adguard and routes

apps/adguard/base/adguard-cm.yaml

@@ -0,0 +1,211 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: adguard-config
+  namespace: adguard
+data:
+  AdGuardHome.yaml: |
+    http:
+      pprof:
+        port: 6060
+        enabled: false
+      address: 0.0.0.0:8300
+      session_ttl: 720h
+    auth_attempts: 5
+    block_auth_min: 15
+    http_proxy: ""
+    language: en
+    theme: dark
+    dns:
+      bind_hosts:
+        - 0.0.0.0
+      port: 53
+      anonymize_client_ip: false
+      ratelimit: 20
+      ratelimit_subnet_len_ipv4: 24
+      ratelimit_subnet_len_ipv6: 56
+      ratelimit_whitelist: []
+      refuse_any: false
+      upstream_dns:
+        - https://dns10.quad9.net/dns-query
+        - https://dns.google/dns-query
+      upstream_dns_file: ""
+      bootstrap_dns:
+        - 9.9.9.10
+        - 149.112.112.10
+        - 2620:fe::10
+        - 2620:fe::fe:10
+      fallback_dns: []
+      upstream_mode: load_balance
+      fastest_timeout: 1s
+      allowed_clients:
+        - 192.168.178.0/24
+        - 10.6.0.0/24
+        - fd00::dea6:32ff:fe42:317b
+        - fd00::ec4:8d18:3bfa:349b
+        - fd00::98fb:4209:47b7:5f85
+        - 127.0.0.1
+      disallowed_clients: []
+      blocked_hosts:
+        - version.bind
+        - id.server
+        - hostname.bind
+      trusted_proxies:
+        - 127.0.0.0/8
+        - 10.6.0.0/24
+        - 192.168.178.0/24
+        - ::1/128
+      cache_size: 4194304
+      cache_ttl_min: 0
+      cache_ttl_max: 0
+      cache_optimistic: true
+      bogus_nxdomain: []
+      aaaa_disabled: false
+      enable_dnssec: false
+      edns_client_subnet:
+        custom_ip: ""
+        enabled: false
+        use_custom: false
+      max_goroutines: 300
+      handle_ddr: true
+      ipset: []
+      ipset_file: ""
+      bootstrap_prefer_ipv6: false
+      upstream_timeout: 10s
+      private_networks: []
+      use_private_ptr_resolvers: true
+      local_ptr_upstreams:
+        - 192.168.178.1
+      use_dns64: false
+      dns64_prefixes: []
+      serve_http3: false
+      use_http3_upstreams: false
+      serve_plain_dns: true
+    tls:
+      enabled: true
+      server_name: dns.steffenillium.de
+      force_https: false
+      port_https: 0
+      port_dns_over_tls: 853
+      port_dns_over_quic: 784
+      port_dnscrypt: 0
+      dnscrypt_config_file: ""
+      allow_unencrypted_doh: true
+      certificate_chain: ""
+      private_key: ""
+      certificate_path: ""
+      private_key_path: ""
+      strict_sni_check: false
+    querylog:
+      ignored: []
+      interval: 2160h
+      size_memory: 1000
+      enabled: true
+      file_enabled: true
+    statistics:
+      ignored: []
+      interval: 2160h
+      enabled: true
+    filters:
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
+        name: AdGuard DNS filter
+        id: 1
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
+        name: AdAway Default Blocklist
+        id: 2
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt
+        name: The NoTracking blocklist
+        id: 1680003877
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
+        name: 1Hosts (Lite)
+        id: 1680459591
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_29.txt
+        name: 'CHN: AdRules DNS List'
+        id: 1680459592
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt
+        name: Phishing URL Blocklist (PhishTank and OpenPhish)
+        id: 1680459593
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
+        name: Dandelion Sprout's Anti-Malware List
+        id: 1680459594
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt
+        name: 'CHN: anti-AD'
+        id: 1680459595
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt
+        name: NoCoin Filter List
+        id: 1680459596
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt
+        name: Scam Blocklist by DurableNapkin
+        id: 1680459597
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt
+        name: Stalkerware Indicators List
+        id: 1680459598
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt
+        name: The Big List of Hacked Malware Web Sites
+        id: 1680459599
+      - enabled: true
+        url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt
+        name: Malicious URL Blocklist (URLHaus)
+        id: 1680459600
+      - enabled: true
+        url: https://gitlab.com/magnolia1234/bypass-paywalls-clean-filters/-/raw/main/bpc-paywall-filter.txt
+        name: Paywall Sentry
+        id: 1696527404
+    whitelist_filters: []
+    user_rules:
+      - '||diag.meethue.com^$important'
+      - '||awsde0.fds.api.xiaomi.com^$important'
+      - '@@||firebasedynamiclinks.googleapis.com^$important'
+    dhcp:
+      enabled: false
+      interface_name: ""
+      local_domain_name: lan
+      dhcpv4:
+        gateway_ip: ""
+        subnet_mask: ""
+        range_start: ""
+        range_end: ""
+        lease_duration: 86400
+        icmp_timeout_msec: 1000
+        options: []
+      dhcpv6:
+        range_start: ""
+        lease_duration: 86400
+        ra_slaac_only: false
+        ra_allow_slaac: false
+    filtering:
+      rewrites:
+        - domain: steffenillium.de
+          answer: 82.165.0.71
+        - domain: '*.steffenillium.de'
+          answer: 192.168.178.102
+      safebrowsing_cache_size: 1048576
+      safesearch_cache_size: 1048576
+      parental_cache_size: 1048576
+      cache_time: 30
+      filters_update_interval: 12
+      blocked_response_ttl: 10
+      filtering_enabled: true
+      parental_enabled: false
+      safebrowsing_enabled: true
+      protection_enabled: true
+    log:
+      file: ""
+      max_backups: 0
+      max_size: 100
+      max_age: 3
+      compress: false
+      local_time: false
+      verbose: false

