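# Pi-hole on Kubernetes: namespace, TLS secret (via the shared module), a
# lighttpd vhost override, the Deployment, one Service for DNS (UDP/53), one
# Service for the web UI (TCP/80) and a Traefik ingress in front of the web UI.

# Name of the TLS secret the ../setup_tls_secret module provisions in the
# namespace; the ingress tls block below references the same name.
variable "tls_secret_name" {}

# Admin password for the Pi-hole web UI. Marked sensitive so Terraform redacts
# it from plan/apply output and logs; note it is still persisted in state.
variable "web_password" {
  sensitive = true
}

resource "kubernetes_namespace" "pihole" {
  metadata {
    name = "pihole"
  }
}

module "tls_secret" {
  source          = "../setup_tls_secret"
  namespace       = kubernetes_namespace.pihole.metadata[0].name
  tls_secret_name = var.tls_secret_name
}

# lighttpd snippet mounted into the container: serves the admin UI at the
# document root for the pihole.viktorbarzin.me vhost.
resource "kubernetes_config_map" "external_conf" {
  metadata {
    name      = "external-conf"
    namespace = kubernetes_namespace.pihole.metadata[0].name
    labels = {
      app = "pihole"
    }
  }
  data = {
    "external.conf" = "$HTTP[\"host\"] == \"pihole.viktorbarzin.me\" {\n server.document-root = \"/var/www/html/admin/\"\n}\n"
  }
}

# The web UI password is handed to the container through a Secret rather than
# an inline env value, so it is not readable from the Deployment manifest.
resource "kubernetes_secret" "pihole_web_password" {
  metadata {
    name      = "pihole-web-password"
    namespace = kubernetes_namespace.pihole.metadata[0].name
    labels = {
      app = "pihole"
    }
  }
  data = {
    WEBPASSWORD = var.web_password
  }
  type = "Opaque"
}

resource "kubernetes_deployment" "pihole" {
  metadata {
    name      = "pihole"
    namespace = kubernetes_namespace.pihole.metadata[0].name
    labels = {
      app = "pihole"
    }
  }
  spec {
    # Single replica; /etc/pihole and /etc/dnsmasq.d live on emptyDir volumes
    # below, so Pi-hole's local state does not survive pod replacement.
    replicas = 1
    selector {
      match_labels = {
        app = "pihole"
      }
    }
    template {
      metadata {
        labels = {
          app = "pihole"
        }
      }
      spec {
        container {
          # TODO(review): "latest" is a mutable tag — pin a version or digest so
          # rollouts are reproducible and image changes are deliberate.
          image = "pihole/pihole:latest"
          name  = "pihole"
          # requests == limits: Guaranteed QoS class for the pod.
          resources {
            limits = {
              cpu    = "1"
              memory = "1Gi"
            }
            requests = {
              cpu    = "1"
              memory = "1Gi"
            }
          }
          port {
            container_port = 80
          }
          env {
            # Upstream resolver in Pi-hole's host#port form (presumably the bind
            # server noted by the author — defined outside this file).
            name  = "DNS1"
            value = "10.0.20.200#5354" # bind
          }
          env {
            name  = "VIRTUAL_HOST"
            value = "pihole.viktorbarzin.me"
          }
          env {
            name = "WEBPASSWORD"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.pihole_web_password.metadata[0].name
                key  = "WEBPASSWORD"
              }
            }
          }
          env {
            name  = "TZ"
            value = "Europe/Sofia"
          }
          volume_mount {
            name       = "external-conf"
            mount_path = "/tmp/external.conf"
            sub_path   = "external.conf"
          }
          volume_mount {
            name       = "pihole-local-etc-volume"
            mount_path = "/etc/pihole"
          }
          volume_mount {
            name       = "pihole-local-dnsmasq-volume"
            mount_path = "/etc/dnsmasq.d"
          }
        }
        volume {
          name = "external-conf"
          config_map {
            # Reference the resource so Terraform orders the ConfigMap first.
            name = kubernetes_config_map.external_conf.metadata[0].name
          }
        }
        volume {
          name = "pihole-local-etc-volume"
          empty_dir {} # no hard dependencies on truenas which needs dns
        }
        volume {
          name = "pihole-local-dnsmasq-volume"
          empty_dir {} # no hard dependencies on truenas which needs dns
        }
      }
    }
  }
}

# DNS service, UDP/53 only. No type is set, so the provider default (ClusterIP)
# applies; the MetalLB allow-shared-ip annotation only takes effect once the
# commented-out LoadBalancer type is restored.
resource "kubernetes_service" "pihole-dns" {
  metadata {
    name      = "pihole-dns"
    namespace = kubernetes_namespace.pihole.metadata[0].name
    labels = {
      "app" = "pihole"
    }
    annotations = {
      "metallb.universe.tf/allow-shared-ip" : "shared"
    }
  }
  spec {
    # type = "LoadBalancer"
    # external_traffic_policy = "Cluster"
    selector = {
      app = "pihole"
    }
    port {
      name     = "dns-udp"
      port     = 53
      protocol = "UDP"
    }
  }
}

# Web UI service (TCP/80); reached through the Traefik ingress below.
resource "kubernetes_service" "pihole-web" {
  metadata {
    name      = "pihole-web"
    namespace = kubernetes_namespace.pihole.metadata[0].name
    labels = {
      "app" = "pihole"
    }
    annotations = {
      "metallb.universe.tf/allow-shared-ip" : "shared"
    }
  }
  spec {
    selector = {
      app = "pihole"
    }
    port {
      name = "dns-web"
      port = 80
    }
  }
}

# Ingress for the admin UI: HTTPS only (websecure entrypoint), rate limiting,
# CSP headers and CrowdSec middlewares, and the traefik-mtls TLS options
# (presumably client-certificate auth; the TLSOption is defined elsewhere).
resource "kubernetes_ingress_v1" "pihole" {
  metadata {
    name      = "pihole-ingress"
    namespace = kubernetes_namespace.pihole.metadata[0].name
    annotations = {
      "traefik.ingress.kubernetes.io/router.middlewares"  = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
      "traefik.ingress.kubernetes.io/router.entrypoints"  = "websecure"
      "traefik.ingress.kubernetes.io/router.tls.options"  = "traefik-mtls@kubernetescrd"
    }
  }
  spec {
    ingress_class_name = "traefik"
    tls {
      hosts       = ["pihole.viktorbarzin.me"]
      secret_name = var.tls_secret_name
    }
    rule {
      host = "pihole.viktorbarzin.me"
      http {
        path {
          path = "/"
          backend {
            service {
              # Reference the Service resource instead of a bare string so the
              # dependency is explicit to Terraform.
              name = kubernetes_service.pihole-web.metadata[0].name
              port {
                number = 80
              }
            }
          }
        }
      }
    }
  }
}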