mrsimonemms · mrsimonemms · Nov 17, 2024 · Nov 17, 2024 · Nov 17, 2024 · Nov 17, 2024
diff --git a/modules/hetzner/networks.tf b/modules/hetzner/networks.tf
@@ -101,6 +101,23 @@ locals {
       port     = 10001
       protocol = "udp"
     },
+    {
+      description = "PiHole DNS TCP"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port = 53
+    },
+    {
+      description = "PiHole DNS UDP"
+      source_ips = [
+        local.global_ipv4_cidr,
+        local.global_ipv6_cidr,
+      ]
+      port     = 53
+      protocol = "udp"
+    },
     # Direct public access only allowed if single manager node
     {
       description = "Allow access to Kubernetes API"

diff --git a/modules/kubernetes/files/cloud-controller-manager.yaml b/modules/kubernetes/files/cloud-controller-manager.yaml
@@ -0,0 +1,6 @@
+networking:
+  enabled: true
+
+env:
+  HCLOUD_LOAD_BALANCERS_ENABLED:
+    value: "false"
diff --git a/modules/kubernetes/hetzner.tf b/modules/kubernetes/hetzner.tf
@@ -35,10 +35,10 @@ resource "helm_release" "hcloud_ccm" {
   version         = var.hetzner_cloud_config_manager_version
   wait            = true
 
-  set {
-    name  = "networking.enabled"
-    value = "true"
-  }
+
+  values = [
+    templatefile("${path.module}/files/cloud-controller-manager.yaml", {})
+  ]
 
   set {
     name  = "networking.clusterCIDR"

diff --git a/registry/clusters/dev/components/pihole.yaml b/registry/clusters/dev/components/pihole.yaml
@@ -0,0 +1,62 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pihole-components
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/mrsimonemms/infrastructure
+    path: registry/components/pihole
+    targetRevision: HEAD
+    kustomize:
+      patches:
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: pihole
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/virtualHost
+              value: pihole.dev.simonemms.com
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: pihole
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/ingress/annotations/cert-manager.io~1cluster-issuer
+              value: letsencrypt-staging
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: pihole
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/ingress/hosts/0
+              value: pihole.dev.simonemms.com
+        - target:
+            group: argoproj.io
+            version: v1alpha1
+            kind: Application
+            name: pihole
+          patch: |-
+            - op: replace
+              path: /spec/source/helm/valuesObject/ingress/tls/0/hosts/0
+              value: pihole.dev.simonemms.com
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: pihole
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/registry/clusters/prod/components/pihole.yaml b/registry/clusters/prod/components/pihole.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pihole-components
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/mrsimonemms/infrastructure
+    path: registry/components/pihole
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: pihole
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/registry/components/pihole/application.yaml b/registry/components/pihole/application.yaml
@@ -0,0 +1,64 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pihole
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  project: default
+  source:
+    chart: pihole
+    repoURL: https://mojo2600.github.io/pihole-kubernetes/
+    targetRevision: 2.26.2
+    helm:
+      valuesObject:
+        admin:
+          enabled: true
+          existingSecret: password
+          passwordKey: password
+        virtualHost: pihole.simonemms.com
+        podAnnotations:
+          secret.reloader.stakater.com/reload: password
+        DNS1: 208.67.222.222 # OpenDNS
+        DNS2: 1.1.1.1 # Cloudflare
+        extraEnvVars:
+          FTLCONF_PRIVACYLEVEL: 3
+          QUERY_LOGGING: false
+          WEBLOGS_STDOUT: 1
+          WEBTHEME: default-darker
+        serviceWeb:
+          https:
+            enabled: false
+        serviceDns:
+          type: LoadBalancer
+          externalTrafficPolicy: Cluster
+          annotations:
+            metallb.universe.tf/allow-shared-ip: primary
+            metallb.universe.tf/ip-allocated-from-pool: nodes
+        ingress:
+          enabled: true
+          annotations:
+            kubernetes.io/tls-acme: "true"
+            cert-manager.io/cluster-issuer: letsencrypt
+            gethomepage.dev/description: Network-wide ad blocking
+            gethomepage.dev/enabled: "true"
+            gethomepage.dev/group: Cluster Management
+            gethomepage.dev/icon: pi-hole
+            gethomepage.dev/name: Pi-hole
+          ingressClassName: nginx
+          hosts:
+            - pihole.simonemms.com
+          tls:
+            - hosts:
+                - pihole.simonemms.com
+              secretName: pihole-tls
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: pihole
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/registry/components/pihole/kustomization.yaml b/registry/components/pihole/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml
+  - namespace.yaml
+  - secret.yaml
diff --git a/registry/components/pihole/namespace.yaml b/registry/components/pihole/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pihole
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
diff --git a/registry/components/pihole/secret.yaml b/registry/components/pihole/secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: password
+  namespace: pihole
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  refreshInterval: 10s
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+  target:
+    name: password
+  data:
+    - secretKey: password
+      remoteRef:
+        key: PIHOLE_PASSWORD