apps/adguard/base/adguard-deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: adguard-deployment
+  namespace: adguard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: adguard
+  template:
+    metadata:
+      labels:
+        app: adguard
+    spec:
+      containers:
+      - name: adguard-home
+        image: adguard/adguardhome:latest
+        env:
+        - name: AGH_CONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: adguard-config
+              key: AdGuardHome.yaml
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 3000
+          name: http-initial
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        volumeMounts:
+        - name: adguard-pvc
+          mountPath: /opt/adguardhome/work
+      volumes:
+      - name: adguard-pvc
+        persistentVolumeClaim:
+          claimName: adguard-pvc

apps/adguard/base/adguard-ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: adguard-ui
+  namespace: adguard
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+  - match: Host(`adguard.steffenillium.de`) || Host(`dns.steffenillium.de`)
+    kind: Rule
+    services:
+    - name: adguard
+      port: 80
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: adguard-ui-init
+  namespace: adguard
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`adguard-init.steffenillium.de`)
+    kind: Rule
+    services:
+    - name: adguard
+      port: 3000

apps/adguard/base/adguard-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: adguard

apps/adguard/base/adguard-pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: adguard-pvc
+  namespace: adguard
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 1Gi

apps/adguard/base/adguard-service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: adguard-service
+  namespace: adguard
+spec:
+  selector:
+    app: adguard
+  ports:
+  - protocol: TCP
+    port: 3000
+    targetPort: 3000
+    name: http-initial
+  - protocol: TCP
+    port: 80
+    targetPort: 80
+    name: http
+  - protocol: UDP
+    port: 53
+    targetPort: 53
+    name: dns
+  type: LoadBalancer
+  loadBalancerIP: 192.168.178.101

infrastructure/02-argocd/kustomization.yaml

@@ -11,5 +11,5 @@ resources:
 
 patches:
 - path: patches/argocd-cmd-params-cm-patch.yaml
-- path: patches/argocd-server-service-type.yaml
+- path: patches/argocd-server-service.yaml
 - path: patches/argocd-cm-patch.yaml

infrastructure/02-argocd/patches/argocd-server-service.yaml

@@ -4,3 +4,5 @@ metadata:
   name: argocd-server
 spec:
   type: LoadBalancer
+  loadBalancerIP: 192.168.178.103
+

infrastructure/03-traefik/base/traefik-adguard-service-udp-dns.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: adguard-udp-dns
+  namespace: traefik
+spec:
+  selector:
+    app: adguard
+  ports:
+    - port: 53
+      targetPort: 53
+  type: LoadBalancer

infrastructure/03-traefik/base/values.yaml

@@ -39,6 +39,11 @@ additionalArguments:
 
 
 ports:
+  dns:
+    port: 53
+    expose: true
+    exposedPort: 53
+    protocol: UDP
   web:
    tls:
      enabled: false

infrastructure/03-traefik/kustomization.yaml

@@ -5,6 +5,7 @@ namespace: traefik
 
 resources:
   - base/traefik-middleware-default-headers.yaml
+  - base/traefik-adguard-service-udp-dns,yaml
 
 helmCharts:
 - name: traefik