-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from CrashenX/setup
Initial setup including pi-hole chart
- Loading branch information
Showing
18 changed files
with
352 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
*.cnf | ||
*.srl | ||
*.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,53 @@ | ||
# microk8s | ||
# microk8s | ||
|
||
## Enable addons | ||
|
||
At a minimum you'll probably want: | ||
|
||
- dns | ||
- ingress | ||
- storage | ||
|
||
The list of addons and instructions on enabling can be found in the | ||
[docs](https://github.com/ubuntu/microk8s#kubernetes-addons). | ||
|
||
## Setting up Helm / Tiller | ||
|
||
sudo snap install helm --classic | ||
cd helm/; ./setup.sh # Setup tiller with tls | ||
helm --tiller-namespace=tiller ls --tls # Verify working | ||
|
||
### Typing less | ||
|
||
Add this to your bashrc: | ||
|
||
shelm () { | ||
( helm --tiller-namespace=tiller "$@" --tls ) | ||
} | ||
|
||
NB: You might want to logout and back in to reload bashrc | ||
|
||
Verify it works: | ||
|
||
shelm ls | ||
|
||
## Setting up nginx ingress controller | ||
|
||
shelm install stable/nginx-ingress --name my-nginx --set rbac.create=true | ||
|
||
## Setting up Pi-hole | ||
|
||
IFACE='eno1' # set to server's inbound interface | ||
read -d "\n" PHIPV4 PHIPV6 <<<$(ip a show $IFACE | grep inet | awk '{ print $2 }' | sed -e 's/\/.*//') | ||
echo -e "$PHIPV4\n$PHIPV6" # verify correct IPs | ||
cd helm/charts/pihole | ||
curl https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt > files/whitelist.txt | ||
curl https://v.firebog.net/hosts/lists.php?type=nocross > files/adlists.list | ||
shelm install . --namespace=pihole \ | ||
--set host.ipv4=$PHIPV4 \ | ||
# --set host.ipv6=$PHIPV6 # don't set if link-local address | ||
|
||
## Gotchas | ||
|
||
- I had to change the forwarding policy (`iptables -P FORWARD ACCEPT`), per | ||
[this bug](https://github.com/ubuntu/microk8s/issues/75). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: admin-user | ||
namespace: kube-system | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: admin-user | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: admin-user | ||
namespace: kube-system |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
#!/bin/bash | ||
microk8s.kubectl -n kube-system get secret \ | ||
$(microk8s.kubectl -n kube-system get secret | grep admin-user-token | awk '{print $1}') \ | ||
-o json | jq -r '.data.token' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
appVersion: "0.0.1" | ||
description: Pi-hole over HTTPS | ||
name: pihole | ||
version: 0.0.1 |
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "pihole.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this | ||
(by the DNS naming spec). | ||
*/}} | ||
{{- define "pihole.fullname" -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "pihole.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ template "pihole.fullname" . }}-dnsmasq | ||
labels: | ||
app: {{ template "pihole.name" . }} | ||
chart: {{ template "pihole.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
data: | ||
02-custom.conf: | ||
address=/pi.hole/{{ .Values.host.ipv4 }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ template "pihole.fullname" . }}-lists | ||
labels: | ||
app: {{ template "pihole.name" . }} | ||
chart: {{ template "pihole.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
data: | ||
whitelist.txt: |- | ||
{{ .Files.Get "files/whitelist.txt" | indent 4 }} | ||
adlists.list: |- | ||
{{ .Files.Get "files/adlists.list" | indent 4 }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ template "pihole.fullname" . }} | ||
labels: | ||
app: {{ template "pihole.name" . }} | ||
chart: {{ template "pihole.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: {{ template "pihole.fullname" . }} | ||
template: | ||
metadata: | ||
labels: | ||
app: {{ template "pihole.fullname" . }} | ||
spec: | ||
dnsPolicy: "None" | ||
dnsConfig: | ||
nameservers: | ||
- 127.0.0.1 | ||
- 1.1.1.1 | ||
- 8.8.8.8 | ||
containers: | ||
- name: {{ .Chart.Name }} | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
resources: | ||
limits: | ||
memory: 1Gi | ||
env: | ||
- name: 'ServerIP' | ||
value: {{ required "A valid .Values.host.ipv4 entry required!" .Values.host.ipv4 }} | ||
{{ if .Values.host.ipv6 }} | ||
- name: 'ServerIPv6' | ||
value: {{ .Values.host.ipv6 }} | ||
- name: 'IPv6' | ||
value: True | ||
{{ end }} | ||
- name: 'DNS1' | ||
value: '1.1.1.1' | ||
- name: 'DNS2' | ||
value: '8.8.8.8' | ||
