{
globals,
config,
lib,
...
}: {
options.pihole.enable = lib.mkEnableOption "pihole";
config = lib.mkIf config.pihole.enable {
kubernetes.resources = {
secrets.pihole.stringData.webPassword = "ref+sops://secrets.yml#/pihole/password";
deployments.pihole.spec = {
selector.matchLabels.app = "pihole";
strategy = {
type = "RollingUpdate";
rollingUpdate = {
maxSurge = 0;
maxUnavailable = 1;
};
};
template = {
metadata.labels.app = "pihole";
spec = {
containers.pihole = {
image = globals.images.pihole;
env = {
TZ.value = "Europe/Amsterdam";
PIHOLE_DNS_.value = "192.168.30.1";
WEBPASSWORD.valueFrom.secretKeyRef = {
name = "pihole";
key = "webPassword";
};
};
ports = {
web.containerPort = 80;
dns = {
containerPort = 53;
protocol = "UDP";
};
};
volumeMounts = [
{
name = "data";
mountPath = "/etc/pihole";
}
{
name = "dnsmasq";
mountPath = "/etc/dnsmasq.d";
}
];
};
volumes = {
data.persistentVolumeClaim.claimName = "pihole-data";
dnsmasq.persistentVolumeClaim.claimName = "pihole-dnsmasq";
};
securityContext = {
fsGroup = 1000;
fsGroupChangePolicy = "OnRootMismatch";
};
};
};
};
services = {
pihole.spec = {
type = "LoadBalancer";
loadBalancerIP = globals.piholeIPv4;
selector.app = "pihole";
ports = {
dns = {
protocol = "UDP";
port = 53;
targetPort = "dns";
};
web = {
port = 80;
targetPort = "web";
};
};
};
};
};
lab = {
longhorn.persistentVolumeClaim = {
pihole-data = {
volumeName = "pihole-data";
storage = "750Mi";
};
pihole-dnsmasq = {
volumeName = "pihole-dnsmasq";
storage = "16Mi";
};
};
tailscaleIngresses.tailscale-pihole = {
host = "pihole";
service.name = "pihole";
};
};
};
}