GHP publish

roles/adguard-home/defaults/main.yaml

@@ -0,0 +1,276 @@
+adguard_enabled: false
+adguard_publish: false
+adguard_default_values:
+  # upgrade strategy type (e.g. Recreate or RollingUpdate)
+  strategyType: RollingUpdate
+  configAsCode:
+    enabled: true
+    resources: {}
+    # requests:
+    #   memory: 128Mi
+    #   cpu: 100m
+    image:
+      repository: busybox
+      tag: latest
+      pullPolicy: Always
+    config:
+      bind_host: 0.0.0.0
+      bind_port: 3000
+      users:
+      - name: admin
+        password: "{{ adguard_admin_htpasswd_hash }}"
+      http_proxy: ""
+      language: "en"
+      rlimit_nofile: 0
+      debug_pprof: false
+      web_session_ttl: 720
+      dns:
+        bind_host: 0.0.0.0
+        port: 53
+        statistics_interval: 1
+        querylog_enabled: true
+        querylog_interval: 90
+        querylog_size_memory: 1000
+        anonymize_client_ip: false
+        protection_enabled: true
+        blocking_mode: default
+        blocking_ipv4: ""
+        blocking_ipv6: ""
+        blocked_response_ttl: 10
+        parental_block_host: family-block.dns.adguard.com
+        safebrowsing_block_host: standard-block.dns.adguard.com
+        ratelimit: 0
+        ratelimit_whitelist: []
+        refuse_any: true
+        upstream_dns:
+        - https://dns10.quad9.net/dns-query
+        bootstrap_dns:
+        - 9.9.9.10
+        - 149.112.112.10
+        - 2620:fe::10
+        - 2620:fe::fe:10
+        all_servers: false
+        fastest_addr: false
+        allowed_clients: []
+        # - 10.0.0.1
+        # - 10.0.1.1/24
+        disallowed_clients: []
+        # - 10.0.1.1
+        # - 10.0.11.1/24
+        blocked_hosts: []
+        # - example.org
+        # - '*.example.org'
+        # - '||example.org^'
+        cache_size: 4194304
+        cache_ttl_min: 0
+        cache_ttl_max: 0
+        bogus_nxdomain: []
+        aaaa_disabled: false
+        enable_dnssec: false
+        edns_client_subnet: false
+        filtering_enabled: true
+        filters_update_interval: 8
+        parental_enabled: false
+        safesearch_enabled: false
+        safebrowsing_enabled: false
+        safebrowsing_cache_size: 1048576
+        safesearch_cache_size: 1048576
+        parental_cache_size: 1048576
+        cache_time: 30
+        rewrites: []
+        # - domain: example.org
+        #   answer: 127.0.0.1
+        # - domain: '*.example.org'
+        #   answer: 127.0.0.1
+        blocked_services: 
+        - facebook
+        - origin
+        - twitter
+        - snapchat
+        - skype
+        - whatsapp
+        - instagram
+        - youtube
+        - netflix
+        - twitch
+        - discord
+        - amazon
+        - ebay
+        - cloudflare
+        - steam
+        - epic_games
+        - reddit
+        - ok
+        - vk
+        - mail_ru
+        - tiktok
+      tls:
+        enabled: true
+        server_name: "{{ adguard_dns_name | default('dns.' + domain) }}"
+        force_https: false
+        port_https: 443
+        port_dns_over_tls: 853
+        allow_unencrypted_doh: false
+        strict_sni_check: false
+        certificate_chain: ""
+        private_key: ""
+        certificate_path: "/certs/tls.crt"
+        private_key_path: "/certs/tls.key"
+      filters:
+      - enabled: true
+        url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+        name: AdGuard DNS filter
+        id: 1
+      - enabled: false
+        url: https://adaway.org/hosts.txt
+        name: AdAway
+        id: 2
+      - enabled: false
+        url: https://www.malwaredomainlist.com/hostslist/hosts.txt
+        name: MalwareDomainList.com Hosts List
+        id: 4
+      whitelist_filters: []
+      # - enabled: true
+      #   url: https://easylist-downloads.adblockplus.org/exceptionrules.txt
+      #   name: Allow nonintrusive advertising
+      #   id: 1595760241
+      user_rules: []
+      # - '||example.org^'
+      # - '@@||example.org^'
+      # - 127.0.0.1 example.org
+      # - '! Here goes a comment'
+      # - '# Also a comment'
+      dhcp:
+        enabled: false
+        interface_name: ""
+        gateway_ip: ""
+        subnet_mask: ""
+        range_start: ""
+        range_end: ""
+        lease_duration: 86400
+        icmp_timeout_msec: 1000
+      clients: []
+      # - name: myuser
+      #   tags:
+      #   - user_admin
+      #   ids:
+      #   - 192.168.91.1
+      #   use_global_settings: true
+      #   filtering_enabled: false
+      #   parental_enabled: false
+      #   safesearch_enabled: false
+      #   safebrowsing_enabled: false
+      #   use_global_blocked_services: true
+      #   blocked_services: []
+      #   upstreams: []
+      log_file: ""
+      verbose: false
+      schema_version: 6
+  
+  tlsSecretName: "{{ adguard_dns_name | default('dns.' + domain) }}-secret"
+  timezone: "UTC"
+  ingress:
+    enabled: true
+    annotations:
+      cert-manager.io/acme-challenge-type: dns01
+      cert-manager.io/acme-dns01-provider: rfc2136
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      kubernetes.io/ingress.class:  "{{ external_ingress_class if adguard_publish else internal_ingress_class }}"
+      kubernetes.io/tls-acme: "true"
+    path: /
+    hosts:
+      - adguard.{{ domain }}
+    tls:
+      - secretName: adguard.{{ domain }}-tls
+        hosts:
+          - adguard.{{ domain }}
+  
+  service:
+    type: ClusterIP
+    # externalTrafficPolicy: Local
+    # externalIPs: []
+    # loadBalancerIP: ""
+      # a fixed LoadBalancer IP
+    # loadBalancerSourceRanges: []
+    annotations:
+      # metallb.universe.tf/address-pool: network-services
+      # metallb.universe.tf/allow-shared-ip: adguard-home-svc
+  
+  serviceTCP:
+    enabled: true
+    type: LoadBalancer
+    # externalTrafficPolicy: Local
+    # externalIPs: []
+    loadBalancerIP: "{{ adguard_loadbalancer_ip }}"
+      # a fixed LoadBalancer IP
+    # loadBalancerSourceRanges: []
+    annotations:
+      # metallb.universe.tf/address-pool: network-services
+      metallb.universe.tf/allow-shared-ip: adguard-home-svc
+  
+  serviceUDP:
+    enabled: true
+    type: LoadBalancer
+    # externalTrafficPolicy: Local
+    # externalIPs: []
+    loadBalancerIP: "{{ adguard_loadbalancer_ip }}"
+      # a fixed LoadBalancer IP
+    # loadBalancerSourceRanges: []
+    annotations:
+      # metallb.universe.tf/address-pool: network-services
+      metallb.universe.tf/allow-shared-ip: adguard-home-svc
+  
+  serviceDNSOverTLS:
+    enabled: true
+    ## Enable if you use AdGuard as a DNS over TLS/HTTPS server
+    type: LoadBalancer
+    # externalTrafficPolicy: Local
+    # externalIPs: []
+    loadBalancerIP: "{{ adguard_loadbalancer_ip }}"
+      # a fixed LoadBalancer IP
+    # loadBalancerSourceRanges: []
+    annotations:
+      # metallb.universe.tf/address-pool: network-services
+      metallb.universe.tf/allow-shared-ip: adguard-home-svc
+  
+  serviceDNSOverHTTPS:
+    enabled: true
+    ## Enable if you use AdGuard as a DNS over TLS/HTTPS server
+    type: LoadBalancer
+    # externalTrafficPolicy: Local
+    # externalIPs: []
+    loadBalancerIP: "{{ adguard_loadbalancer_ip }}"
+      # a fixed LoadBalancer IP
+    # loadBalancerSourceRanges: []
+    annotations:
+      # metallb.universe.tf/address-pool: network-services
+      metallb.universe.tf/allow-shared-ip: adguard-home-svc
+      external-dns.alpha.kubernetes.io/hostname: "{{ adguard_dns_name | default('dns.' + domain) }}"
+  
+  serviceDHCP:
+    enabled: false
+    ## Enable if you use AdGuard as a DHCP Server
+    type: NodePort
+    # externalTrafficPolicy: Local
+    # externalIPs: []
+    loadBalancerIP: ""
+      # a fixed LoadBalancer IP
+    annotations: {}
+      # metallb.universe.tf/address-pool: network-services
+      # metallb.universe.tf/allow-shared-ip: adguard-home-svc
+
+  persistence:
+    config:
+      enabled: true
+      accessMode: "{{ adguard_config_storage_mode | default('ReadWriteMany') }}"
+      size: "{{ adguard_config_size | default('20Mi') }}"
+      storageClass: "{{ adguard_config_storage | default('nfs-ssd') }}"
+      ## Do not delete the pvc upon helm uninstall
+      skipuninstall: false
+    work:
+      enabled: true
+      accessMode: "{{ adguard_work_storage_mode | default('ReadWriteMany') }}"
+      size: "{{ adguard_work_size | default('10Gi') }}"
+      storageClass: "{{ adguard_work_storage | default('nfs-ssd') }}"
+      ## Do not delete the pvc upon helm uninstall
+      skipuninstall: false

