NAS-121200 / 23.10 / Add adguard-home to community train (#1061)

* Add adguard-home to community train

* add GUI

* fix versions

* update wording

* remove uneeded values

* update description

* add a note

* add descriptions and bump common

library/ix-dev/community/adguard-home/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: file://../../../common
+  version: 1.0.3
+digest: sha256:1a090020cfa582aff29906320874ffe9b543fcc6c2423c281f434514f2653e02
+generated: "2023-04-06T19:01:50.673798323+03:00"

library/ix-dev/community/adguard-home/Chart.yaml

@@ -0,0 +1,25 @@
+name: adguard-home
+description: Free and open source, powerful network-wide ads & trackers blocking DNS server.
+annotations:
+  title: AdGuard Home
+type: application
+version: 1.0.0
+apiVersion: v2
+appVersion: 'v0.107.26'
+kubeVersion: '>=1.16.0-0'
+maintainers:
+  - name: truenas
+    url: https://www.truenas.com/
+dependencies:
+  - name: common
+    repository: file://../../../common
+    version: 1.0.3
+home: https://github.com/AdguardTeam/AdGuardHome
+icon: https://github.com/AdguardTeam/AdGuardHome/raw/master/doc/adguard_home_darkmode.svg
+sources:
+  - https://github.com/AdguardTeam/AdGuardHome
+  - https://github.com/truenas/charts/tree/master/library/ix-dev/community/adguard-home
+  - https://hub.docker.com/r/adguard/adguardhome
+keywords:
+  - dns
+  - adblock

library/ix-dev/community/adguard-home/README.md

@@ -0,0 +1,12 @@
+# AdGuard Home
+
+During the setup wizard, AdGuard Home presents an option to select on which port the web interface will be available.
+(Defaults to 80. Which is a privileged port and also usually the TrueNAS SCALE UI uses that port)
+Because of that, App will force the webUI to listen to port 30000 (or the port selected by user in the TrueNAS SCALE UI).
+
+If you select a different port in the wizard, the Dashboard will not work initially but
+after a couple of minutes container will automatically restart and the Dashboard will
+be available on the port you selected on the TrueNAS SCALE UI.
+
+> - AdGuard runs as `root` user.
+> - AdGuard runs with host networking enabled.

library/ix-dev/community/adguard-home/app-readme.md

@@ -0,0 +1,12 @@
+# AdGuard Home
+
+During the setup wizard, AdGuard Home presents an option to select on which port the web interface will be available.
+(Defaults to 80. Which is a privileged port and also usually the TrueNAS SCALE UI uses that port)
+Because of that, App will force the webUI to listen to port 30000 (or the port selected by user in the TrueNAS SCALE UI).
+
+If you select a different port in the wizard, the Dashboard will not work initially but
+after a couple of minutes container will automatically restart and the Dashboard will
+be available on the port you selected on the TrueNAS SCALE UI.
+
+> - AdGuard runs as `root` user.
+> - AdGuard runs with host networking enabled.

library/ix-dev/community/adguard-home/ci/basic-values.yaml

@@ -0,0 +1,7 @@
+adguardStorage:
+  work:
+    type: hostPath
+    hostPath: /mnt/{{ .Release.Name }}/work
+  conf:
+    type: hostPath
+    hostPath: /mnt/{{ .Release.Name }}/conf

library/ix-dev/community/adguard-home/item.yaml

@@ -0,0 +1,4 @@
+icon_url: https://github.com/AdguardTeam/AdGuardHome/raw/master/doc/adguard_home_darkmode.svg
+categories:
+  - dns
+  - adblock

