image: repository: spx01/blocky tag: v0.23@sha256:24855b63986c790093554a1f62b58379a06bc10a90ee073906e7c39bf692adcc pullPolicy: IfNotPresent k8sgatewayImage: repository: quay.io/oriedge/k8s_gateway pullPolicy: IfNotPresent tag: v0.4.0@sha256:7bdbd447c0244b8f89de9cd6f4826ed0ac66c9406fac3a4ac80081020c251c6b workload: main: replicas: 2 strategy: RollingUpdate podSpec: containers: main: probes: liveness: enabled: false type: exec command: - /app/blocky - healthcheck readiness: enabled: false type: exec command: - /app/blocky - healthcheck startup: enabled: false type: exec command: - /app/blocky - healthcheck # -- Blocky Config File content blockyConfig: {} # upstream: # default: # - 1.1.1.1 # -- some general blocky settings blocky: # -- Enable prometheus annotations enablePrometheus: true service: main: enabled: true ports: main: enabled: true port: 4000 protocol: http targetPort: 4000 dns: enabled: true ports: dns: enabled: true port: 53 protocol: udp targetPort: 53 dnstcp: enabled: true protocol: tcp port: "{{ .Values.service.dns.ports.dns.port }}" targetPort: 53 dot: enabled: true ports: dot: enabled: true port: 853 protocol: tcp targetPort: 853 https: enabled: true ports: https: enabled: true port: 4443 protocol: https targetPort: 4443 k8sgateway: enabled: true ports: k8sgateway: enabled: true port: 5353 protocol: udp targetPort: 5353 ## TODO Add support for SCALE certificates and certificates secrets here certFile: "" keyFile: "" logLevel: info logFormat: text logTimestamp: true logPrivacy: false dohUserAgent: "" minTlsServeVersion: 1.2 # -- set the default DNS upstream servers # Primarily designed for inclusion in the TrueNAS SCALE GUI defaultUpstreams: # Cloudflare - 1.1.1.1 - 1.0.0.1 # Google - 8.8.8.8 - 8.8.4.4 # Quad9 - 9.9.9.9 - 149.112.112.112 # OpenDNS - 208.67.222.222 - 208.67.220.220 # ComodoSecure DNS - 8.26.56.26 - 8.20.247.20 # -- set additional upstreams # Primarily designed for inclusion in the TrueNAS SCALE GUI upstreams: # - name: group2 # dnsservers: # - 1.1.1.1 # -- set bootstrap dns (not needed) # Ensures bootstrap encryption and ensure it doesn't use k8s dns bootstrapDns: # -- Upstream upstream: "" # -- IP's linked to upstream DoT/DoH DNS name ips: [] # -- set additional bootstrap dns (not needed, only used if bootstrapDns is set) additionalBootstrapDns: [] # - upstream: "" # ips: [] # -- Return empty answer for these queries filtering: # -- Ensures filtering by query type queryTypes: [] # -- Set manual custom DNS resolution customDNS: customTTL: 1h filterUnmappedTypes: true rewrite: [] # - in: something.com # out: somethingelse.com mapping: [] # - domain: something.com # dnsserver: 192.168.178.1 # -- Setup client-name lookup clientLookup: # -- upstream used for client-name lookup upstream: "" singleNameOrder: [] clients: # - domain: laptop # ips: [] # -- Setup caching caching: minTime: 15m maxTime: 0 maxItemsCount: 0 prefetching: true prefetchExpires: 12h prefetchThreshold: 5 prefetchMaxItemsCount: 0 cacheTimeNegative: 30m # -- set conditional settings # Primarily designed for inclusion in the TrueNAS SCALE GUI conditional: rewrite: [] # - in: something.com # out: somethingelse.com mapping: [] # - domain: something.com # dnsserver: 192.168.178.1 # -- set blocking settings using Lists # Primarily designed for inclusion in the TrueNAS SCALE GUI blocking: # -- Sets the blocktype blockType: nxDomain # -- Sets the block ttl blockTTL: 6h # -- Sets the block refreshPeriod refreshPeriod: 4h # -- Sets the block download timeout downloadTimeout: 60s # -- Sets the block download attempt count downloadAttempts: 3 # -- Sets the block download cooldown downloadCooldown: 5s # -- Set the start strategy (blocking | failOnError | fast) startStrategy: fast # -- Sets how many list-groups can be processed at the same time processingConcurrency: 8 # -- Add blocky whitelists # `default` name is reservered for TrueCharts included default whitelist # example shows the structure, though name should be changed when used whitelist: [] # - name: default # lists: # - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt # - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt # - https://raw.githubusercontent.com/rahilpathan/pihole-whitelist/main/1.LowWL.txt # -- Blocky blacklists # `default` name is reservered for TrueCharts included default blacklist # example shows the structure, though name should be changed when used blacklist: [] # - name: default # lists: # - https://big.oisd.nl/domainswild # -- Blocky clientGroupsBlock clientGroupsBlock: - name: default groups: - default # -- configure using hostsfile for lookups # Allows for using the hosts configured in kubernetes and such hostsFile: enabled: false filePath: /etc/hosts hostsTTL: 60m refreshPeriod: 30m podOptions: automountServiceAccountToken: true portal: open: enabled: false serviceAccount: main: # -- Specifies whether a service account should be created enabled: true primary: true # -- Create a ClusterRole and ClusterRoleBinding # @default -- See below rbac: main: # -- Enables or disables the ClusterRole and ClusterRoleBinding enabled: true primary: true clusterWide: true # -- Set Rules on the ClusterRole rules: - apiGroups: - "" resources: - services - namespaces verbs: - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses verbs: - list - watch k8sgateway: enabled: true # -- TTL for non-apex responses (in seconds) ttl: 300 # -- Limit what kind of resources to watch, e.g. watchedResources: ["Ingress"] watchedResources: [] # -- Service name of a secondary DNS server (should be `serviceName.namespace`) secondary: "" # -- Override the default `serviceName.namespace` domain apex apex: "" # -- list of processed domains domains: [] # -- Delegated domain # - domain: "example.com" # # -- Optional configuration option for DNS01 challenge that will redirect all acme # # challenge requests to external cloud domain (e.g. managed by cert-manager) # # See: https://cert-manager.io/docs/configuration/acme/dns01/ # dnsChallenge: # enabled: false # domain: dns01.clouddns.com forward: enabled: false primary: tls://1.1.1.1 secondary: tls://1.0.0.1 options: - name: tls_servername value: cloudflare-dns.com configmap: dashboard: enabled: true labels: grafana_dashboard: "1" data: blocky.json: >- {{ .Files.Get "dashboard.json" | indent 8 }} blockypostgres.json: >- {{ .Files.Get "dashboardpsql.json" | indent 8 }} datasource: enabled: true labels: grafana_datasources: "1" data: datasourceblockypsql.yaml: |- apiVersion: 1 datasources: - name: BlockyPostgres type: postgres uid: blockypostgres url: {{ printf "%s.%s:5432" (.Values.cnpg.main.creds.host | trimAll "\"") .Release.Namespace }} access: proxy user: {{ .Values.cnpg.main.user }} secureJsonData: password: {{ .Values.cnpg.main.creds.password | default "na" }} jsonData: database: {{ .Values.cnpg.main.database }} sslmode: 'disable' # disable/require/verify-ca/verify-full maxOpenConns: 100 # Grafana v5.4+ maxIdleConns: 100 # Grafana v5.4+ maxIdleConnsAuto: true # Grafana v9.5.1+ connMaxLifetime: 14400 # Grafana v5.4+ postgresVersion: 1500 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10 timescaledb: false metrics: main: # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. # @default -- See values.yaml enabled: true type: "servicemonitor" endpoints: - port: main path: /metrics # -- Enable and configure Prometheus Rules for the chart under this key. # @default -- See values.yaml prometheusRule: enabled: false labels: {} # -- Configure additionial rules for the chart under this key. # @default -- See prometheusrules.yaml rules: [] # - alert: UnifiPollerAbsent # annotations: # description: Unifi Poller has disappeared from Prometheus service discovery. # summary: Unifi Poller is down. # expr: | # absent(up{job=~".*unifi-poller.*"} == 1) # for: 5m # labels: # severity: critical redis: enabled: true includeCommon: true # CANNOT be defined in above yaml section queryLog: # optional one of: mysql, postgresql, csv, csv-client. If empty, log to console type: "postgresql" # directory (should be mounted as volume in docker) for csv, db connection string for mysql, ignored for included postgresql # target: /var/log/something # postgresql target: postgres://user:password@db_host_or_ip:5432/db_name # if > 0, deletes log files which are older than ... days logRetentionDays: 0 # optional: Max attempts to create specific query log writer, default: 3 creationAttempts: 3 # optional: Time between the creation attempts, default: 2s creationCooldown: 2s cnpg: main: enabled: true user: blocky database: blocky