image: # repository: spx01/blocky # tag: development@sha256:ddb35986cbc924de11cd37ccf625ff6bd0896fad456e57ee9c0bd67bd034770e repository: tccr.io/truecharts/blocky tag: v0.19@sha256:77a474542f12f480deca33ff0a6375846918b86988c13f858620839d8818ca84 pullPolicy: IfNotPresent WebUIImage: repository: tccr.io/truecharts/blocky-frontend tag: v0.0.3@sha256:81058f20520dcdb80c9883b6f21b338446fefc333e3ca8bd7d17336a24a5d842 pullPolicy: IfNotPresent k8sgatewayImage: repository: tccr.io/truecharts/k8s_gateway pullPolicy: IfNotPresent tag: 0.3.2@sha256:594fd6990eb2e0af1df7df8ba76cb3ca66232f46c5df5ebf786a45dd19777ae5 controller: # -- Set additional annotations on the deployment/statefulset/daemonset # -- Number of desired pods replicas: 2 # -- Set the controller upgrade strategy # For Deployments, valid values are Recreate (default) and RollingUpdate. # For StatefulSets, valid values are OnDelete and RollingUpdate (default). # DaemonSets ignore this. strategy: RollingUpdate # -- Blocky Config File content blockyConfig: {} # upstream: # default: # - 1.1.1.1 # -- Configures blocky webUI # Requires apiURL or ingress webUI: # -- Enable the WebUI enabled: true # -- url to the api, used by the WebUI. Only required when not using ingress apiURL: "127.0.0.1:4000" # -- some general blocky settings blocky: # -- Enable prometheus annotations enablePrometheus: true probes: liveness: enabled: false # TODO: Enable after v0.20 is released. # Current version does not include the healthcheck command # enabled: true # custom: true # spec: # exec: # command: # - /app/blocky # - healthcheck readiness: enabled: false # TODO: Enable after v0.20 is released. # Current version does not include the healthcheck command # enabled: true # custom: true # spec: # exec: # command: # - /app/blocky # - healthcheck startup: enabled: false # TODO: Enable after v0.20 is released. # Current version does not include the healthcheck command # enabled: true # custom: true # spec: # exec: # command: # - /app/blocky # - healthcheck service: main: ports: main: port: 10315 protocol: HTTP targetPort: 80 dnstcp: enabled: true ports: dnstcp: enabled: true port: 53 targetPort: 53 dnsudp: enabled: true ports: dnsudp: enabled: true port: 53 protocol: UDP targetPort: 53 dot: enabled: true ports: dot: enabled: true port: 853 protocol: TCP targetPort: 853 http: enabled: true ports: http: enabled: true port: 4000 protocol: HTTP targetPort: 4000 https: enabled: true ports: https: enabled: true port: 4443 protocol: HTTPS targetPort: 4443 k8sgateway: enabled: true ports: k8sgateway: enabled: true port: 5353 protocol: UDP targetPort: 5353 ## TODO Add support for SCALE certificates and certificates secrets here certFile: "" keyFile: "" logLevel: info logFormat: text logTimestamp: true logPrivacy: false dohUserAgent: "" minTlsServeVersion: 1.2 # -- set the default DNS upstream servers # Primarily designed for inclusion in the TrueNAS SCALE GUI defaultUpstreams: - 1.1.1.1 - 1.0.0.1 - 8.8.8.8 - 8.8.4.4 - 9.9.9.9 - 149.112.112.112 - 208.67.222.222 - 208.67.220.220 - 8.26.56.26 - 8.20.247.20 - 185.228.168.9 - 185.228.169.9 - 76.76.19.19 - 76.223.122.150 - 76.76.2.0 - 76.76.10.0 # -- set additional upstreams # Primarily designed for inclusion in the TrueNAS SCALE GUI upstreams: # - name: group2 # dnsservers: # - 1.1.1.1 # -- set bootstrap dns (not needed) # Ensures bootstrap encryption and ensure it doesn't use k8s dns bootstrapDns: # -- Upstream upstream: "" # -- IP's linked to upstream DoT/DoH DNS name ips: [] # -- Return empty answer for these queries filtering: # -- Ensures filtering by query type queryTypes: [] # -- Set manual custom DNS resolution customDNS: customTTL: 1h filterUnmappedTypes: true rewrite: [] # - in: something.com # out: somethingelse.com mapping: [] # - domain: something.com # dnsserver: 192.168.178.1 # -- Setup client-name lookup clientLookup: # -- upstream used for client-name lookup upstream: "" singleNameOrder: [] clients: # - domain: laptop # ips: [] # -- Setup caching caching: minTime: 5m maxTime: 30m maxItemsCount: 0 prefetching: false prefetchExpires: 2h prefetchThreshold: 5 prefetchMaxItemsCount: 0 cacheTimeNegative: 30m # -- set conditional settings # Primarily designed for inclusion in the TrueNAS SCALE GUI conditional: rewrite: [] # - in: something.com # out: somethingelse.com mapping: [] # - domain: something.com # dnsserver: 192.168.178.1 # -- set blocking settings using Lists # Primarily designed for inclusion in the TrueNAS SCALE GUI blocking: # -- Sets the blocktype blockType: nxDomain # -- Sets the block ttl blockTTL: 6h # -- Sets the block refreshPeriod refreshPeriod: 4h # -- Sets the block download timeout downloadTimeout: 60s # -- Sets the block download attempt count downloadAttempts: 3 # -- Sets the block download cooldown downloadCooldown: 2s # -- Set to fail start of lists cannot be downloaded failStartOnListError: false # -- Sets how many list-groups can be processed at the same time processingConcurrency: 4 # -- Add blocky whitelists whitelist: [] # - name: ads # lists: # - https://someurl.com/list.txt # - /somefile.txt # -- Blocky blacklists blacklist: [] # - name: ads # lists: # - https://someurl.com/list.txt # - /somefile.txt # -- Blocky clientGroupsBlock clientGroupsBlock: [] # - name: default # groups: # - ads # -- configure using hostsfile for lookups # Allows for using the hosts configured in kubernetes and such hostsFile: enabled: false filePath: /etc/hosts hostsTTL: 60m refreshPeriod: 30m ## TODO: add this with postgresql support as well # queryLog: # type: csv # target: /logs # logRetentionDays: 0 # creationAttempts: 3 # CreationCooldown: 2 portal: enabled: true serviceAccount: main: # -- Specifies whether a service account should be created enabled: true # -- Create a ClusterRole and ClusterRoleBinding # @default -- See below rbac: main: # -- Enables or disables the ClusterRole and ClusterRoleBinding enabled: true # -- Set Rules on the ClusterRole rules: - apiGroups: - "" resources: - services - namespaces verbs: - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses verbs: - list - watch k8sgateway: enabled: true # -- TTL for non-apex responses (in seconds) ttl: 300 # -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"] watchedResources: [] # -- Service name of a secondary DNS server (should be `serviceName.namespace`) secondary: "" # -- Override the default `serviceName.namespace` domain apex apex: "" # -- list of processed domains domains: [] # -- Delegated domain # - domain: "example.com" # # -- Optional configuration option for DNS01 challenge that will redirect all acme # # challenge requests to external cloud domain (e.g. managed by cert-manager) # # See: https://cert-manager.io/docs/configuration/acme/dns01/ # dnsChallenge: # enabled: false # domain: dns01.clouddns.com forward: enabled: false primary: tls://1.1.1.1 secondary: tls://1.0.0.1 options: - name: tls_servername value: cloudflare-dns.com metrics: # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. # @default -- See values.yaml enabled: true serviceMonitor: interval: 1m scrapeTimeout: 30s labels: {} # -- Enable and configure Prometheus Rules for the chart under this key. # @default -- See values.yaml prometheusRule: enabled: false labels: {} # -- Configure additionial rules for the chart under this key. # @default -- See prometheusrules.yaml rules: [] # - alert: UnifiPollerAbsent # annotations: # description: Unifi Poller has disappeared from Prometheus service discovery. # summary: Unifi Poller is down. # expr: | # absent(up{job=~".*unifi-poller.*"} == 1) # for: 5m # labels: # severity: critical redis: enabled: true existingSecret: "rediscreds"