library/ix-dev/community/adguard-home/questions.yaml

@@ -0,0 +1,181 @@
+groups:
+  - name: AdGuard Home Configuration
+    description: Configure AdGuard Home
+  # - name: User and Group Configuration
+  #   description: Configure User and Group for AdGuard Home
+  - name: Network Configuration
+    description: Configure Network for AdGuard Home
+  - name: Storage Configuration
+    description: Configure Storage for AdGuard Home
+  - name: Resources Configuration
+    description: Configure Resources for AdGuard Home
+
+portals:
+  web_portal:
+    protocols:
+      - "$kubernetes-resource_configmap_portal_protocol"
+    host:
+      - "$kubernetes-resource_configmap_portal_host"
+    ports:
+      - "$kubernetes-resource_configmap_portal_port"
+    path: "$kubernetes-resource_configmap_portal_path"
+
+questions:
+  # - variable: adguardRunAs
+  #   label: ""
+  #   group: User and Group Configuration
+  #   schema:
+  #     type: dict
+  #     attrs:
+  #       - variable: user
+  #         label: User ID
+  #         description: The user id that AdGuard Home will run as.
+  #         schema:
+  #           type: int
+  #           min: 1
+  #           default: 568
+  #           required: true
+  #       - variable: group
+  #         label: Group ID
+  #         description: The group id that AdGuard Home will run as.
+  #         schema:
+  #           type: int
+  #           min: 1
+  #           default: 568
+  #           required: true
+
+  - variable: adguardNetwork
+    label: ""
+    group: Network Configuration
+    schema:
+      type: dict
+      attrs:
+        - variable: webPort
+          label: Web Port
+          description: |
+            The port for the AdGuard Home WebUI. Set the same during the setup wizard.
+            In case you set a different port, you will need to stop/start the app for the
+            port set here to take effect. (Or wait for the container to restart automatically)
+          schema:
+            type: int
+            default: 30000
+            min: 9000
+            max: 65535
+            required: true
+        - variable: enableDHCP
+          label: Enable DHCP
+          description: |
+            This will only append the needed capabilities for DHCP to work </br>
+            The configuration for DHCP is done in the AdGuard Home WebUI
+          schema:
+            type: boolean
+            default: false
+
+  - variable: adguardStorage
+    label: ""
+    group: Storage Configuration
+    schema:
+      type: dict
+      attrs:
+        - variable: work
+          label: AdGuard Home Data Storage
+          description: The path to store AdGuard Home work.
+          schema:
+            type: dict
+            attrs:
+              - variable: type
+                label: Type
+                description: |
+                  ixVolume: Is dataset created automatically by the system.</br>
+                  Host Path: Is a path that already exists on the system.
+                schema:
+                  type: string
+                  required: true
+                  default: ixVolume
+                  enum:
+                    - value: hostPath
+                      description: Host Path (Path that already exists on the system)
+                    - value: ixVolume
+                      description: ixVolume (Dataset created automatically by the system)
+              - variable: datasetName
+                label: Dataset Name
+                schema:
+                  type: string
+                  show_if: [["type", "=", "ixVolume"]]
+                  required: true
+                  hidden: true
+                  immutable: true
+                  default: work
+                  $ref:
+                    - "normalize/ixVolume"
+              - variable: hostPath
+                label: Host Path
+                schema:
+                  type: hostpath
+                  show_if: [["type", "=", "hostPath"]]
+                  immutable: true
+                  required: true
+        - variable: conf
+          label: AdGuard Home Configuration Storage
+          description: The path to store AdGuard Home configuration
+          schema:
+            type: dict
+            attrs:
+              - variable: type
+                label: Type
+                description: |
+                  ixVolume: Is dataset created automatically by the system.</br>
+                  Host Path: Is a path that already exists on the system.
+                schema:
+                  type: string
+                  required: true
+                  default: ixVolume
+                  enum:
+                    - value: hostPath
+                      description: Host Path (Path that already exists on the system)
+                    - value: ixVolume
+                      description: ixVolume (Dataset created automatically by the system)
+              - variable: datasetName
+                label: Dataset Name
+                schema:
+                  type: string
+                  show_if: [["type", "=", "ixVolume"]]
+                  required: true
+                  hidden: true
+                  immutable: true
+                  default: conf
+                  $ref:
+                    - "normalize/ixVolume"
+              - variable: hostPath
+                label: Host Path
+                schema:
+                  type: hostpath
+                  show_if: [["type", "=", "hostPath"]]
+                  immutable: true
+                  required: true
+
+  - variable: resources
+    label: ""
+    group: Resources Configuration
+    schema:
+      type: dict
+      attrs:
+        - variable: limits
+          label: Limits
+          schema:
+            type: dict
+            attrs:
+              - variable: cpu
+                label: CPU
+                description: CPU limit for AdGuard Home.
+                schema:
+                  type: string
+                  default: 4000m
+                  required: true
+              - variable: memory
+                label: Memory
+                description: Memory limit for AdGuard Home.
+                schema:
+                  type: string
+                  default: 8Gi
+                  required: true