roles/adguard-home/tasks/main.yaml

@@ -0,0 +1,32 @@
+- name: Request cert for Adguard Home
+  k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: "{{ adguard_dns_name | default('dns.' + domain) }}-crt"
+        namespace: "{{ adguard_namespace | default(namespace) }}"
+      spec:
+        secretName: "{{ adguard_dns_name | default('dns.' + domain) }}-secret"
+        dnsNames:
+        - "{{ adguard_dns_name | default('dns.' + domain) }}"
+        issuerRef:
+          name: letsencrypt-prod
+          # We can reference ClusterIssuers by changing the kind here.
+          # The default value is Issuer (i.e. a locally namespaced Issuer)
+          kind: ClusterIssuer
+          group: cert-manager.io
+
+- set_fact:
+    adguard_combined_values: "{{ adguard_default_values | combine(adguard_values, recursive=true) }}"
+
+- name: Deploy Adguard Home
+  community.kubernetes.helm:
+    create_namespace: true
+    release_namespace: "{{ adguard_namespace | default(namespace) }}"
+    release_name: "{{ adguard_name | default('adguard') }}"
+    chart_ref: "{{ adguard_chart | default('ghp/adguard-home') }}"
+    chart_version: "{{ adguard_version | default(omit) }}"
+    release_values: "{{ adguard_combined_values | from_yaml }}"
+