# Pi-hole deployment described as a kubenix-style `kubernetes.resources` attribute set.
# The only outside input is `myLib.globals.piholeIPv4`, used as the DNS service's
# LoadBalancer address; everything else is literal.
{ myLib, ... }:
let
  # Label shared by the Deployment, its pod template and both Service selectors.
  appLabel = "pihole";

  # NFS export host and base path backing both persistent volumes.
  nfsServer = "lewis.dmz";
  nfsBase = "/mnt/data/nfs/pihole";

  # Nominal capacity; the volumes are NFS-backed, so this value is not enforced
  # by the storage itself (presumably only needed to satisfy the PV/PVC API).
  nominalSize = "1Mi";

  # Build one NFS-backed PersistentVolume spec for the given sub-directory.
  nfsVolumeSpec = subdir: {
    capacity.storage = nominalSize;
    accessModes = [ "ReadWriteMany" ];
    nfs = {
      server = nfsServer;
      path = "${nfsBase}/${subdir}";
    };
  };

  # Build the matching PersistentVolumeClaim spec, bound by name to `pihole-<subdir>`.
  # `storageClassName = ""` pins the claim to a statically provisioned volume.
  nfsClaimSpec = subdir: {
    accessModes = [ "ReadWriteMany" ];
    storageClassName = "";
    resources.requests.storage = nominalSize;
    volumeName = "pihole-${subdir}";
  };
in
{
  kubernetes.resources = {
    configMaps.pihole.data = {
      TZ = "Europe/Amsterdam";
      # Upstream resolver Pi-hole forwards to.
      PIHOLE_DNS_ = "192.168.30.1";
    };

    # The password is not stored here: the value is a reference that is expected to be
    # resolved from the sops-encrypted file at render time — TODO confirm the renderer
    # in this repo understands `ref+sops://` references.
    secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password";

    deployments.pihole = {
      metadata.labels.app = appLabel;
      spec = {
        selector.matchLabels.app = appLabel;
        template = {
          metadata.labels.app = appLabel;
          spec = {
            containers.pihole = {
              # NOTE(review): a floating `latest` tag is not reproducible and can pull a
              # different image on every node; pinning to a version or digest is safer.
              image = "pihole/pihole:latest";
              envFrom = [ { configMapRef.name = "pihole"; } ];
              ports = {
                web.containerPort = 80;
                dns = {
                  containerPort = 53;
                  protocol = "UDP";
                };
              };
              # Web UI password is injected from the Secret above, not from the ConfigMap.
              env.WEBPASSWORD.valueFrom.secretKeyRef = {
                name = "pihole";
                key = "webPassword";
              };
              volumeMounts = [
                {
                  name = "data";
                  mountPath = "/etc/pihole";
                }
                {
                  name = "dnsmasq";
                  mountPath = "/etc/dnsmasq.d";
                }
              ];
            };
            volumes = {
              data.persistentVolumeClaim.claimName = "pihole-data";
              dnsmasq.persistentVolumeClaim.claimName = "pihole-dnsmasq";
            };
          };
        };
      };
    };

    persistentVolumes = {
      pihole-data.spec = nfsVolumeSpec "data";
      pihole-dnsmasq.spec = nfsVolumeSpec "dnsmasq";
    };

    persistentVolumeClaims = {
      pihole-data.spec = nfsClaimSpec "data";
      pihole-dnsmasq.spec = nfsClaimSpec "dnsmasq";
    };

    services = {
      # Admin UI, reached only through the ingress below.
      pihole-web.spec = {
        selector.app = appLabel;
        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };
      # DNS is exposed directly on a fixed LAN address supplied by the caller.
      pihole-dns.spec = {
        type = "LoadBalancer";
        loadBalancerIP = myLib.globals.piholeIPv4;
        selector.app = appLabel;
        ports.dns = {
          protocol = "UDP";
          port = 53;
          targetPort = "dns";
        };
      };
    };

    ingresses.pihole-web = {
      metadata.annotations = {
        "cert-manager.io/cluster-issuer" = "letsencrypt";
        # Bound to the `localsecure` entrypoint only, i.e. not the public one
        # (assuming that is how the Traefik entrypoints are named in this cluster).
        "traefik.ingress.kubernetes.io/router.entrypoints" = "localsecure";
      };
      spec = {
        ingressClassName = "traefik";
        rules = [
          {
            host = "pihole.kun.is";
            http.paths = [
              {
                path = "/";
                pathType = "Prefix";
                backend.service = {
                  name = "pihole-web";
                  port.name = "web";
                };
              }
            ];
          }
        ];
        tls = [
          {
            secretName = "pihole-tls";
            hosts = [ "pihole.kun.is" ];
          }
        ];
      };
    };
  };
}