coredns, blocky: deploy coredns and blocky on kube

2026-05-06 08:41:30 +00:00 · 2026-05-02 11:19:08 +02:00
parent 47a86ddf27
commit 20a8963b64
16 changed files with 430 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -51,6 +51,8 @@ updates:
      - "/kubernetes/personal/notesnook"
      - "/kubernetes/personal/photoprism"
      - "/kubernetes/production/umami"
+      - "/kubernetes/system/blocky"
+      - "/kubernetes/system/coredns"
      - "/kubernetes/system/csi-driver-nfs"
      - "/kubernetes/system/external-dns"
      - "/kubernetes/system/traefik"
--- a/kubernetes/system/blocky/kustomization.yaml
+++ b/kubernetes/system/blocky/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: blocky
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+secretGenerator:
+  - name: blocky-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
--- a/kubernetes/system/blocky/kustomizeconfig.yaml
+++ b/kubernetes/system/blocky/kustomizeconfig.yaml
@@ -0,0 +1,6 @@
+nameReference:
+  - kind: HelmRepository
+    version: v1
+    fieldSpecs:
+      - path: spec/chart/spec/sourceRef/name
+        kind: HelmRelease
--- a/kubernetes/system/blocky/namespace.yaml
+++ b/kubernetes/system/blocky/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: blocky
+  labels:
+    app.kubernetes.io/name: blocky
+    app.kubernetes.io/component: dns
--- a/kubernetes/system/blocky/release.yaml
+++ b/kubernetes/system/blocky/release.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: blocky
+  namespace: blocky
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: blocky
+        namespace: blocky
+      chart: blocky
+      version: "0.x.x"
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: blocky-values
--- a/kubernetes/system/blocky/repository.yaml
+++ b/kubernetes/system/blocky/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: blocky
+  namespace: blocky
+spec:
+  interval: 1h
+  url: https://0xerr0r.github.io/blocky
--- a/kubernetes/system/blocky/values.yaml
+++ b/kubernetes/system/blocky/values.yaml
@@ -0,0 +1,101 @@
+replicaCount: 1
+image:
+    repository: ghcr.io/0xerr0r/blocky
+    tag: v0.24
+    pullPolicy: IfNotPresent
+service:
+    type: LoadBalancer
+    annotations:
+        io.cilium/lb-ipam-ips: 10.1.2.172
+    ports:
+        dns:
+            port: 53
+            protocol: UDP
+        dns-tcp:
+            port: 53
+            protocol: TCP
+resources:
+    limits:
+        cpu: 200m
+        memory: 256Mi
+    requests:
+        cpu: 50m
+        memory: 64Mi
+config:
+    upstream:
+        default:
+            - 1.1.1.1
+            - 1.0.0.1
+        # Conditional forwarding for .lan zone to CoreDNS
+        lan:
+            - coredns.coredns.svc.cluster.local
+    conditional:
+        mapping:
+            lan: coredns.coredns.svc.cluster.local
+    blocking:
+        # Whitelist - domains that should never be blocked
+        whiteLists:
+            ads:
+                - dealabs.digidip.net
+                - s.click.aliexpress.com
+                - fonts.googleapis.com
+                - fonts.gstatic.com
+                - wl.spotify.com
+                - www.googleadservices.com
+        # Blocklists
+        blackLists:
+            ads:
+                - https://big.oisd.nl/
+                - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+                - https://adaway.org/hosts.txt
+        # Block all query types for blocked domains
+        blockType: any
+        # Refresh blocklists every 4 hours
+        refreshPeriod: 4h
+        # Download timeout for blocklists
+        downloadTimeout: 60s
+    # DNS caching
+    caching:
+        minTime: 5m
+        maxTime: 30m
+        prefetching: true
+        prefetchExpires: 2h
+        prefetchThreshold: 5
+    # Prometheus metrics
+    prometheus:
+        enabled: true
+        path: /metrics
+    # Logging
+    log:
+        level: info
+        format: text
+        timestamp: true
+    # HTTP API for web UI and API
+    http:
+        address: 0.0.0.0:4000
+sops:
+    lastmodified: "2026-05-02T09:18:55Z"
+    mac: ENC[AES256_GCM,data:IDPC5eGBYJRslmWBDyVMV4Hee2wWXiXqsn0hVKLdq9aP5DCqNT9tAUvm/v8+EyU/zNIQwwJq4iTlpvh+bJ1VVnbGBKAWoviCOtQdF8I2TR0iBFERP0KUEb96HoCyZBGgaaaIcsMbu0btdcJP6H0438jZdx7W/xmXKpLtlfad/B4=,iv:l7a2hRF8czlWE3iucxHL0L5edBe/aVW+PgTl3H26J+I=,tag:tYsBcwp1ySLYADbKuBVxKw==,type:str]
+    pgp:
+        - created_at: "2026-05-02T09:18:53Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ//fnWp8+ny12XyIJoWgC3YHF3gg+1QlkTozBxyEHzTHTlp
+            GFPDZGzzX4KFwLwIeDV4rQMYVyvQ4mz8LqPI8tw/421GfhW32hFo+IqzvlEdfwyl
+            y/sJVrBs8vRqZTHsWpkel2P1qwhdN42jvFGKSeP04SHZGjYBQnGWI10nUH9NTU3I
+            8QD3P8J0+OiGBrbOyRGsbis6SVcqQJTwLsQkpY0gLpiu6RcIh2FF97jNFPr2gxby
+            AVtPP5JPToS/rIlJIvj5+B/VF6ayauZkrOsn26eyzlBVh425PfVc1UbDgtXv1HWW
+            HDef/QHQmK1ipTsH4U6cycY0l/y1eR4/OIAEgYce13BLFAPotIqJnsCxmTTLIsh+
+            ZaS3JnrRVo+63nGiakAJFitkLna3dwHXC5nB7DgKpbfuDjJDwhmOvcf7c9KtnImg
+            CrWNVOtE66caq6N242pmQhV45sM/U51OAXGF3ONXoNgHdvFDN07jM9csxsLIT4mo
+            pbsQhwrpbpy9JNYuJOEfuXWtWf95b2ISH7FruKQS4AEcrMqT5DrfrK+Ez8Weuftd
+            TQn0eg2CsB1o7uJX1/vb7sLeRfzImxi7X0lS6b/4xPamUJemnFi4rSgxohgAIxLo
+            Inur9D2rwLE/Yfm/LdPb8vltYNpeJhOPZo/zC85QlTRwDpxfBDSo4ehhho+zgJ/S
+            XgFX8ZIUaRomYa8F9soY5QBUqlg3tzBBs3QN9EEl1qM89wcjjnm5U79jpT+zPTEp
+            rDnSl7EDaEmYFnwOM8QQsCk56fGVHL3PyaLtXq6go0xjYONUM6DOhcRCF5QizUQ=
+            =K+43
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2
--- a/kubernetes/system/cilium/pool.yaml
+++ b/kubernetes/system/cilium/pool.yaml
@@ -5,3 +5,4 @@ metadata:
 spec:
  blocks:
  - cidr: "10.1.2.171/32"
+  - cidr: "10.1.2.172/32"
--- a/kubernetes/system/coredns/etcd.yaml
+++ b/kubernetes/system/coredns/etcd.yaml
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: etcd
+  namespace: coredns
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: dns-backend
+spec:
+  serviceName: etcd
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: etcd
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: etcd
+    spec:
+      containers:
+        - name: etcd
+          image: quay.io/coreos/etcd:v3.5.17
+          ports:
+            - containerPort: 2379
+              name: client
+            - containerPort: 2380
+              name: peer
+          env:
+            - name: ETCD_DATA_DIR
+              value: /etcd-data
+            - name: ETCD_LISTEN_CLIENT_URLS
+              value: http://0.0.0.0:2379
+            - name: ETCD_ADVERTISE_CLIENT_URLS
+              value: http://etcd.coredns.svc.cluster.local:2379
+            - name: ETCD_LISTEN_PEER_URLS
+              value: http://0.0.0.0:2380
+            - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
+              value: http://etcd-0.etcd.coredns.svc.cluster.local:2380
+            - name: ETCD_INITIAL_CLUSTER
+              value: etcd-0=http://etcd-0.etcd.coredns.svc.cluster.local:2380
+            - name: ETCD_NAME
+              value: etcd-0
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
+          volumeMounts:
+            - name: etcd-data
+              mountPath: /etcd-data
+  volumeClaimTemplates:
+    - metadata:
+        name: etcd-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd
+  namespace: coredns
+  labels:
+    app.kubernetes.io/name: etcd
+spec:
+  type: ClusterIP
+  ports:
+    - port: 2379
+      targetPort: 2379
+      name: client
+    - port: 2380
+      targetPort: 2380
+      name: peer
+  selector:
+    app.kubernetes.io/name: etcd
--- a/kubernetes/system/coredns/kustomization.yaml
+++ b/kubernetes/system/coredns/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coredns
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - zone-configmap.yaml
+  - etcd.yaml
+secretGenerator:
+  - name: coredns-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml
--- a/kubernetes/system/coredns/kustomizeconfig.yaml
+++ b/kubernetes/system/coredns/kustomizeconfig.yaml
@@ -0,0 +1,6 @@
+nameReference:
+  - kind: HelmRepository
+    version: v1
+    fieldSpecs:
+      - path: spec/chart/spec/sourceRef/name
+        kind: HelmRelease
--- a/kubernetes/system/coredns/namespace.yaml
+++ b/kubernetes/system/coredns/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coredns
+  labels:
+    app.kubernetes.io/name: coredns
+    app.kubernetes.io/component: dns
--- a/kubernetes/system/coredns/release.yaml
+++ b/kubernetes/system/coredns/release.yaml
@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: coredns
+  namespace: coredns
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: coredns
+        namespace: coredns
+      chart: coredns
+      version: "1.x.x"
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: coredns-values
--- a/kubernetes/system/coredns/repository.yaml
+++ b/kubernetes/system/coredns/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: coredns
+  namespace: coredns
+spec:
+  interval: 1h
+  url: https://coredns.github.io/helm
--- a/kubernetes/system/coredns/values.yaml
+++ b/kubernetes/system/coredns/values.yaml
@@ -0,0 +1,72 @@
+replicaCount: 1
+image:
+    repository: coredns/coredns
+    tag: 1.12.0
+    pullPolicy: IfNotPresent
+resources:
+    limits:
+        cpu: 100m
+        memory: 128Mi
+    requests:
+        cpu: 50m
+        memory: 64Mi
+serviceType: ClusterIP
+service:
+    annotations:
+        io.cilium/lb-ipam-ips: ""
+servers:
+    - zones:
+        - zone: .
+      port: 53
+      plugins:
+        - name: errors
+        - name: health
+          configBlock: lameduck 5s
+        - name: ready
+        - name: etcd
+          parameters: lan
+          configBlock: |-
+            path /skydns
+            endpoint http://etcd.coredns.svc.cluster.local:2379
+        - name: file
+          parameters: /etc/coredns/zones/lan.zone lan
+          configBlock: reload 10s
+        - name: cache
+          parameters: 30
+        - name: loadbalance
+        - name: log
+          configBlock: class error
+extraVolumeMounts:
+    - name: zone-config
+      mountPath: /etc/coredns/zones
+      readOnly: true
+extraVolumes:
+    - name: zone-config
+      configMap:
+        name: coredns-lan-zone
+sops:
+    lastmodified: "2026-05-02T09:18:53Z"
+    mac: ENC[AES256_GCM,data:gu19hSBFBBp516DyevduvKSHh1PAqGfBQQs1H2UdpyHHM5fueUYhJtbJxwvN8BIi9zT2GFIkcefP4VKcI+uD3+pdqpuzr9+T2im9jPj57aS0qFYRbzt7wLwkrYAE/U2fAW1uExfmIEoOKJP9StDvk5fUKnBxyAD5BmO1sc+nifo=,iv:w5Xl1KyfrynR+sHGMlwc0tYNRdI0O5+f5nFuq/R6UFQ=,tag:Gb7CvFP1CWTGkKaC2sHIQQ==,type:str]
+    pgp:
+        - created_at: "2026-05-02T09:18:51Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiARAAw7GQOytNOmyr2inudzYnI1/c5ttiTSGXJC+yXiH1vF8B
+            Rwu6RM/7y2/7NY7h4DeUo7kW8AtgMGsAG0hZ1vIY9NWacSLKfvNyHzHMVxaUgnqe
+            4v62jC2HDLfB+NLe2L6oxKmi6ZtYq1hpEMzPTAVVz5fNCWMsepNAKPGc/yOB3Vm2
+            UzdXS/yIuiG/cWKnGXRnCx3cTZ0ypU6tw5Mxu2dyIn11su/B/T65NfsvZdWJ05gt
+            BGqSddI0pNPD3UmEivKD4zKB34MQFvtohsNLtPDrIzIRG/0Unx1Hzfm6MM1Atj3W
+            gCDkkYI8C5tgXbp7p2WI8WSvX/V6eF6Ueh6C8bMpGvGxIOaTMwfkskS8Anw6TCfj
+            uYVkJ7XYMVtvCILGmSIoSDNChFB0koOoUp2gbTtsWNvOrUQnOHsad55N+BN/5BiP
+            quXHHtluq4cGrZsVprdplz42qalJK9KxlZ6L7ydrJnMTU+E02sHOTJt6iwsI9XM+
+            3ZscNIS4QvGJAb4tzzERaIo7jmRlX/YxKtcePNhV1TQUG3/5yrcMo2XXM8hn9Rk4
+            DEA79wtgnryA4TeqwKMLhIvCXFu5B/nYOtAHj/I4nhKazIVtwSXndboM6WD4xPfM
+            bf4lc4KuvvBu3rx2d2u+DOh3k+ebU9MBONQ3B1WLjOFOe8LUnbGCsN/2KfhRRw7S
+            XgFTna/svDiYYIF7sqpRHKY3qdJ39/GRrhI06QcYQHVGpbpPv9G/4K2K7p2G1fBH
+            zUZqfwLtTvwmpCE8ko+m8WWx5OMouTWiY4GXDGybQCkUa07EfgIkYK8IwqEDwlo=
+            =Ns+9
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2
--- a/kubernetes/system/coredns/zone-configmap.yaml
+++ b/kubernetes/system/coredns/zone-configmap.yaml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-lan-zone
+  namespace: coredns
+  labels:
+    app.kubernetes.io/name: coredns
+    app.kubernetes.io/component: dns-zone
+data:
+  lan.zone: |
+    $ORIGIN lan.
+    @       IN  SOA ns.lan. admin.lan. (
+                    2024010101 ; serial
+                    3600       ; refresh
+                    1800       ; retry
+                    604800     ; expire
+                    86400 )    ; minimum
+            IN  NS  ns.lan.
+    
+    ; Nameserver record
+    ns            IN  A   10.1.2.172
+    
+    ; Static hosts
+    openwrt         IN  A   10.1.1.1
+
+    ; R740 and virtual machines
+    r740            IN  A   10.1.1.223
+    bw-r740         IN  A   10.1.2.233
+    kube-r740       IN  A   10.1.2.171
+    docker-r740     IN  A   10.1.2.212
+    truenas         IN  A   10.1.2.139
+
+    ; PVE
+    pve             IN  A   10.1.2.10
+    docker-homeprod IN  A   10.1.2.12
+
+    ; Ligory
+    pve-ligory      IN  A   10.2.2.10
+    docker-ligory   IN  A   10.2.2.232
+
+    ; IoT
+    c210            IN  A   10.1.1.106
+    elegoo-neptune-4pro IN  A  10.1.1.155
+
+    ; docker-r740 services
+    esphome         IN  A   10.1.2.212
+    excalidraw      IN  A   10.1.2.212
+    gramps          IN  A   10.1.2.212
+    jackett         IN  A   10.1.2.212
+    jellyseerr      IN  A   10.1.2.212
+    mqtt            IN  A   10.1.2.212
+    n8n             IN  A   10.1.2.212
+    obsidian-livesync IN  A   10.1.2.212
+    paperless       IN  A   10.1.2.212
+    proxy           IN  A   10.1.2.212
+    radarr          IN  A   10.1.2.212
+    radicale        IN  A   10.1.2.212
+    sonarr          IN  A   10.1.2.212
+    stirling-pdf    IN  A   10.1.2.212
+    syncthing-valentin IN  A   10.1.2.212
+    tandoor         IN  A   10.1.2.212
+    traefik         IN  A   10.1.2.212
+    transmission    IN  A   10.1.2.212
+    tubearchivist   IN  A   10.1.2.212
+    webmail         IN  A   10.1.2.212
+    wizarr          IN  A   10.1.2.212
+    zigbee2mqtt     IN  A   10.1.2.212