Ad Guard Home

Adguard HomeAdguard Home is a network-wide software for blocking ads and tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network. Basically, this can replace your DNS server to prevent ads and trackers from resolving correctly. In addition you can do some things like DNS rewrites and other functions to take control of your DNS.

Product: Adguard Home
Install Type: Helm (Chart)
Container Image: Docker

Installation Details

As this is meant to replace your DNS server you use at home, you should be sure you have a LoadBalancer class (like MetalLB) configured prior to installation so all of your devices outside of your cluster can also connect to this for DNS.

First, if you don't already have the Geek Cookbook repository in Helm, let's add it now

helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update

I like to see the values and modify them myself as needed, so we can do:

helm show values k8s-at-home/adguard-home > values.yaml

You can now edit the settings you should change (like env.TZ and persistent storage options for example) in the values.yaml file. By default, an ingress is not defined for the User Interface. I have leveraged Authentik with the embedded outpost to provide a secure authentication limited to admins for this.

ingress:
  # -- Enable and configure ingress settings for the chart under this key.
  # @default -- See values.yaml
  main:
    enabled: true
    ingressClassName: Your-Ingress-Class
    annotations:
      cert-manager.io/cluster-issuer: your-cert-manager-issuer
      # This should be the in-cluster DNS name for the authentik outpost service
      # as when the external URL is specified here, nginx will overwrite some crucial headers
      nginx.ingress.kubernetes.io/auth-url: |-
        http://ak-outpost-authentik-embedded-outpost.identity.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
      # If you're using domain-level auth, use the authentication URL instead of the application URL
      nginx.ingress.kubernetes.io/auth-signin: |-
        https://your.ui.host.name/outpost.goauthentik.io/start?rd=$escaped_request_uri
      nginx.ingress.kubernetes.io/auth-response-headers: |-
        Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
      nginx.ingress.kubernetes.io/auth-snippet: |
        proxy_set_header X-Forwarded-Host $http_host;
    hosts:
      - host: your.ui.host.name
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: adgurad-home-tls
        hosts:
          - your.ui.host.name

Note:

This of course will only work if you have previously installed and configured Authentik, an Ingress, Cert Manager, and possibly an internal certificate provider. You can simply omit nginx.ingress.kubernetes.io/auth-url, nginx.ingress.kubernetes.io/auth-signin, and nginx.ingress.kubernetes.io/auth-response-headers keys and values if you are not leveraging Authentik for Single Sign On.

We can then install it with:

helm upgrade --install adguard-home k8s-at-home/adguard-home \
             -f values.yaml -n utility --create-namespace

This will create two services, one for UDP and one for TCP. Normal DNS implementations use the UDP instance on port 53. For me, since I wanted fault tolerance I left DNS running on my router (with DHCP) and configured AdGuard to point to that as my upstream DNS. Then for DHCP I define the AdGuard IP as the first DNS server and my router as the second DNS server. Be sure to not allow "loadbalancing" of DNS. This way if AdGuard fails for some reason, things like your Smart TV with Netflix will still work with no intervention.