From 60f4e0693ea0ea094c0567ef3e9d810c080302a1 Mon Sep 17 00:00:00 2001
From: Will Anderson
Date: Mon, 27 Apr 2026 18:27:21 -0500
Subject: [PATCH] =?UTF-8?q?Remove=20adguard=20=E2=80=94=20home=20DNS=20ser?=
=?UTF-8?q?ver,=20no=20purpose=20on=20GCP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
servers/legion/apps/adguard-config.yaml | 20 ---
servers/legion/apps/adguard.yaml | 147 ------------------
servers/legion/k8s/adguard/certificate.yaml | 15 --
servers/legion/k8s/adguard/configmap.yaml | 53 -------
.../k8s/adguard/ddclient-deployment.yaml | 39 -----
.../k8s/adguard/ddclient-external-secret.yaml | 39 -----
servers/legion/k8s/adguard/ingress.yaml | 25 ---
servers/legion/k8s/adguard/pvc.yaml | 26 ----
8 files changed, 364 deletions(-)
delete mode 100644 servers/legion/apps/adguard-config.yaml
delete mode 100644 servers/legion/apps/adguard.yaml
delete mode 100644 servers/legion/k8s/adguard/certificate.yaml
delete mode 100644 servers/legion/k8s/adguard/configmap.yaml
delete mode 100644 servers/legion/k8s/adguard/ddclient-deployment.yaml
delete mode 100644 servers/legion/k8s/adguard/ddclient-external-secret.yaml
delete mode 100644 servers/legion/k8s/adguard/ingress.yaml
delete mode 100644 servers/legion/k8s/adguard/pvc.yaml
diff --git a/servers/legion/apps/adguard-config.yaml b/servers/legion/apps/adguard-config.yaml
deleted file mode 100644
index d0e25ee..0000000
--- a/servers/legion/apps/adguard-config.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: adguard-config
- namespace: argocd
-spec:
- project: default
- source:
- repoURL: http://gitea.git.svc.cluster.local:3000/will/infrastructure.git
- targetRevision: main
- path: servers/legion/k8s/adguard
- destination:
- server: https://kubernetes.default.svc
- namespace: dns
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - CreateNamespace=true
diff --git a/servers/legion/apps/adguard.yaml b/servers/legion/apps/adguard.yaml
deleted file mode 100644
index 0f834bb..0000000
--- a/servers/legion/apps/adguard.yaml
+++ /dev/null
@@ -1,147 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: adguard - namespace: dns - labels: - app: adguard -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: adguard - template: - metadata: - labels: - app: adguard - spec: - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - initContainers: - - name: apply-config - image: python:3.12-alpine - command: ["sh", "-c"] - args: - - | - pip install -q pyyaml && python3 - <<'EOF' - import yaml, os, shutil - - CONFIG = "/opt/adguardhome/conf/AdGuardHome.yaml" - DEFAULT = "/opt/adguard-defaults/AdGuardHome.yaml" - - with open(DEFAULT) as f: - desired = yaml.safe_load(f) - - if not os.path.exists(CONFIG): - # First run — seed from defaults - shutil.copy(DEFAULT, CONFIG) - print("First run: seeded config from defaults") - else: - with open(CONFIG) as f: - cfg = yaml.safe_load(f) - - # Enforce bind_hosts - cfg.setdefault("dns", {})["bind_hosts"] = ["0.0.0.0"] - - # Enforce upstream + bootstrap DNS - cfg["dns"]["upstream_dns"] = desired["dns"]["upstream_dns"] - cfg["dns"]["bootstrap_dns"] = desired["dns"]["bootstrap_dns"] - - # Ensure desired filter lists are all present and enabled - existing = {f["url"]: f for f in cfg.get("filters", [])} - for df in desired.get("filters", []): - if df["url"] in existing: - existing[df["url"]]["enabled"] = True - else: - cfg.setdefault("filters", []).append(df) - - # Enforce TLS / DoT settings - cfg.setdefault("tls", {}).update({ - "enabled": True, - "server_name": "dot.nook.family", - "port_dns_over_tls": 853, - "certificate_path": "/etc/adguard/tls/tls.crt", - "private_key_path": "/etc/adguard/tls/tls.key", - "allow_unencrypted_doh": True, - }) - - # Fix/ensure rewrites - cfg.setdefault("filtering", {}) - existing_rw = {rw["domain"]: rw for rw in cfg["filtering"].get("rewrites", [])} - for rw in desired.get("filtering", {}).get("rewrites", []): - if rw["domain"] in existing_rw: - existing_rw[rw["domain"]]["answer"] = rw["answer"] - 