- name: 'VIRTUAL_HOST' | ||
value: 'pi.hole' | ||
ports: | ||
- name: http | ||
containerPort: 80 | ||
- name: dns-tcp | ||
containerPort: 53 | ||
protocol: TCP | ||
- name: dns-udp | ||
containerPort: 53 | ||
protocol: UDP | ||
livenessProbe: | ||
httpGet: | ||
path: / | ||
port: http | ||
readinessProbe: | ||
httpGet: | ||
path: / | ||
port: http | ||
volumeMounts: | ||
- mountPath: "/etc/pihole" | ||
name: {{ template "pihole.fullname" . }}-pvc | ||
subPath: "pihole" | ||
- mountPath: "/etc/dnsmasq.d" | ||
name: {{ template "pihole.fullname" . }}-pvc | ||
subPath: "dnsmasq" | ||
- mountPath: "/etc/dnsmasq.d/02-custom.conf" | ||
name: {{ template "pihole.fullname" . }}-dnsmasq | ||
subPath: 02-custom.conf | ||
- mountPath: "/etc/pihole/whitelist.txt" | ||
name: {{ template "pihole.fullname" . }}-lists | ||
subPath: whitelist.txt | ||
- mountPath: "/etc/pihole/adlists.list" | ||
name: {{ template "pihole.fullname" . }}-lists | ||
subPath: adlists.list | ||
volumes: | ||
- name: {{ template "pihole.fullname" . }}-dnsmasq | ||
configMap: | ||
name: {{ template "pihole.fullname" . }}-dnsmasq | ||
- name: {{ template "pihole.fullname" . }}-lists | ||
configMap: | ||
name: {{ template "pihole.fullname" . }}-lists | ||
- name: {{ template "pihole.fullname" . }}-pvc | ||
persistentVolumeClaim: | ||
claimName: {{ template "pihole.fullname" . }}-pvc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
apiVersion: extensions/v1beta1 | ||
kind: Ingress | ||
metadata: | ||
name: {{ template "pihole.fullname" . }} | ||
labels: | ||
app: {{ template "pihole.name" . }} | ||
chart: {{ template "pihole.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
annotations: | ||
nginx.ingress.kubernetes.io/rewrite-target: / | ||
kubernetes.io/ingress.class: 'nginx' | ||
spec: | ||
rules: | ||
- host: pi.hole | ||
http: | ||
paths: | ||
- path: / | ||
backend: | ||
serviceName: {{ template "pihole.fullname" . }} | ||
servicePort: http |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
kind: PersistentVolumeClaim | ||
apiVersion: v1 | ||
metadata: | ||
name: {{ template "pihole.fullname" . }}-pvc | ||
spec: | ||
accessModes: | ||
- ReadWriteOnce | ||
volumeMode: Filesystem | ||
resources: | ||
requests: | ||
storage: 5Gi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ template "pihole.fullname" . }} | ||
labels: | ||
app: {{ template "pihole.name" . }} | ||
chart: {{ template "pihole.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
spec: | ||
ports: | ||
- name: http | ||
port: 80 | ||
targetPort: http | ||
protocol: TCP | ||
- name: https | ||
port: 443 | ||
targetPort: https | ||
protocol: TCP | ||
- name: dns | ||
port: 53 | ||
targetPort: dns | ||
protocol: TCP | ||
- name: dns-udp | ||
port: 53 | ||
targetPort: dns-udp | ||
protocol: UDP | ||
- name: client-udp | ||
port: 67 | ||
targetPort: client-udp | ||
protocol: UDP | ||
externalIPs: | ||
- {{ required "A valid .Values.host.ipv4 entry required!" .Values.host.ipv4 }} | ||
{{ if .Values.host.ipv6 }} | ||
- {{ .Values.host.ipv6 }} | ||
{{ end }} | ||
selector: | ||
app: {{ template "pihole.fullname" . }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
image: | ||
pullPolicy: IfNotPresent | ||
repository: pihole/pihole | ||
tag: 4.2.2-1_amd64 | ||
host: | ||
# ipv4: required | ||
# ipv6: optional |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: tiller | ||
namespace: tiller | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: tiller | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: tiller | ||
namespace: tiller |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
microk8s.kubectl create namespace tiller | ||
microk8s.kubectl create -f rbac-config.yaml | ||
openssl genrsa -out ./ca.key.pem 4096 | ||
cp /etc/ssl/openssl.cnf openssl-with-ca.cnf | ||
openssl req -key ca.key.pem -new -x509 -days 14 -sha256 -out ca.cert.pem -extensions v3_ca -config openssl-with-ca.cnf | ||
openssl genrsa -out ./tiller.key.pem 4096 | ||
openssl genrsa -out ./helm.key.pem 4096 | ||
openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem | ||
openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem | ||
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 14 | ||
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 14 | ||
mkdir $(helm home); cp ca.cert.pem $(helm home)/ca.pem; cp helm.cert.pem $(helm home)/cert.pem; cp helm.key.pem $(helm home)/key.pem | ||
helm init --tiller-namespace tiller --service-account tiller --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem |