Pihole: put it behind oauth2-proxy
diff --git a/scripts/homelab/installer/pihole-oauth2-proxy.yaml b/scripts/homelab/installer/pihole-oauth2-proxy.yaml
new file mode 100644
index 0000000..a438b1c
--- /dev/null
+++ b/scripts/homelab/installer/pihole-oauth2-proxy.yaml
@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pihole-oauth2-proxy
+  namespace: app-pihole
+spec:
+  type: ClusterIP
+  selector:
+    app: pihole-oauth2-proxy
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+    protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress
+  namespace: app-pihole
+  annotations:
+    cert-manager.io/cluster-issuer: "selfsigned-ca"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  ingressClassName: nginx-private
+  tls:
+  - hosts:
+    - pihole.pcloud
+    secretName: cert-pihole.pcloud
+  rules:
+  - host: pihole.pcloud
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pihole-oauth2-proxy
+            port:
+              name: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pihole-oauth2-proxy
+  namespace: app-pihole
+spec:
+  selector:
+    matchLabels:
+      app: pihole-oauth2-proxy
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: pihole-oauth2-proxy
+    spec:
+      volumes:
+      - name: config
+        configMap:
+          name: oauth2-proxy-config
+      containers:
+      - name: pihole-oauth2-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0-arm64
+        imagePullPolicy: Always
+        ports:
+        - name: http
+          containerPort: 8080
+          protocol: TCP
+        command:
+        - "oauth2-proxy"
+        - "--config=/etc/oauth2-proxy/pihole-oauth2.cfg"
+        volumeMounts:
+        - name: config
+          mountPath: /etc/oauth2-proxy
+          readOnly: true
+        resources:
+          requests:
+            memory: "10Mi"
+            cpu: "10m"
+          limits:
+            memory: "20Mi"
+            cpu: "100m"
+      tolerations:
+      - key: "pcloud"
+        operator: "Equal"
+        value: "role"
+        effect: "NoSchedule"
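Review bot: The `config` volume at L65-67 is a ConfigMap, yet the file it carries (`pihole-oauth2.cfg`, added in this commit) contains `client_secret` and `cookie_secret`, so both credentials are readable by anyone with ConfigMap read access in `app-pihole` and show up in plain text in `kubectl describe`. Keep the non-sensitive settings in the ConfigMap but move the two secret values into a Secret and feed them to the container as `OAUTH2_PROXY_CLIENT_SECRET` / `OAUTH2_PROXY_COOKIE_SECRET`, which oauth2-proxy reads from the environment; the env form takes precedence over the cfg file, so the keys can then be dropped from the file. Unrelated but worth a look: `imagePullPolicy: Always` with a fixed tag re-pulls on every restart, and a 20Mi memory limit for oauth2-proxy looks tight — I would confirm it does not get OOM-killed under a burst of logins.
```yaml
      containers:
      - name: pihole-oauth2-proxy
        # … unchanged: image, ports, command, volumeMounts, resources …
        envFrom:
        - secretRef:
            name: oauth2-proxy-secrets  # placeholder name; holds OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET
```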
diff --git a/scripts/homelab/installer/pihole-oauth2.cfg b/scripts/homelab/installer/pihole-oauth2.cfg
new file mode 100644
index 0000000..a4ce674
--- /dev/null
+++ b/scripts/homelab/installer/pihole-oauth2.cfg
@@ -0,0 +1,64 @@
+http_address = "0.0.0.0:8080"
+
+reverse_proxy = true
+
+## the OAuth Redirect URL.
+# defaults to the "https://" + requested host header + "/oauth2/callback"
+# redirect_url = "http://pihole.pcloud/oauth2/callback"
+
+upstreams = [
+    "http://pihole-web.app-pihole.svc.cluster.local/"
+]
+
+email_domains = [
+    "*"
+]
+
+logging_filename = ""
+logging_max_size = 100
+logging_max_age = 7
+logging_local_time = true
+logging_compress = false
+standard_logging = true
+standard_logging_format = "[{{.Timestamp}}] [{{.File}}] {{.Message}}"
+request_logging = true
+request_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] {{.Host}} {{.RequestMethod}} {{.Upstream}} {{.RequestURI}} {{.Protocol}} {{.UserAgent}} {{.StatusCode}} {{.ResponseSize}} {{.RequestDuration}}"
+auth_logging = true
+auth_logging_format = "{{.Client}} - {{.Username}} [{{.Timestamp}}] [{{.Status}}] {{.Message}}"
+
+pass_basic_auth = true
+pass_user_headers = true
+pass_host_header = true
+
+## The OAuth Client ID, Secret
+client_id = "pihole"
+client_secret = "1QpkwzJoZVlgjTnzfhhF3UfmVDVuKQQEWx4Qu3Oi9RM="
+
+## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token"
+pass_access_token = false
+
+## Cookie Settings
+## Name     - the cookie name
+## Secret   - the seed string for secure cookies; should be 16, 24, or 32 bytes
+##            for use with an AES cipher when cookie_refresh or pass_access_token
+##            is set
+## Domain   - (optional) cookie domain to force cookies to (ie: .yourcompany.com)
+## Expire   - (duration) expire timeframe for cookie
+## Refresh  - (duration) refresh the cookie when duration has elapsed after cookie was initially set.
+##            Should be less than cookie_expire; set to 0 to disable.
+##            On refresh, OAuth token is re-validated.
+##            (ie: 1h means tokens are refreshed on request 1hr+ after it was set)
+## Secure   - secure cookies are only sent by the browser of a HTTPS connection (recommended)
+## HttpOnly - httponly cookies are not readable by javascript (recommended)
+cookie_name = "_oauth2_proxy_pihole"
+cookie_secret = "123456789012345678901234567890--"
+cookie_domains = "pihole.pcloud"
+cookie_expire = "168h"
+cookie_refresh = "100h"
+cookie_secure = true
+cookie_httponly = true
+
+provider = "oidc"
+oidc_issuer_url = "https://hydra.lekva.me/"
+provider_display_name = "PCloud OIDC Provider"
+profile_url = "https://accounts-ui.lekva.me"
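Review bot: `client_secret` (L135) and `cookie_secret` (L154) are committed in clear text, and the cookie secret is a sequential placeholder rather than random bytes, so every session cookie this proxy issues is signed and encrypted with a guessable key. Generate both randomly (32 bytes for the cookie secret, as the comment block above L153 itself requires), supply them out of band via `OAUTH2_PROXY_CLIENT_SECRET` / `OAUTH2_PROXY_COOKIE_SECRET`, delete the two lines here, and treat the client secret already in git history as exposed — rotate it at the issuer. `email_domains = ["*"]` at L113-115 admits any account the OIDC issuer will authenticate; that is presumably intended for a single-user homelab, but a one-line comment saying so would stop a later reader from assuming it is an oversight. The commented `redirect_url` at L107 uses `http://` while `cookie_secure = true`; if TLS is terminated at the ingress that is fine, but a plain-http callback would mean the browser never returns the cookie.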
diff --git a/scripts/homelab/installer/pihole.sh b/scripts/homelab/installer/pihole.sh
index f1f0270..36e0c6c 100644
--- a/scripts/homelab/installer/pihole.sh
+++ b/scripts/homelab/installer/pihole.sh
@@ -1,23 +1,19 @@
 #!/bin/sh
 
 helm upgrade --create-namespace \
-     --namespace pihole \
+     --namespace app-pihole \
      pihole mojo2600/pihole \
      --version 2.4.2 \
      --set image.repository="pihole/pihole" \
      --set image.tag=v5.8.1 \
      --set persistentVolumeClaim.enabled=true \
      --set persistentVolumeClaim.size="5Gi" \
-     --set ingress.enabled=true \
-     --set ingress.hosts={"pihole.pcloud"} \
-     --set ingress.tls[0].hosts[0]="pihole.pcloud" \
-     --set ingress.tls[0].secretName="cert-pihole.pcloud" \
-     --set ingress.annotations."kubernetes\.io/ingress\.class"="nginx-private" \
-     --set ingress.annotations."cert-manager\.io/cluster-issuer"="selfsigned-ca" \
-     --set ingress.annotations."acme\.cert-manager\.io/http01-edit-in-place"="\"true\"" \
+     --set adminPassword="admin" \
+     --set ingress.enabled=false \
      --set serviceDhcp.enabled=false \
      --set serviceDns.type=ClusterIP \
      --set serviceWeb.type=ClusterIP \
+     --set serviceWeb.http.enabled=true \
      --set serviceWeb.https.enabled=false \
      --set virtualHost="pihole.pcloud" \
      --set resources.requests.cpu="250m" \
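Review bot: `--set adminPassword="admin"` at L188 bakes a trivial Pi-hole web password into the installer. The new oauth2-proxy only fronts the ingress; the `pihole-web` ClusterIP service is still reachable from any pod in the cluster, so this password is the sole control on that in-cluster path. Read it from the environment or a pre-created Secret instead, e.g. `--set adminPassword="${PIHOLE_ADMIN_PASSWORD:?set PIHOLE_ADMIN_PASSWORD}"`, so the script fails loudly rather than defaulting to a known value. The helm invocation continues in the next hunk.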
@@ -25,4 +21,14 @@
      --set resources.requests.memory="100M" \
      --set resources.limits.memory="250M"
 
+     # --set ingress.hosts={"internal.pihole.pcloud"} \
+     # --set ingress.tls[0].hosts[0]="internal.pihole.pcloud" \
+     # --set ingress.tls[0].secretName="cert-internal.pihole.pcloud" \
+     # --set ingress.annotations."kubernetes\.io/ingress\.class"="nginx-private" \
+     # --set ingress.annotations."cert-manager\.io/cluster-issuer"="selfsigned-ca" \
+     # --set ingress.annotations."acme\.cert-manager\.io/http01-edit-in-place"="\"true\"" \
+
 # specify ingressClassName manually
+
+# kubectl create configmap oauth2-proxy-config -n app-pihole --from-file=installer/pihole-oauth2.cfg
+# kubectl apply -f installer/pihole-oauth2-proxy.yaml
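Review bot: The ConfigMap creation and the apply at L210-211 are comments, so after this commit the installer disables the chart's ingress (`ingress.enabled=false` in the previous hunk) but never deploys the proxy that replaces it — Pi-hole is unreachable from outside the cluster until someone runs those two commands by hand. Make them real steps, and make the first one idempotent so re-running the installer does not fail on an existing ConfigMap: `kubectl create configmap oauth2-proxy-config -n app-pihole --from-file=installer/pihole-oauth2.cfg --dry-run=client -o yaml | kubectl apply -f -` followed by `kubectl apply -f installer/pihole-oauth2-proxy.yaml`. The commented-out helm flags at L201-206 duplicate lines the commit just removed and can be deleted rather than kept as dead text.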
diff --git a/scripts/homelab/k3s-install.sh b/scripts/homelab/k3s-install.sh
index fedd462..eb6e1bc 100755
--- a/scripts/homelab/k3s-install.sh
+++ b/scripts/homelab/k3s-install.sh
@@ -56,9 +56,9 @@
 #source installer/ingress-nginx.sh
 #source installer/cert-manager.sh
 #source installer/longhorn.sh
-#source installer/pihole.sh
+source installer/pihole.sh
 #source installer/matrix.sh
-#source installer/auth.sh
+# source installer/auth.sh
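Review bot: Enabling `source installer/pihole.sh` at L221 now runs a script whose oauth2-proxy deployment steps are still only comments, so this installer path brings up Pi-hole with `ingress.enabled=false` and no proxy in front of it; either the `kubectl` steps in pihole.sh become real commands or this line should stay disabled until they do. As a matter of style, L224 changes `#source` to `# source` while the neighbouring disabled lines keep `#source`; pick one form for the whole list so a grep for `#source installer/` still finds every toggle.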
 
 # kubectl apply -f ../../apps/rpuppy/install.yaml