charts/blocky/values.yaml

#
# IMPORTANT NOTE
#
# This chart inherits from the common library chart. You can check the default values/options here:
# https://github.com/johanneskastl/helm-charts/tree/main/charts/common/values.yaml
#

image:
  # -- image repository
  repository: ghcr.io/0xerr0r/blocky
  # -- image tag
  # @default -- chart.appVersion
  tag:
  # -- image pull policy
  pullPolicy: IfNotPresent

controller:
  # -- Set the controller upgrade strategy
  strategy: RollingUpdate
  # -- (int) Number of pods to load balance between
  replicas: 1

# -- environment variables. See [image docs](https://0xerr0r.github.io/blocky/installation/#run-with-docker) for more details.
# @default -- See below
env:
  # -- Set the container timezone
  TZ: UTC

# -- Configures service settings for the chart.
# @default -- See values.yaml
service:
  main:
    enabled: false
    ports:
      http:
        port: 4000
  dns-tcp:
    enabled: false
    type: ClusterIP
    externalTrafficPolicy: Local
    ports:
      dns-tcp:
        enabled: true
        port: 53
        protocol: TCP
        targetPort: 53
  dns-udp:
    enabled: false
    type: ClusterIP
    externalTrafficPolicy: Local
    ports:
      dns-udp:
        enabled: true
        port: 53
        protocol: UDP
        targetPort: 53

# -- Enable and configure ingress settings for the chart under this key.
# @default -- See values.yaml
ingress:
  main:
    enabled: false
    hosts:
      - host: blocky-api.local
        paths:
        - path: /
          pathType: Prefix
          service:
            port: 4000

# -- Configure persistence settings for the chart under this key.
# @default -- See values.yaml
persistence:
  logs:
    enabled: false
    mountPath: /logs

metrics:
  # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
  # @default -- See values.yaml
  enabled: false
  serviceMonitor:
    # -- Interval at which Prometheus should scrape metrics
    interval: 30s
    # -- Timeout after which the scrape is ended
    scrapeTimeout: 10s
    # -- Additional labels for the Kubernetes `ServiceMonitor` object
    labels: {}
    # -- The Kubernetes `Endpoints` label to use as the Prometheus job name
    jobLabel: ""
    # -- TargetLabels transfers labels from the Kubernetes `Service`` onto the created metrics.
    targetLabels: []
    # -- PodTargetLabels transfers labels on the Kubernetes `Pod`` onto the created metrics.
    podTargetLabels: []
  # -- Enable and configure Prometheus Rules for the chart under this key.
  # @default -- See values.yaml
  prometheusRule:
    enabled: false
    labels: {}
    # -- Configure additionial rules for the chart under this key.
    # @default -- See prometheusrules.yaml
    rules: []
      # - alert: BlockyDisabled
      #   annotations:
      #     description: Blocky's ad blocking has been disabled for 15min.
      #       Please re-enable protection.
      #     summary: Blocky is disabled.
      #   expr: |
      #     blocky_blocking_enabled == 0
      #   for: 15m
      #   labels:
      #     severity: critical

# -- Enable and configure redis subchart under this key.
# Useful if you're running more than one replica of blocky dns.
# For more options see [redis chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/redis)
# @default -- See values.yaml
redis:
  enabled: false
  # auth:
  #   enabled: false

# -- Full list of options https://github.com/0xERR0R/blocky/blob/v0.18/docs/config.yml
# @default -- see URL to default config
config: |
  upstream:
    # these external DNS resolvers will be used. Blocky picks 2 random resolvers from the list for each query
    # format for resolver: [net:]host:[port][/path]. net could be empty (default, shortcut for tcp+udp), tcp+udp, tcp, udp, tcp-tls or https (DoH). If port is empty, default port will be used (53 for udp and tcp, 853 for tcp-tls, 443 for https (Doh))
    # this configuration is mandatory, please define at least one external DNS resolver
    default:
      - 46.182.19.48
      - 80.241.218.68
      - tcp-tls:fdns1.dismail.de:853
      - https://dns.digitale-gesellschaft.ch/dns-query
    # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
    # or single ip address / client subnet as CIDR notation
    laptop*:
      - 123.123.123.123

  # optional: timeout to query the upstream resolver. Default: 2s
  upstreamTimeout: 2s

  # optional: custom IP address(es) for domain name (with all sub-domains). Multiple addresses must be separated by a comma
  # example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3
  customDNS:
    mapping:
      printer.lan: 192.168.178.3,2001:0db8:85a3:08d3:1319:8a2e:0370:7344

  # optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma
  # Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name
  conditional:
    # optional: replace domain in the query with other domain before resolver lookup in the mapping
    rewrite:
      example.com: fritz.box
    mapping:
      fritz.box: udp:192.168.178.1
      lan.net: udp:192.168.178.1,udp:192.168.178.2

  # optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
  blocking:
    # definition of blacklist groups. Can be external link (http/https) or local file
    blackLists:
      ads:
        - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
        - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
        - https://mirror1.malwaredomains.com/files/justdomains
        - http://sysctl.org/cameleon/hosts
        - https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
        - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
        - |
          # inline definition with YAML literal block scalar style
          # hosts format
          someadsdomain.com
      special:
        - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
    # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked
    whiteLists:
      ads:
        - whitelist.txt
        - |
          # inline definition with YAML literal block scalar style
          # hosts format
          whitelistdomain.com
          # this is a regex
          /^banners?[_.-]/
    # definition: which groups should be applied for which client
    clientGroupsBlock:
      # default will be used, if no special definition for a client name exists
      default:
        - ads
        - special
      # use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
      # or single ip address / client subnet as CIDR notation
      laptop*:
        - ads
      192.168.178.1/24:
        - special
    # which response will be sent, if query is blocked:
    # zeroIp: 0.0.0.0 will be returned (default)
    # nxDomain: return NXDOMAIN as return code
    # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page.
    blockType: zeroIp
    # optional: TTL for answers to blocked domains
    # default: 6h
    blockTTL: 1m
    # optional: automatically list refresh period (in duration format). Default: 4h.
    # Negative value -> deactivate automatically refresh.
    # 0 value -> use default
    refreshPeriod: 4h
    # optional: timeout for list download (each url). Default: 60s. Use large values for big lists or slow internet connections
    downloadTimeout: 4m
    # optional: Download attempt timeout. Default: 60s
    downloadAttempts: 5
    # optional: Time between the download attempts. Default: 1s
    downloadCooldown: 10s
    # optional: if true, application startup will fail if at least one list can't be downloaded / opened. Default: false
    failStartOnListError: false

  # optional: configuration for caching of DNS responses
  caching:
    # duration how long a response must be cached (min value).
    # If <=0, use response's TTL, if >0 use this value, if TTL is smaller
    # Default: 0
    minTime: 5m
    # duration how long a response must be cached (max value).
    # If <0, do not cache responses
    # If 0, use TTL
    # If > 0, use this value, if TTL is greater
    # Default: 0
    maxTime: -1
    # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM.
    # Default (0): unlimited
    maxItemsCount: 0
    # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window)
    # this improves the response time for often used queries, but significantly increases external traffic
    # default: false
    prefetching: true
    # prefetch track time window (in duration format)
    # default: 120
    prefetchExpires: 2h
    # name queries threshold for prefetch
    # default: 5
    prefetchThreshold: 5
    # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM.
    # Default (0): unlimited
    prefetchMaxItemsCount: 0

  # optional: configuration of client name resolution
  clientLookup:
    # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router)
    upstream: udp:192.168.178.1
    # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used.
    # Example: take second name if present, if not take first name
    singleNameOrder:
      - 2
      - 1
    # optional: custom mapping of client name to IP addresses. Useful if reverse DNS does not work properly or just to have custom client names.
    clients:
      laptop:
        - 192.168.178.29
  # optional: configuration for prometheus metrics endpoint
  prometheus:
    # enabled if true
    enable: true
    # url path, optional (default '/metrics')
    path: /metrics

  # optional: write query information (question, answer, client, duration etc.) to daily csv file
  queryLog:
    # optional one of: mysql, csv, csv-client. If empty, log to console
    type: mysql
    # directory (should be mounted as volume in docker) for csv, db connection string for mysql
    target: db_user:db_password@tcp(db_host_or_ip:3306)/db_user?charset=utf8mb4&parseTime=True&loc=Local
    # if > 0, deletes log files which are older than ... days
    logRetentionDays: 7

  # optional: DNS listener port and bind ip address, default 53 (UDP and TCP). Example: 53, :53, 127.0.0.1:53
  port: 53
  # optional: Port for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
  #tlsPort: 53
  # optional: HTTPS listener port and bind ip address, default empty = no http listener. If > 0, will be used for prometheus metrics, pprof, REST API, DoH... Example: 443, :443, 127.0.0.1:443
  httpPort: 4000
  #httpsPort: 443
  # mandatory, if https port > 0: path to cert and key file for SSL encryption
  #certFile: server.crt
  #keyFile: server.key
  # optional: use this DNS server to resolve blacklist urls and upstream DNS servers. Useful if no DNS resolver is configured and blocky needs to resolve a host name. Format net:IP:port, net must be udp or tcp
  bootstrapDns: tcp+udp:1.1.1.1
  # optional: Drop all AAAA query if set to true. Default: false
  disableIPv6: false
  # optional: Log level (one from debug, info, warn, error). Default: info
  logLevel: info
  # optional: Log format (text or json). Default: text
  logFormat: text
  # optional: log timestamps. Default: true
  logTimestamp: true
  # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false
  logPrivacy: false
  #redis:
    #address: blocky-redis-headless:6379
    #password: passwd
    #database: 2
    #required: true
    #connectionAttempts: 10
    #connectionCooldown: 3s