library/ix-dev/community/adguard-home/templates/NOTES.txt

@@ -0,0 +1 @@
+{{ include "ix.v1.common.lib.chart.notes" $ }}

library/ix-dev/community/adguard-home/templates/_adguard.tpl

@@ -0,0 +1,105 @@
+{{- define "adguard.workload" -}}
+workload:
+  adguard:
+    enabled: true
+    primary: true
+    type: Deployment
+    podSpec:
+      # Host network is pretty much a requirement for apps like this.
+      # Because NodePort can't bind ports like 53(DNS) or 67(DHCP)
+      # and the majority of devices do not have option to change the port.
+      hostNetwork: true
+      containers:
+        adguard:
+          enabled: true
+          primary: true
+          imageSelector: image
+          # Args are copied from the official docker image
+          # So we can also specify the port.
+          # If we dont specify the port here, AdGuardHome
+          # will start initially at port 3000 and after
+          # the setup wizard is completed it will switch
+          # to user specified port.
+          args:
+            - --no-check-update
+            - --host
+            - "0.0.0.0"
+            - --config
+            - /opt/adguardhome/conf/AdGuardHome.yaml
+            - --work-dir
+            - /opt/adguardhome/work
+            - --port
+            - {{ .Values.adguardNetwork.webPort | quote }}
+            # Setup wizard shows an option to select the port that AdGuardHome
+            # Web UI will listen on. If the user selects anything other than the `webPort`,
+            # container will reload its new configuration and listen to the user specified port.
+            # But user won't have access to it because the port is not exposed. Few seconds later
+            # probes will kill the container and restart it with the correct `webPort` port.
+          securityContext:
+            # FIXME: It might be able to run rootless, probably blocked by:
+            # https://github.com/AdguardTeam/AdGuardHome/issues/4681
+            runAsNonRoot: false
+            runAsUser: 0
+            runAsGroup: 0
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+                {{ if .Values.adguardNetwork.enableDHCP }}
+                - NET_RAW
+                {{ end }}
+          # FIXME: Switch to exec probe after this issue is solved, also note that healthcheck
+          # is only available on "edge" tag, as of 27/03/2023
+          # https://github.com/AdguardTeam/AdGuardHome/issues/3290#issuecomment-1485451976
+          probes:
+            liveness:
+              enabled: true
+              type: http
+              path: /
+              port: {{ .Values.adguardNetwork.webPort }}
+            readiness:
+              enabled: true
+              type: http
+              path: /
+              port: {{ .Values.adguardNetwork.webPort }}
+            startup:
+              enabled: true
+              type: http
+              path: /
+              port: {{ .Values.adguardNetwork.webPort }}
+      {{/* # FIXME: Disabled until it can run as non-root
+      initContainers:
+      {{- include "ix.v1.common.app.permissions" (dict "containerName" "01-permissions"
+                                                        "UID" .Values.ipfsRunAs.user
+                                                        "GID" .Values.ipfsRunAs.group
+                                                        "type" "install") | nindent 8 }}
+      */}}
+
+{{/* Persistence */}}
+persistence:
+  work:
+    enabled: true
+    type: {{ .Values.adguardStorage.work.type }}
+    datasetName: {{ .Values.adguardStorage.work.datasetName | default "" }}
+    hostPath: {{ .Values.adguardStorage.work.hostPath | default "" }}
+    targetSelector:
+      adguard:
+        adguard:
+          mountPath: /opt/adguardhome/work
+        {{/* # FIXME: See above
+        01-permissions:
+          mountPath: /mnt/directories/work
+        */}}
+  conf:
+    enabled: true
+    type: {{ .Values.adguardStorage.conf.type }}
+    datasetName: {{ .Values.adguardStorage.conf.datasetName | default "" }}
+    hostPath: {{ .Values.adguardStorage.conf.hostPath | default "" }}
+    targetSelector:
+      adguard:
+        adguard:
+          mountPath: /opt/adguardhome/conf
+        {{/* # FIXME: See above
+        01-permissions:
+          mountPath: /mnt/directories/conf
+        */}}
+{{- end -}}

library/ix-dev/community/adguard-home/templates/_portal.tpl

@@ -0,0 +1,12 @@
+{{- define "adguard.portal" -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: portal
+data:
+  path: /
+  port: {{ .Values.adguardNetwork.webPort | quote }}
+  protocol: http
+  host: $node_ip
+{{- end -}}

library/ix-dev/community/adguard-home/templates/common.yaml

@@ -0,0 +1,9 @@
+{{- include "ix.v1.common.loader.init" . -}}
+
+{{/* Merge the templates with Values */}}
+{{- $_ := mustMergeOverwrite .Values (include "adguard.workload" $ | fromYaml) -}}
+
+{{/* Create the configmap for portal manually*/}}
+{{- include "adguard.portal" $ -}}
+
+{{- include "ix.v1.common.loader.apply" . -}}

library/ix-dev/community/adguard-home/upgrade_strategy

@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+import json
+import re
+import sys
+
+from catalog_update.upgrade_strategy import semantic_versioning
+
+
+RE_STABLE_VERSION = re.compile(r'v[0-9]+\.[0-9]+\.[0-9]+')
+
+
+def newer_mapping(image_tags):
+    key = list(image_tags.keys())[0]
+    tags = {t: t for t in image_tags[key] if RE_STABLE_VERSION.fullmatch(t)}
+    version = semantic_versioning(list(tags))
+    if not version:
+        return {}
+
+    return {
+        'tags': {key: tags[version]},
+        'app_version': version,
+    }
+
+
+if __name__ == '__main__':
+    try:
+        versions_json = json.loads(sys.stdin.read())
+    except ValueError:
+        raise ValueError('Invalid json specified')
+
+    print(json.dumps(newer_mapping(versions_json)))

library/ix-dev/community/adguard-home/values.yaml

@@ -0,0 +1,28 @@
+image:
+  repository: adguard/adguardhome
+  tag: v0.107.26
+  pullPolicy: IfNotPresent
+
+resources:
+  limits:
+    cpu: 4000m
+    memory: 8Gi
+
+adguardNetwork:
+  webPort: 30000
+  enableDHCP: false
+
+# FIXME: See _adguard.tpl
+# adguardRunAs:
+#   user: 568
+#   group: 568
+
+adguardStorage:
+  work:
+    type: ixVolume
+    hostPath: ""
+    datasetName: work
+  conf:
+    type: ixVolume
+    hostPath: ""
+    datasetName: conf