Remove adguard — home DNS server, no purpose on GCP

This commit is contained in:
Will Anderson
2026-04-27 18:27:21 -05:00
parent fb5b93f9d7
commit 60f4e0693e
8 changed files with 0 additions and 364 deletions
-20
@@ -1,20 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: adguard-config
namespace: argocd
spec:
project: default
source:
repoURL: http://gitea.git.svc.cluster.local:3000/will/infrastructure.git
targetRevision: main
path: servers/legion/k8s/adguard
destination:
server: https://kubernetes.default.svc
namespace: dns
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
-147
@@ -1,147 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: adguard
namespace: dns
labels:
app: adguard
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: adguard
template:
metadata:
labels:
app: adguard
spec:
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
initContainers:
- name: apply-config
image: python:3.12-alpine
command: ["sh", "-c"]
args:
- |
pip install -q pyyaml && python3 - <<'EOF'
import yaml, os, shutil
CONFIG = "/opt/adguardhome/conf/AdGuardHome.yaml"
DEFAULT = "/opt/adguard-defaults/AdGuardHome.yaml"
with open(DEFAULT) as f:
desired = yaml.safe_load(f)
if not os.path.exists(CONFIG):
# First run — seed from defaults
shutil.copy(DEFAULT, CONFIG)
print("First run: seeded config from defaults")
else:
with open(CONFIG) as f:
cfg = yaml.safe_load(f)
# Enforce bind_hosts
cfg.setdefault("dns", {})["bind_hosts"] = ["0.0.0.0"]
# Enforce upstream + bootstrap DNS
cfg["dns"]["upstream_dns"] = desired["dns"]["upstream_dns"]
cfg["dns"]["bootstrap_dns"] = desired["dns"]["bootstrap_dns"]
# Ensure desired filter lists are all present and enabled
existing = {f["url"]: f for f in cfg.get("filters", [])}
for df in desired.get("filters", []):
if df["url"] in existing:
existing[df["url"]]["enabled"] = True
else:
cfg.setdefault("filters", []).append(df)
# Enforce TLS / DoT settings
cfg.setdefault("tls", {}).update({
"enabled": True,
"server_name": "dot.nook.family",
"port_dns_over_tls": 853,
"certificate_path": "/etc/adguard/tls/tls.crt",
"private_key_path": "/etc/adguard/tls/tls.key",
"allow_unencrypted_doh": True,
})
# Fix/ensure rewrites
cfg.setdefault("filtering", {})
existing_rw = {rw["domain"]: rw for rw in cfg["filtering"].get("rewrites", [])}
for rw in desired.get("filtering", {}).get("rewrites", []):
if rw["domain"] in existing_rw:
existing_rw[rw["domain"]]["answer"] = rw["answer"]
else:
cfg["filtering"].setdefault("rewrites", []).append(rw)
with open(CONFIG, "w") as f:
yaml.dump(cfg, f, default_flow_style=False, allow_unicode=True)
print("Config patched: DNS upstreams, filter lists, rewrites enforced")
volumeMounts:
- name: config
mountPath: /opt/adguardhome/conf
- name: defaults
mountPath: /opt/adguard-defaults
- name: tls
mountPath: /etc/adguard/tls
readOnly: true
containers:
- name: adguard
image: adguard/adguardhome:latest
ports:
- name: dns-tcp
containerPort: 53
protocol: TCP
- name: dns-udp
containerPort: 53
protocol: UDP
- name: dot
containerPort: 853
protocol: TCP
- name: http
containerPort: 3000
protocol: TCP
volumeMounts:
- name: config
mountPath: /opt/adguardhome/conf
- name: data
mountPath: /opt/adguardhome/work
- name: tls
mountPath: /etc/adguard/tls
readOnly: true
resources:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 512Mi
cpu: 500m
volumes:
- name: config
persistentVolumeClaim:
claimName: adguard-config
- name: data
persistentVolumeClaim:
claimName: adguard-data
- name: defaults
configMap:
name: adguard-defaults
- name: tls
secret:
secretName: adguard-dot-tls
---
apiVersion: v1
kind: Service
metadata:
name: adguard-ui
namespace: dns
spec:
selector:
app: adguard
ports:
- name: http
port: 3000
targetPort: 3000
type: ClusterIP
@@ -1,15 +0,0 @@
---
# TLS certificate for DoT (DNS-over-TLS) on dot.nook.family:853
# Issued via cert-manager DNS-01 challenge (Cloudflare)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: adguard-dot-tls
namespace: dns
spec:
secretName: adguard-dot-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- dot.nook.family
-53
@@ -1,53 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: adguard-defaults
namespace: dns
data:
AdGuardHome.yaml: |
dns:
bind_hosts:
- 0.0.0.0
port: 53
upstream_dns:
- https://dns.cloudflare.com/dns-query
- https://dns.google/dns-query
bootstrap_dns:
- 1.1.1.1
- 8.8.8.8
- 9.9.9.10
- 149.112.112.10
upstream_mode: load_balance
cache_enabled: true
cache_size: 4194304
filters:
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
name: AdGuard DNS filter
id: 1
- enabled: true
url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
name: AdAway Default Blocklist
id: 2
- enabled: true
url: https://big.oisd.nl/domainswild
name: OISD Big
id: 3
- enabled: true
url: https://easylist.to/easylist/easylist.txt
name: EasyList
id: 4
- enabled: true
url: https://easylist.to/easylist/easyprivacy.txt
name: EasyPrivacy
id: 5
tls:
enabled: true
server_name: dot.nook.family
port_dns_over_tls: 853
certificate_path: /etc/adguard/tls/tls.crt
private_key_path: /etc/adguard/tls/tls.key
allow_unencrypted_doh: true
filtering:
filtering_enabled: true
rewrites: []
@@ -1,39 +0,0 @@
---
# ddclient — dynamic DNS daemon keeping dot.nook.family pointed at home public IP
# Updates Cloudflare A record every 5 minutes (required for DoT port 853, no CF proxy)
apiVersion: apps/v1
kind: Deployment
metadata:
name: ddclient
namespace: dns
labels:
app: ddclient
spec:
replicas: 1
selector:
matchLabels:
app: ddclient
template:
metadata:
labels:
app: ddclient
spec:
containers:
- name: ddclient
image: ghcr.io/linuxserver/ddclient:latest
command: ["ddclient", "-file", "/etc/ddclient/ddclient.conf", "-daemon", "300", "-noquiet", "-foreground"]
volumeMounts:
- name: config
mountPath: /etc/ddclient/ddclient.conf
subPath: ddclient.conf
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 64Mi
volumes:
- name: config
secret:
secretName: ddclient-config
@@ -1,39 +0,0 @@
---
# ddclient-config — Cloudflare credentials for dynamic DNS updates
# cloudflare_api_key and cloudflare_email stored in Vault at secret/cloudflare
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: ddclient-config
namespace: dns
spec:
refreshInterval: 1h
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: ddclient-config
creationPolicy: Owner
template:
data:
ddclient.conf: |
daemon=300
syslog=yes
pid=/var/run/ddclient/ddclient.pid
use=web, web=https://api.ipify.org
protocol=cloudflare
zone=nook.family
ttl=120
login={{ .cloudflare_email }}
password={{ .cloudflare_api_key }}
dot.nook.family
data:
- secretKey: cloudflare_api_key
remoteRef:
key: secret/data/cloudflare
property: api_key
- secretKey: cloudflare_email
remoteRef:
key: secret/data/cloudflare
property: email
-25
@@ -1,25 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: adguard
namespace: dns
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: traefik
tls:
- hosts:
- dns.nook.family
secretName: adguard-tls
rules:
- host: dns.nook.family
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: adguard-ui
port:
number: 3000
-26
@@ -1,26 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: adguard-config
namespace: dns
spec:
storageClassName: local-path
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: adguard-data
namespace: dns
spec:
storageClassName: local-path
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi