: + serviceName: blocky + endpoints: + - port: metrics + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 30s diff --git a/kube/deploy/apps/blocky/ks.yaml b/kube/deploy/apps/blocky/ks.yaml new file mode 100644 index 0000000000..9ed6d85329 --- /dev/null +++ b/kube/deploy/apps/blocky/ks.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: blocky-app + namespace: flux-system + labels: &l + app.kubernetes.io/name: "blocky" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/apps/blocky/app + targetNamespace: "blocky" + dependsOn: + - name: blocky-db +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: blocky-db + namespace: flux-system + labels: &l + prune.flux.home.arpa/enabled: "true" + db.home.arpa/pg: "pg-default" + app.kubernetes.io/name: "blocky" +spec: + commonMetadata: + labels: *l + path: ./kube/deploy/core/db/pg/clusters/template/pguser + targetNamespace: "pg" + dependsOn: + - name: 1-core-db-pg-clusters-default + - name: 1-core-secrets-es-k8s + postBuild: + substitute: + PG_NAME: "default" + PG_DB_USER: &app "blocky" + PG_APP_NS: *app diff --git a/kube/deploy/apps/blocky/kustomization.yaml b/kube/deploy/apps/blocky/kustomization.yaml new file mode 100644 index 0000000000..5eeb2657b6 --- /dev/null +++ b/kube/deploy/apps/blocky/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - ks.yaml diff --git a/kube/deploy/apps/blocky/ns.yaml b/kube/deploy/apps/blocky/ns.yaml new file mode 100644 index 0000000000..40c30372ad --- /dev/null +++ b/kube/deploy/apps/blocky/ns.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: blocky + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: &ps restricted + pod-security.kubernetes.io/audit: *ps + pod-security.kubernetes.io/warn: *ps diff --git a/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml b/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml index b625afed42..343b618261 100644 --- a/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml +++ b/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml @@ -29,8 +29,10 @@ kind: CiliumLoadBalancerIPPool metadata: name: dns spec: + allowFirstLastIPs: yes cidrs: - cidr: "${IP_LB_DNS_CIDR}" + - cidr: "${APP_IP_BLOCKY}/32" serviceSelector: matchLabels: exposeSvc: dns @@ -45,3 +47,14 @@ spec: serviceSelector: matchLabels: io.cilium/internal: "true" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumLoadBalancerIPPool +metadata: + name: vm-ad +spec: + cidrs: + - cidr: "${IP_AD_CIDR}" + serviceSelector: + matchLabels: + vm.home.arpa/windows: "ad"