diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ee3e626..b3c524b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -51,6 +51,8 @@ updates:
 - "/kubernetes/personal/notesnook"
 - "/kubernetes/personal/photoprism"
 - "/kubernetes/production/umami"
+ - "/kubernetes/system/blocky"
+ - "/kubernetes/system/coredns"
 - "/kubernetes/system/csi-driver-nfs"
 - "/kubernetes/system/external-dns"
 - "/kubernetes/system/traefik"
diff --git a/kubernetes/system/blocky/kustomization.yaml b/kubernetes/system/blocky/kustomization.yaml
new file mode 100644
index 0000000..705f421
--- /dev/null
+++ b/kubernetes/system/blocky/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: blocky
+resources:
+ - namespace.yaml
+ - repository.yaml
+ - release.yaml
+secretGenerator:
+ - name: blocky-values
+ files:
+ - values.yaml=values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/system/blocky/kustomizeconfig.yaml b/kubernetes/system/blocky/kustomizeconfig.yaml
new file mode 100644
index 0000000..165ed1d
--- /dev/null
+++ b/kubernetes/system/blocky/kustomizeconfig.yaml
@@ -0,0 +1,6 @@
+nameReference:
+ - kind: HelmRepository
+ version: v1
+ fieldSpecs:
+ - path: spec/chart/spec/sourceRef/name
+ kind: HelmRelease
diff --git a/kubernetes/system/blocky/namespace.yaml b/kubernetes/system/blocky/namespace.yaml
new file mode 100644
index 0000000..16732f8
--- /dev/null
+++ b/kubernetes/system/blocky/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: blocky
+ labels:
+ app.kubernetes.io/name: blocky
+ app.kubernetes.io/component: dns
diff --git a/kubernetes/system/blocky/release.yaml b/kubernetes/system/blocky/release.yaml
new file mode 100644
index 0000000..107b309
--- /dev/null
+++ b/kubernetes/system/blocky/release.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: blocky
+ namespace: blocky
+spec:
+ interval: 1m
+ chart:
+ spec:
+ sourceRef:
+ kind: HelmRepository
+ name: blocky
+ namespace: blocky
+ chart: blocky
+ version: "0.x.x"
+ interval: 1m
+ valuesFrom:
+ - kind: Secret
+ name: blocky-values
diff --git a/kubernetes/system/blocky/repository.yaml b/kubernetes/system/blocky/repository.yaml
new file mode 100644
index 0000000..d696726
--- /dev/null
+++ b/kubernetes/system/blocky/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: blocky
+ namespace: blocky
+spec:
+ interval: 1h
+ url: https://0xerr0r.github.io/blocky
diff --git a/kubernetes/system/blocky/values.yaml b/kubernetes/system/blocky/values.yaml
new file mode 100644
index 0000000..ac32cad
--- /dev/null
+++ b/kubernetes/system/blocky/values.yaml
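Review bot: `version: "0.x.x"` lets Flux roll the blocky chart forward to any new 0.y release on the 1m interval with nothing to review before it lands, and the same open range appears as `version: "1.x.x"` in kubernetes/system/coredns/release.yaml. For a resolver every LAN client depends on, the chart version is part of the deployed artifact: pin it (`version: "<pinned-chart-version>"`) and let the dependabot entry added in .github/dependabot.yml propose bumps as reviewable PRs, if that ecosystem covers HelmRelease chart versions — the diff does not show which ecosystem the directories belong to. It is also worth adding `install: remediation: retries: 3` and `upgrade: remediation: retries: 3` so a bad chart or values change is rolled back instead of leaving the release failed while DNS is down.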
@@ -0,0 +1,101 @@
+replicaCount: 1
+image:
+ repository: ghcr.io/0xerr0r/blocky
+ tag: v0.24
+ pullPolicy: IfNotPresent
+service:
+ type: LoadBalancer
+ annotations:
+ io.cilium/lb-ipam-ips: 10.1.2.172
+ ports:
+ dns:
+ port: 53
+ protocol: UDP
+ dns-tcp:
+ port: 53
+ protocol: TCP
+resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+config:
+ upstream:
+ default:
+ - 1.1.1.1
+ - 1.0.0.1
+ # Conditional forwarding for .lan zone to CoreDNS
+ lan:
+ - coredns.coredns.svc.cluster.local
+ conditional:
+ mapping:
+ lan: coredns.coredns.svc.cluster.local
+ blocking:
+ # Whitelist - domains that should never be blocked
+ whiteLists:
+ ads:
+ - dealabs.digidip.net
+ - s.click.aliexpress.com
+ - fonts.googleapis.com
+ - fonts.gstatic.com
+ - wl.spotify.com
+ - www.googleadservices.com
+ # Blocklists
+ blackLists:
+ ads:
+ - https://big.oisd.nl/
+ - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+ - https://adaway.org/hosts.txt
+ # Block all query types for blocked domains
+ blockType: any
+ # Refresh blocklists every 4 hours
+ refreshPeriod: 4h
+ # Download timeout for blocklists
+ downloadTimeout: 60s
+ # DNS caching
+ caching:
+ minTime: 5m
+ maxTime: 30m
+ prefetching: true
+ prefetchExpires: 2h
+ prefetchThreshold: 5
+ # Prometheus metrics
+ prometheus:
+ enabled: true
+ path: /metrics
+ # Logging
+ log:
+ level: info
+ format: text
+ timestamp: true
+ # HTTP API for web UI and API
+ http:
+ address: 0.0.0.0:4000
+sops:
+ lastmodified: "2026-05-02T09:18:55Z"
+ mac: ENC[AES256_GCM,data:IDPC5eGBYJRslmWBDyVMV4Hee2wWXiXqsn0hVKLdq9aP5DCqNT9tAUvm/v8+EyU/zNIQwwJq4iTlpvh+bJ1VVnbGBKAWoviCOtQdF8I2TR0iBFERP0KUEb96HoCyZBGgaaaIcsMbu0btdcJP6H0438jZdx7W/xmXKpLtlfad/B4=,iv:l7a2hRF8czlWE3iucxHL0L5edBe/aVW+PgTl3H26J+I=,tag:tYsBcwp1ySLYADbKuBVxKw==,type:str]
+ pgp:
+ - created_at: "2026-05-02T09:18:53Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA7uy4qQr71wiAQ//fnWp8+ny12XyIJoWgC3YHF3gg+1QlkTozBxyEHzTHTlp
+ GFPDZGzzX4KFwLwIeDV4rQMYVyvQ4mz8LqPI8tw/421GfhW32hFo+IqzvlEdfwyl
+ y/sJVrBs8vRqZTHsWpkel2P1qwhdN42jvFGKSeP04SHZGjYBQnGWI10nUH9NTU3I
+ 8QD3P8J0+OiGBrbOyRGsbis6SVcqQJTwLsQkpY0gLpiu6RcIh2FF97jNFPr2gxby
+ AVtPP5JPToS/rIlJIvj5+B/VF6ayauZkrOsn26eyzlBVh425PfVc1UbDgtXv1HWW
+ HDef/QHQmK1ipTsH4U6cycY0l/y1eR4/OIAEgYce13BLFAPotIqJnsCxmTTLIsh+
+ ZaS3JnrRVo+63nGiakAJFitkLna3dwHXC5nB7DgKpbfuDjJDwhmOvcf7c9KtnImg
+ CrWNVOtE66caq6N242pmQhV45sM/U51OAXGF3ONXoNgHdvFDN07jM9csxsLIT4mo
+ pbsQhwrpbpy9JNYuJOEfuXWtWf95b2ISH7FruKQS4AEcrMqT5DrfrK+Ez8Weuftd
+ TQn0eg2CsB1o7uJX1/vb7sLeRfzImxi7X0lS6b/4xPamUJemnFi4rSgxohgAIxLo
+ Inur9D2rwLE/Yfm/LdPb8vltYNpeJhOPZo/zC85QlTRwDpxfBDSo4ehhho+zgJ/S
+ XgFX8ZIUaRomYa8F9soY5QBUqlg3tzBBs3QN9EEl1qM89wcjjnm5U79jpT+zPTEp
+ rDnSl7EDaEmYFnwOM8QQsCk56fGVHL3PyaLtXq6go0xjYONUM6DOhcRCF5QizUQ=
+ =K+43
+ -----END PGP MESSAGE-----
+ fp: DC6910268E657FF70BA7EC289974494E76938DDC
+ encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+ version: 3.10.2
diff --git a/kubernetes/system/cilium/pool.yaml b/kubernetes/system/cilium/pool.yaml
index 46c75cb..7c24b60 100644
--- a/kubernetes/system/cilium/pool.yaml
+++ b/kubernetes/system/cilium/pool.yaml
@@ -5,3 +5,4 @@ metadata:
 spec:
 blocks:
 - cidr: "10.1.2.171/32"
+ - cidr: "10.1.2.172/32"
diff --git a/kubernetes/system/coredns/etcd.yaml b/kubernetes/system/coredns/etcd.yaml
new file mode 100644
index 0000000..441dbeb
--- /dev/null
+++ b/kubernetes/system/coredns/etcd.yaml
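Review bot: The `upstream.default` resolvers `1.1.1.1` / `1.0.0.1` are plain UDP/53 upstreams, so every query blocky forwards out of the LAN travels unencrypted and unauthenticated; blocky accepts DoT upstreams, so `- tcp-tls:1.1.1.1:853` / `- tcp-tls:1.0.0.1:853` is a drop-in replacement for the two lines. Second, `http.address: 0.0.0.0:4000` binds the unauthenticated REST API (which can enable or disable blocking and refresh lists) together with `/metrics` on every pod interface; the Service only publishes 53, but any pod in the cluster can still reach pod-IP:4000, so a NetworkPolicy admitting only the Prometheus scraper to 4000 belongs next to this file. Third, the LoadBalancer on `10.1.2.172` answers any client that can reach it, which is fine on a LAN-only segment but becomes an open recursive resolver if that address is ever routed from outside, so record the assumption above `service:` with `# LAN-only resolver: 10.1.2.172 must not be reachable from untrusted networks`. Finally, the `upstream.lan` group looks redundant with `conditional.mapping.lan`, which already forwards the .lan zone; confirm against the v0.24 docs whether a named upstream group is consulted at all without client-based group selection, and drop it if not.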
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: etcd
+ namespace: coredns
+ labels:
+ app.kubernetes.io/name: etcd
+ app.kubernetes.io/component: dns-backend
+spec:
+ serviceName: etcd
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: etcd
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: etcd
+ spec:
+ containers:
+ - name: etcd
+ image: quay.io/coreos/etcd:v3.5.17
+ ports:
+ - containerPort: 2379
+ name: client
+ - containerPort: 2380
+ name: peer
+ env:
+ - name: ETCD_DATA_DIR
+ value: /etcd-data
+ - name: ETCD_LISTEN_CLIENT_URLS
+ value: http://0.0.0.0:2379
+ - name: ETCD_ADVERTISE_CLIENT_URLS
+ value: http://etcd.coredns.svc.cluster.local:2379
+ - name: ETCD_LISTEN_PEER_URLS
+ value: http://0.0.0.0:2380
+ - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
+ value: http://etcd-0.etcd.coredns.svc.cluster.local:2380
+ - name: ETCD_INITIAL_CLUSTER
+ value: etcd-0=http://etcd-0.etcd.coredns.svc.cluster.local:2380
+ - name: ETCD_NAME
+ value: etcd-0
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ volumeMounts:
+ - name: etcd-data
+ mountPath: /etcd-data
+ volumeClaimTemplates:
+ - metadata:
+ name: etcd-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: etcd
+ namespace: coredns
+ labels:
+ app.kubernetes.io/name: etcd
+spec:
+ type: ClusterIP
+ ports:
+ - port: 2379
+ targetPort: 2379
+ name: client
+ - port: 2380
+ targetPort: 2380
+ name: peer
+ selector:
+ app.kubernetes.io/name: etcd
diff --git a/kubernetes/system/coredns/kustomization.yaml b/kubernetes/system/coredns/kustomization.yaml
new file mode 100644
index 0000000..89ed5e6
--- /dev/null
+++ b/kubernetes/system/coredns/kustomization.yaml
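Review bot: `ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379` with no client-certificate or user authentication configured, published cluster-wide through the `etcd` ClusterIP Service, means any workload in the cluster can write under the `/skydns` prefix the CoreDNS etcd plugin reads and thereby define or overwrite names served for the `lan` zone that blocky forwards to every LAN client. At minimum add a NetworkPolicy in this namespace that admits only the CoreDNS pods (plus whatever component is meant to publish records) to 2379 and nothing to 2380 — the single-member cluster (`replicas: 1`, one entry in `ETCD_INITIAL_CLUSTER`) needs no peer traffic from other pods; the stronger fix is TLS client-cert auth (`ETCD_CLIENT_CERT_AUTH=true`, `ETCD_TRUSTED_CA_FILE`, `ETCD_CERT_FILE`, `ETCD_KEY_FILE`) paired with the `tls` directive in the CoreDNS etcd plugin block. Separately, the container has no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, `capabilities: drop: [ALL]`) and the image is tag-pinned rather than digest-pinned, both cheap to fix on a store that defines DNS for the whole network. The policy below assumes the chart labels CoreDNS pods `app.kubernetes.io/name: coredns`; confirm against the rendered release before applying.

```yaml
# … unchanged: StatefulSet and Service documents above …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: etcd-client-access
  namespace: coredns
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: etcd
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: coredns  # TODO confirm label emitted by the CoreDNS chart
      ports:
        - protocol: TCP
          port: 2379
```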
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coredns
+resources:
+ - namespace.yaml
+ - repository.yaml
+ - release.yaml
+ - zone-configmap.yaml
+ - etcd.yaml
+secretGenerator:
+ - name: coredns-values
+ files:
+ - values.yaml=values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/system/coredns/kustomizeconfig.yaml b/kubernetes/system/coredns/kustomizeconfig.yaml
new file mode 100644
index 0000000..165ed1d
--- /dev/null
+++ b/kubernetes/system/coredns/kustomizeconfig.yaml
@@ -0,0 +1,6 @@
+nameReference:
+ - kind: HelmRepository
+ version: v1
+ fieldSpecs:
+ - path: spec/chart/spec/sourceRef/name
+ kind: HelmRelease
diff --git a/kubernetes/system/coredns/namespace.yaml b/kubernetes/system/coredns/namespace.yaml
new file mode 100644
index 0000000..48ff74f
--- /dev/null
+++ b/kubernetes/system/coredns/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: coredns
+ labels:
+ app.kubernetes.io/name: coredns
+ app.kubernetes.io/component: dns
diff --git a/kubernetes/system/coredns/release.yaml b/kubernetes/system/coredns/release.yaml
new file mode 100644
index 0000000..fba3593
--- /dev/null
+++ b/kubernetes/system/coredns/release.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: coredns
+ namespace: coredns
+spec:
+ interval: 1m
+ chart:
+ spec:
+ sourceRef:
+ kind: HelmRepository
+ name: coredns
+ namespace: coredns
+ chart: coredns
+ version: "1.x.x"
+ interval: 1m
+ valuesFrom:
+ - kind: Secret
+ name: coredns-values
diff --git a/kubernetes/system/coredns/repository.yaml b/kubernetes/system/coredns/repository.yaml
new file mode 100644
index 0000000..90413ce
--- /dev/null
+++ b/kubernetes/system/coredns/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: coredns
+ namespace: coredns
+spec:
+ interval: 1h
+ url: https://coredns.github.io/helm
diff --git a/kubernetes/system/coredns/values.yaml b/kubernetes/system/coredns/values.yaml
new file mode 100644
index 0000000..3763378
--- /dev/null
+++ b/kubernetes/system/coredns/values.yaml
@@ -0,0 +1,72 @@
+replicaCount: 1
+image:
+ repository: coredns/coredns
+ tag: 1.12.0
+ pullPolicy: IfNotPresent
+resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+serviceType: ClusterIP
+service:
+ annotations:
+ io.cilium/lb-ipam-ips: ""
+servers:
+ - zones:
+ - zone: .
+ port: 53
+ plugins:
+ - name: errors
+ - name: health
+ configBlock: lameduck 5s
+ - name: ready
+ - name: etcd
+ parameters: lan
+ configBlock: |-
+ path /skydns
+ endpoint http://etcd.coredns.svc.cluster.local:2379
+ - name: file
+ parameters: /etc/coredns/zones/lan.zone lan
+ configBlock: reload 10s
+ - name: cache
+ parameters: 30
+ - name: loadbalance
+ - name: log
+ configBlock: class error
+extraVolumeMounts:
+ - name: zone-config
+ mountPath: /etc/coredns/zones
+ readOnly: true
+extraVolumes:
+ - name: zone-config
+ configMap:
+ name: coredns-lan-zone
+sops:
+ lastmodified: "2026-05-02T09:18:53Z"
+ mac: ENC[AES256_GCM,data:gu19hSBFBBp516DyevduvKSHh1PAqGfBQQs1H2UdpyHHM5fueUYhJtbJxwvN8BIi9zT2GFIkcefP4VKcI+uD3+pdqpuzr9+T2im9jPj57aS0qFYRbzt7wLwkrYAE/U2fAW1uExfmIEoOKJP9StDvk5fUKnBxyAD5BmO1sc+nifo=,iv:w5Xl1KyfrynR+sHGMlwc0tYNRdI0O5+f5nFuq/R6UFQ=,tag:Gb7CvFP1CWTGkKaC2sHIQQ==,type:str]
+ pgp:
+ - created_at: "2026-05-02T09:18:51Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA7uy4qQr71wiARAAw7GQOytNOmyr2inudzYnI1/c5ttiTSGXJC+yXiH1vF8B
+ Rwu6RM/7y2/7NY7h4DeUo7kW8AtgMGsAG0hZ1vIY9NWacSLKfvNyHzHMVxaUgnqe
+ 4v62jC2HDLfB+NLe2L6oxKmi6ZtYq1hpEMzPTAVVz5fNCWMsepNAKPGc/yOB3Vm2
+ UzdXS/yIuiG/cWKnGXRnCx3cTZ0ypU6tw5Mxu2dyIn11su/B/T65NfsvZdWJ05gt
+ BGqSddI0pNPD3UmEivKD4zKB34MQFvtohsNLtPDrIzIRG/0Unx1Hzfm6MM1Atj3W
+ gCDkkYI8C5tgXbp7p2WI8WSvX/V6eF6Ueh6C8bMpGvGxIOaTMwfkskS8Anw6TCfj
+ uYVkJ7XYMVtvCILGmSIoSDNChFB0koOoUp2gbTtsWNvOrUQnOHsad55N+BN/5BiP
+ quXHHtluq4cGrZsVprdplz42qalJK9KxlZ6L7ydrJnMTU+E02sHOTJt6iwsI9XM+
+ 3ZscNIS4QvGJAb4tzzERaIo7jmRlX/YxKtcePNhV1TQUG3/5yrcMo2XXM8hn9Rk4
+ DEA79wtgnryA4TeqwKMLhIvCXFu5B/nYOtAHj/I4nhKazIVtwSXndboM6WD4xPfM
+ bf4lc4KuvvBu3rx2d2u+DOh3k+ebU9MBONQ3B1WLjOFOe8LUnbGCsN/2KfhRRw7S
+ XgFTna/svDiYYIF7sqpRHKY3qdJ39/GRrhI06QcYQHVGpbpPv9G/4K2K7p2G1fBH
+ zUZqfwLtTvwmpCE8ko+m8WWx5OMouTWiY4GXDGybQCkUa07EfgIkYK8IwqEDwlo=
+ =Ns+9
+ -----END PGP MESSAGE-----
+ fp: DC6910268E657FF70BA7EC289974494E76938DDC
+ encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+ version: 3.10.2
diff --git a/kubernetes/system/coredns/zone-configmap.yaml b/kubernetes/system/coredns/zone-configmap.yaml
new file mode 100644
index 0000000..bd92f91
--- /dev/null
+++ b/kubernetes/system/coredns/zone-configmap.yaml
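Review bot: Both `etcd` (`parameters: lan`) and `file` (`parameters: /etc/coredns/zones/lan.zone lan`) are declared authoritative for the same `lan` zone; CoreDNS dispatches by its compiled plugin order rather than the order written here, and as far as I recall `file` precedes `etcd` in that order and answers NXDOMAIN for names it does not hold without falling through, so records written to etcd under `/skydns` would never be served. Confirm by querying a name present only in etcd; if the intent is static records from the ConfigMap and dynamic ones from etcd, give them distinct zones (for example keep `file ... lan` and move the etcd plugin to a sub-zone such as `dyn.lan`) or consolidate on one backend. The etcd plugin also speaks plain HTTP to `etcd.coredns.svc.cluster.local:2379` with no `tls` or `credentials` directive, which is the consumer side of the unauthenticated store defined in kubernetes/system/coredns/etcd.yaml; the two files should be hardened together. Minor: `io.cilium/lb-ipam-ips: ""` is an empty LB-IPAM annotation on a `ClusterIP` service and can be dropped.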
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-lan-zone
+ namespace: coredns
+ labels:
+ app.kubernetes.io/name: coredns
+ app.kubernetes.io/component: dns-zone
+data:
+ lan.zone: |
+ $ORIGIN lan.
+ @ IN SOA ns.lan. admin.lan. (
+ 2024010101 ; serial
+ 3600 ; refresh
+ 1800 ; retry
+ 604800 ; expire
+ 86400 ) ; minimum
+ IN NS ns.lan.
+
+ ; Nameserver record
+ ns IN A 10.1.2.172
+
+ ; Static hosts
+ openwrt IN A 10.1.1.1
+
+ ; R740 and virtual machines
+ r740 IN A 10.1.1.223
+ bw-r740 IN A 10.1.2.233
+ kube-r740 IN A 10.1.2.171
+ docker-r740 IN A 10.1.2.212
+ truenas IN A 10.1.2.139
+
+ ; PVE
+ pve IN A 10.1.2.10
+ docker-homeprod IN A 10.1.2.12
+
+ ; Ligory
+ pve-ligory IN A 10.2.2.10
+ docker-ligory IN A 10.2.2.232
+
+ ; IoT
+ c210 IN A 10.1.1.106
+ elegoo-neptune-4pro IN A 10.1.1.155
+
+ ; docker-r740 services
+ esphome IN A 10.1.2.212
+ excalidraw IN A 10.1.2.212
+ gramps IN A 10.1.2.212
+ jackett IN A 10.1.2.212
+ jellyseerr IN A 10.1.2.212
+ mqtt IN A 10.1.2.212
+ n8n IN A 10.1.2.212
+ obsidian-livesync IN A 10.1.2.212
+ paperless IN A 10.1.2.212
+ proxy IN A 10.1.2.212
+ radarr IN A 10.1.2.212
+ radicale IN A 10.1.2.212
+ sonarr IN A 10.1.2.212
+ stirling-pdf IN A 10.1.2.212
+ syncthing-valentin IN A 10.1.2.212
+ tandoor IN A 10.1.2.212
+ traefik IN A 10.1.2.212
+ transmission IN A 10.1.2.212
+ tubearchivist IN A 10.1.2.212
+ webmail IN A 10.1.2.212
+ wizarr IN A 10.1.2.212
+ zigbee2mqtt IN A 10.1.2.212
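Review bot: The SOA serial is fixed at `2024010101` while the file plugin in kubernetes/system/coredns/values.yaml is configured with `reload 10s`; the CoreDNS file plugin re-reads a zone only when the SOA serial changes, so edits to this ConfigMap will not take effect until the pod restarts unless the serial is bumped in the same change. Make that contract visible with a comment above the SOA, `; bump the serial on every edit — the file plugin reloads only when it changes`, and consider an explicit `$TTL 3600` after `$ORIGIN lan.` so record TTLs do not depend on parser defaults. The twenty-odd service names at `10.1.2.212` duplicate the `docker-r740` address; `IN CNAME docker-r740` entries would leave one place to change when that host moves. This zone is also a plain-text inventory of every internal host and address, which is fine for a private repository but deserves a conscious decision if the repository is public.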