else: - cfg["filtering"].setdefault("rewrites", []).append(rw) - - with open(CONFIG, "w") as f: - yaml.dump(cfg, f, default_flow_style=False, allow_unicode=True) - print("Config patched: DNS upstreams, filter lists, rewrites enforced") - volumeMounts: - - name: config - mountPath: /opt/adguardhome/conf - - name: defaults - mountPath: /opt/adguard-defaults - - name: tls - mountPath: /etc/adguard/tls - readOnly: true - containers: - - name: adguard - image: adguard/adguardhome:latest - ports: - - name: dns-tcp - containerPort: 53 - protocol: TCP - - name: dns-udp - containerPort: 53 - protocol: UDP - - name: dot - containerPort: 853 - protocol: TCP - - name: http - containerPort: 3000 - protocol: TCP - volumeMounts: - - name: config - mountPath: /opt/adguardhome/conf - - name: data - mountPath: /opt/adguardhome/work - - name: tls - mountPath: /etc/adguard/tls - readOnly: true - resources: - requests: - memory: 128Mi - cpu: 100m - limits: - memory: 512Mi - cpu: 500m - volumes: - - name: config - persistentVolumeClaim: - claimName: adguard-config - - name: data - persistentVolumeClaim: - claimName: adguard-data - - name: defaults - configMap: - name: adguard-defaults - - name: tls - secret: - secretName: adguard-dot-tls ---- -apiVersion: v1 -kind: Service -metadata: - name: adguard-ui - namespace: dns -spec: - selector: - app: adguard - ports: - - name: http - port: 3000 - targetPort: 3000 - type: ClusterIP diff --git a/servers/legion/k8s/adguard/certificate.yaml b/servers/legion/k8s/adguard/certificate.yaml deleted file mode 100644 index fd69de2..0000000 --- a/servers/legion/k8s/adguard/certificate.yaml +++ /dev/null 
@@ -1,15 +0,0 @@
----
-# TLS certificate for DoT (DNS-over-TLS) on dot.nook.family:853
-# Issued via cert-manager DNS-01 challenge (Cloudflare)
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: adguard-dot-tls
- namespace: dns
-spec:
- secretName: adguard-dot-tls
- issuerRef:
- name: letsencrypt-prod
- kind: ClusterIssuer
- dnsNames:
- - dot.nook.family
diff --git a/servers/legion/k8s/adguard/configmap.yaml b/servers/legion/k8s/adguard/configmap.yaml
deleted file mode 100644
index a2df0cd..0000000
--- a/servers/legion/k8s/adguard/configmap.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: adguard-defaults
- namespace: dns
-data:
- AdGuardHome.yaml: |
- dns:
- bind_hosts:
- - 0.0.0.0
- port: 53
- upstream_dns:
- - https://dns.cloudflare.com/dns-query
- - https://dns.google/dns-query
- bootstrap_dns:
- - 1.1.1.1
- - 8.8.8.8
- - 9.9.9.10
- - 149.112.112.10
- upstream_mode: load_balance
- cache_enabled: true
- cache_size: 4194304
- filters:
- - enabled: true
- url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
- name: AdGuard DNS filter
- id: 1
- - enabled: true
- url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
- name: AdAway Default Blocklist
- id: 2
- - enabled: true
- url: https://big.oisd.nl/domainswild
- name: OISD Big
- id: 3
- - enabled: true
- url: https://easylist.to/easylist/easylist.txt
- name: EasyList
- id: 4
- - enabled: true
- url: https://easylist.to/easylist/easyprivacy.txt
- name: EasyPrivacy
- id: 5
- tls:
- enabled: true
- server_name: dot.nook.family
- port_dns_over_tls: 853
- certificate_path: /etc/adguard/tls/tls.crt
- private_key_path: /etc/adguard/tls/tls.key
- allow_unencrypted_doh: true
- filtering:
- filtering_enabled: true
- rewrites: []
diff --git a/servers/legion/k8s/adguard/ddclient-deployment.yaml b/servers/legion/k8s/adguard/ddclient-deployment.yaml
deleted file mode 100644
index cce2449..0000000
--- a/servers/legion/k8s/adguard/ddclient-deployment.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-# ddclient — dynamic DNS daemon keeping dot.nook.family pointed at home public IP
-# Updates Cloudflare A record every 5 minutes (required for DoT port 853, no CF proxy)
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: ddclient
- namespace: dns
- labels:
- app: ddclient
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ddclient
- template:
- metadata:
- labels:
- app: ddclient
- spec:
- containers:
- - name: ddclient
- image: ghcr.io/linuxserver/ddclient:latest
- command: ["ddclient", "-file", "/etc/ddclient/ddclient.conf", "-daemon", "300", "-noquiet", "-foreground"]
- volumeMounts:
- - name: config
- mountPath: /etc/ddclient/ddclient.conf
- subPath: ddclient.conf
- readOnly: true
- resources:
- requests:
- memory: 32Mi
- cpu: 10m
- limits:
- memory: 64Mi
- volumes:
- - name: config
- secret:
- secretName: ddclient-config
diff --git a/servers/legion/k8s/adguard/ddclient-external-secret.yaml b/servers/legion/k8s/adguard/ddclient-external-secret.yaml
deleted file mode 100644
index 6e3939a..0000000
--- a/servers/legion/k8s/adguard/ddclient-external-secret.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-# ddclient-config — Cloudflare credentials for dynamic DNS updates
-# cloudflare_api_key and cloudflare_email stored in Vault at secret/cloudflare
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: ddclient-config
- namespace: dns
-spec:
- refreshInterval: 1h
- secretStoreRef:
- name: vault
- kind: ClusterSecretStore
- target:
- name: ddclient-config
- creationPolicy: Owner
- template:
- data:
- ddclient.conf: |
- daemon=300
- syslog=yes
- pid=/var/run/ddclient/ddclient.pid
- use=web, web=https://api.ipify.org
-
- protocol=cloudflare
- zone=nook.family
- ttl=120
- login={{ .cloudflare_email }}
- password={{ .cloudflare_api_key }}
- dot.nook.family
- data:
- - secretKey: cloudflare_api_key
- remoteRef:
- key: secret/data/cloudflare
- property: api_key
- - secretKey: cloudflare_email
- remoteRef:
- key: secret/data/cloudflare
- property: email
diff --git a/servers/legion/k8s/adguard/ingress.yaml b/servers/legion/k8s/adguard/ingress.yaml
deleted file mode 100644
index 3873b91..0000000
--- a/servers/legion/k8s/adguard/ingress.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: adguard
- namespace: dns
- annotations:
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- cert-manager.io/cluster-issuer: letsencrypt-prod
-spec:
- ingressClassName: traefik
- tls:
- - hosts:
- - dns.nook.family
- secretName: adguard-tls
- rules:
- - host: dns.nook.family
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: adguard-ui
- port:
- number: 3000
diff --git a/servers/legion/k8s/adguard/pvc.yaml b/servers/legion/k8s/adguard/pvc.yaml
deleted file mode 100644
index d7ab74e..0000000
--- a/servers/legion/k8s/adguard/pvc.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: adguard-config
- namespace: dns
-spec:
- storageClassName: local-path
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: adguard-data
- namespace: dns
-spec:
- storageClassName: local-path
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 5Gi