380 lines
8.7 KiB
YAML
380 lines
8.7 KiB
YAML
image:
|
|
# repository: spx01/blocky
|
|
# tag: development@sha256:ddb35986cbc924de11cd37ccf625ff6bd0896fad456e57ee9c0bd67bd034770e
|
|
repository: tccr.io/truecharts/blocky
|
|
tag: v0.19@sha256:77a474542f12f480deca33ff0a6375846918b86988c13f858620839d8818ca84
|
|
pullPolicy: IfNotPresent
|
|
|
|
WebUIImage:
|
|
repository: tccr.io/truecharts/blocky-frontend
|
|
tag: v0.0.3@sha256:81058f20520dcdb80c9883b6f21b338446fefc333e3ca8bd7d17336a24a5d842
|
|
pullPolicy: IfNotPresent
|
|
|
|
k8sgatewayImage:
|
|
repository: tccr.io/truecharts/k8s_gateway
|
|
pullPolicy: IfNotPresent
|
|
tag: 0.3.3@sha256:246e7006afaf57a398b02e417a31d6f14fb43562901388772778f60be586b807
|
|
|
|
controller:
|
|
# -- Set additional annotations on the deployment/statefulset/daemonset
|
|
# -- Number of desired pods
|
|
replicas: 2
|
|
# -- Set the controller upgrade strategy
|
|
# For Deployments, valid values are Recreate (default) and RollingUpdate.
|
|
# For StatefulSets, valid values are OnDelete and RollingUpdate (default).
|
|
# DaemonSets ignore this.
|
|
strategy: RollingUpdate
|
|
|
|
# -- Blocky Config File content
|
|
blockyConfig: {}
|
|
# upstream:
|
|
# default:
|
|
# - 1.1.1.1
|
|
|
|
# -- Configures blocky webUI
|
|
# Requires apiURL or ingress
|
|
webUI:
|
|
# -- Enable the WebUI
|
|
enabled: true
|
|
# -- url to the api, used by the WebUI. Only required when not using ingress
|
|
apiURL: "127.0.0.1:4000"
|
|
|
|
# -- some general blocky settings
|
|
blocky:
|
|
# -- Enable prometheus annotations
|
|
enablePrometheus: true
|
|
|
|
probes:
|
|
liveness:
|
|
enabled: false
|
|
# TODO: Enable after v0.20 is released.
|
|
# Current version does not include the healthcheck command
|
|
# enabled: true
|
|
# custom: true
|
|
# spec:
|
|
# exec:
|
|
# command:
|
|
# - /app/blocky
|
|
# - healthcheck
|
|
readiness:
|
|
enabled: false
|
|
# TODO: Enable after v0.20 is released.
|
|
# Current version does not include the healthcheck command
|
|
# enabled: true
|
|
# custom: true
|
|
# spec:
|
|
# exec:
|
|
# command:
|
|
# - /app/blocky
|
|
# - healthcheck
|
|
startup:
|
|
enabled: false
|
|
# TODO: Enable after v0.20 is released.
|
|
# Current version does not include the healthcheck command
|
|
# enabled: true
|
|
# custom: true
|
|
# spec:
|
|
# exec:
|
|
# command:
|
|
# - /app/blocky
|
|
# - healthcheck
|
|
|
|
service:
|
|
main:
|
|
ports:
|
|
main:
|
|
port: 10315
|
|
protocol: HTTP
|
|
targetPort: 80
|
|
dnstcp:
|
|
enabled: true
|
|
ports:
|
|
dnstcp:
|
|
enabled: true
|
|
port: 53
|
|
targetPort: 53
|
|
dnsudp:
|
|
enabled: true
|
|
ports:
|
|
dnsudp:
|
|
enabled: true
|
|
port: 53
|
|
protocol: UDP
|
|
targetPort: 53
|
|
dot:
|
|
enabled: true
|
|
ports:
|
|
dot:
|
|
enabled: true
|
|
port: 853
|
|
protocol: TCP
|
|
targetPort: 853
|
|
http:
|
|
enabled: true
|
|
ports:
|
|
http:
|
|
enabled: true
|
|
port: 4000
|
|
protocol: HTTP
|
|
targetPort: 4000
|
|
https:
|
|
enabled: true
|
|
ports:
|
|
https:
|
|
enabled: true
|
|
port: 4443
|
|
protocol: HTTPS
|
|
targetPort: 4443
|
|
k8sgateway:
|
|
enabled: true
|
|
ports:
|
|
k8sgateway:
|
|
enabled: true
|
|
port: 5353
|
|
protocol: UDP
|
|
targetPort: 5353
|
|
|
|
## TODO Add support for SCALE certificates and certificates secrets here
|
|
certFile: ""
|
|
keyFile: ""
|
|
logLevel: info
|
|
logFormat: text
|
|
logTimestamp: true
|
|
logPrivacy: false
|
|
dohUserAgent: ""
|
|
minTlsServeVersion: 1.2
|
|
|
|
# -- set the default DNS upstream servers
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
defaultUpstreams:
|
|
- 1.1.1.1
|
|
- 1.0.0.1
|
|
- 8.8.8.8
|
|
- 8.8.4.4
|
|
- 9.9.9.9
|
|
- 149.112.112.112
|
|
- 208.67.222.222
|
|
- 208.67.220.220
|
|
- 8.26.56.26
|
|
- 8.20.247.20
|
|
- 185.228.168.9
|
|
- 185.228.169.9
|
|
- 76.76.19.19
|
|
- 76.223.122.150
|
|
- 76.76.2.0
|
|
- 76.76.10.0
|
|
|
|
# -- set additional upstreams
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
upstreams:
|
|
# - name: group2
|
|
# dnsservers:
|
|
# - 1.1.1.1
|
|
|
|
# -- set bootstrap dns (not needed)
|
|
# Ensures bootstrap encryption and ensure it doesn't use k8s dns
|
|
bootstrapDns:
|
|
# -- Upstream
|
|
upstream: ""
|
|
# -- IP's linked to upstream DoT/DoH DNS name
|
|
ips: []
|
|
|
|
# -- Return empty answer for these queries
|
|
filtering:
|
|
# -- Ensures filtering by query type
|
|
queryTypes: []
|
|
|
|
# -- Set manual custom DNS resolution
|
|
customDNS:
|
|
customTTL: 1h
|
|
filterUnmappedTypes: true
|
|
rewrite: []
|
|
# - in: something.com
|
|
# out: somethingelse.com
|
|
mapping: []
|
|
# - domain: something.com
|
|
# dnsserver: 192.168.178.1
|
|
|
|
# -- Setup client-name lookup
|
|
clientLookup:
|
|
# -- upstream used for client-name lookup
|
|
upstream: ""
|
|
singleNameOrder: []
|
|
clients:
|
|
# - domain: laptop
|
|
# ips: []
|
|
|
|
# -- Setup caching
|
|
caching:
|
|
minTime: 5m
|
|
maxTime: 30m
|
|
maxItemsCount: 0
|
|
prefetching: false
|
|
prefetchExpires: 2h
|
|
prefetchThreshold: 5
|
|
prefetchMaxItemsCount: 0
|
|
cacheTimeNegative: 30m
|
|
|
|
# -- set conditional settings
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
conditional:
|
|
rewrite: []
|
|
# - in: something.com
|
|
# out: somethingelse.com
|
|
mapping: []
|
|
# - domain: something.com
|
|
# dnsserver: 192.168.178.1
|
|
|
|
# -- set blocking settings using Lists
|
|
# Primarily designed for inclusion in the TrueNAS SCALE GUI
|
|
blocking:
|
|
# -- Sets the blocktype
|
|
blockType: nxDomain
|
|
# -- Sets the block ttl
|
|
blockTTL: 6h
|
|
# -- Sets the block refreshPeriod
|
|
refreshPeriod: 4h
|
|
# -- Sets the block download timeout
|
|
downloadTimeout: 60s
|
|
# -- Sets the block download attempt count
|
|
downloadAttempts: 3
|
|
# -- Sets the block download cooldown
|
|
downloadCooldown: 2s
|
|
# -- Set to fail start of lists cannot be downloaded
|
|
failStartOnListError: false
|
|
# -- Sets how many list-groups can be processed at the same time
|
|
processingConcurrency: 4
|
|
# -- Add blocky whitelists
|
|
whitelist: []
|
|
# - name: ads
|
|
# lists:
|
|
# - https://someurl.com/list.txt
|
|
# - /somefile.txt
|
|
|
|
# -- Blocky blacklists
|
|
blacklist: []
|
|
# - name: ads
|
|
# lists:
|
|
# - https://someurl.com/list.txt
|
|
# - /somefile.txt
|
|
|
|
# -- Blocky clientGroupsBlock
|
|
clientGroupsBlock: []
|
|
# - name: default
|
|
# groups:
|
|
# - ads
|
|
|
|
# -- configure using hostsfile for lookups
|
|
# Allows for using the hosts configured in kubernetes and such
|
|
hostsFile:
|
|
enabled: false
|
|
filePath: /etc/hosts
|
|
hostsTTL: 60m
|
|
refreshPeriod: 30m
|
|
|
|
## TODO: add this with postgresql support as well
|
|
# queryLog:
|
|
# type: csv
|
|
# target: /logs
|
|
# logRetentionDays: 0
|
|
# creationAttempts: 3
|
|
# CreationCooldown: 2
|
|
|
|
portal:
|
|
enabled: true
|
|
|
|
serviceAccount:
|
|
main:
|
|
# -- Specifies whether a service account should be created
|
|
enabled: true
|
|
|
|
# -- Create a ClusterRole and ClusterRoleBinding
|
|
# @default -- See below
|
|
rbac:
|
|
main:
|
|
# -- Enables or disables the ClusterRole and ClusterRoleBinding
|
|
enabled: true
|
|
|
|
# -- Set Rules on the ClusterRole
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
- namespaces
|
|
verbs:
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- list
|
|
- watch
|
|
|
|
k8sgateway:
|
|
enabled: true
|
|
# -- TTL for non-apex responses (in seconds)
|
|
ttl: 300
|
|
|
|
# -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"]
|
|
watchedResources: []
|
|
|
|
# -- Service name of a secondary DNS server (should be `serviceName.namespace`)
|
|
secondary: ""
|
|
|
|
# -- Override the default `serviceName.namespace` domain apex
|
|
apex: ""
|
|
|
|
# -- list of processed domains
|
|
domains: []
|
|
# -- Delegated domain
|
|
# - domain: "example.com"
|
|
# # -- Optional configuration option for DNS01 challenge that will redirect all acme
|
|
# # challenge requests to external cloud domain (e.g. managed by cert-manager)
|
|
# # See: https://cert-manager.io/docs/configuration/acme/dns01/
|
|
# dnsChallenge:
|
|
# enabled: false
|
|
# domain: dns01.clouddns.com
|
|
|
|
forward:
|
|
enabled: false
|
|
primary: tls://1.1.1.1
|
|
secondary: tls://1.0.0.1
|
|
options:
|
|
- name: tls_servername
|
|
value: cloudflare-dns.com
|
|
|
|
metrics:
|
|
# -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
|
|
# @default -- See values.yaml
|
|
enabled: true
|
|
serviceMonitor:
|
|
interval: 1m
|
|
scrapeTimeout: 30s
|
|
labels: {}
|
|
# -- Enable and configure Prometheus Rules for the chart under this key.
|
|
# @default -- See values.yaml
|
|
prometheusRule:
|
|
enabled: false
|
|
labels: {}
|
|
# -- Configure additionial rules for the chart under this key.
|
|
# @default -- See prometheusrules.yaml
|
|
rules:
|
|
[]
|
|
# - alert: UnifiPollerAbsent
|
|
# annotations:
|
|
# description: Unifi Poller has disappeared from Prometheus service discovery.
|
|
# summary: Unifi Poller is down.
|
|
# expr: |
|
|
# absent(up{job=~".*unifi-poller.*"} == 1)
|
|
# for: 5m
|
|
# labels:
|
|
# severity: critical
|
|
|
|
redis:
|
|
enabled: true
|
|
existingSecret: "rediscreds"
|