Compare commits


No commits in common. "main" and "v5.7-bridge" have entirely different histories.

11 changed files with 51 additions and 83 deletions

View file

@ -2,11 +2,10 @@
### Use Docker to run [Pi-Hole](https://pi-hole.net) with an upstream [Unbound](https://nlnetlabs.nl/projects/unbound/about/) resolver. ### Use Docker to run [Pi-Hole](https://pi-hole.net) with an upstream [Unbound](https://nlnetlabs.nl/projects/unbound/about/) resolver.
This repo has 2 different `docker-compose` configs-- choose your favorite. The `two-container` config may work better on Synology due to usage of `macvlan` networking which helps prevent port conflicts with the host. Changing this repo to support 2 different docker-compose configurations now:
- [`one-container`](one-container/) (new) - Install Unbound directly into the Pi-Hole container - [`one-container`](one-container/) (new) - Install Unbound directly into the Pi-Hole container
- This configuration contacts the DNS root servers directly, please read the Pi-Hole docs on [Pi-hole as All-Around DNS Solution](https://docs.pi-hole.net/guides/unbound/) to understand what this means. - This configuration contacts the DNS root servers directly, please read the Pi-Hole docs on [Pi-hole as All-Around DNS Solution](https://docs.pi-hole.net/guides/unbound/) to understand what this means.
- With this approach, we can also simplify our Docker networking since `macvlan` is no longer necessary. - With this approach, we can also simply our networking since `macvlan` is no longer necessary.
- [`two-container`](two-container/) (legacy) - Use separate containers for Pi-Hole and Unbound - [`two-container`](two-container/) (legacy) - Use separate containers for Pi-Hole and Unbound
- This configuration uses MatthewVance's [unbound-docker](https://github.com/MatthewVance/unbound-docker) container to implement encrypted DNS to third party DNS resolvers (eg Cloudflare). This is arguably less privacy-friendly since you're handing your DNS queries to those 3rd party providers. - This configuration uses MatthewVance's [unbound-docker](https://github.com/MatthewVance/unbound-docker) container to implement encrypted DNS to third party DNS resolvers (eg Cloudflare). This is arguably less privacy-friendly since you're handing your DNS queries to those 3rd party providers.
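Review bot: the one-container bullet in the right column reads "simply our networking" where "simplify" is meant; the left column's "simplify our Docker networking since `macvlan` is no longer necessary" is the wording to keep, and the right column's opening sentence ("Changing this repo to support 2 different docker-compose configurations now:") reads like a commit message rather than a README and should be replaced by the left column's "choose your favorite" paragraph. The privacy comparison in the `two-container` bullet deserves one qualifying clause: resolving from the root servers keeps queries away from a single third-party provider, but those recursive queries leave the host as plaintext DNS, so the trade-off is who can observe them rather than whether anyone can.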

View file

@ -10,41 +10,35 @@ The base image for the container is the [official Pi-Hole container](https://hub
First create a `.env` file to substitute variables for your deployment. First create a `.env` file to substitute variables for your deployment.
### Pi-hole environment variables
> Vars and descriptions replicated from the [official pihole container](https://github.com/pi-hole/docker-pi-hole/#environment-variables): ### Required environment variables
| Variable | Default | Value | Description | > Vars and descriptions replicated from the [official pihole container](https://github.com/pi-hole/docker-pi-hole/):
| -------- | ------- | ----- | ---------- |
| `TZ` | UTC | `<Timezone>` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight. | Docker Environment Var | Description|
| `WEBPASSWORD` | random | `<Admin password>` | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass. | --- | --- |
| `FTLCONF_LOCAL_IPV4` | unset | `<Host's IP>` | Set to your server's LAN IP, used by web block modes and lighttpd bind address. | `ServerIP: <Host's IP>`<br/> | **--net=host mode requires** Set to your server's LAN IP, used by web block modes and lighttpd bind address
| `REV_SERVER` | `false` | `<"true"\|"false">` | Enable DNS conditional forwarding for device name resolution | | `TZ: <Timezone>`<br/> | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
| `REV_SERVER_DOMAIN` | unset | Network Domain | If conditional forwarding is enabled, set the domain of the local network router | | `WEBPASSWORD: <Admin password>`<br/> | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass.
| `REV_SERVER_TARGET` | unset | Router's IP | If conditional forwarding is enabled, set the IP of the local network router | | `REV_SERVER: <"true"\|"false">`<br/> | Enable DNS conditional forwarding for device name resolution
| `REV_SERVER_CIDR` | unset | Reverse DNS | If conditional forwarding is enabled, set the reverse DNS zone (e.g. `192.168.0.0/24`) | | `REV_SERVER_DOMAIN: <Network Domain>`<br/> | If conditional forwarding is enabled, set the domain of the local network router
| `WEBTHEME` | `default-light` | `<"default-dark"\|"default-darker"\|"default-light"\|"default-auto"\|"lcars">`| User interface theme to use. | `REV_SERVER_TARGET: <Router's IP>`<br/> | If conditional forwarding is enabled, set the IP of the local network router
| `REV_SERVER_CIDR: <Reverse DNS>`<br/>| If conditional forwarding is enabled, set the reverse DNS zone (e.g. `192.168.0.0/24`)
Example `.env` file in the same directory as your `docker-compose.yaml` file: Example `.env` file in the same directory as your `docker-compose.yaml` file:
``` ```
FTLCONF_LOCAL_IPV4=192.168.1.10 ServerIP=192.168.1.10
TZ=America/Los_Angeles TZ=America/Los_Angeles
WEBPASSWORD=QWERTY123456asdfASDF WEBPASSWORD=QWERTY123456asdfASDF
REV_SERVER=true REV_SERVER=true
REV_SERVER_DOMAIN=local REV_SERVER_DOMAIN=local
REV_SERVER_TARGET=192.168.1.1 REV_SERVER_TARGET=192.168.1.1
REV_SERVER_CIDR=192.168.0.0/16 REV_SERVER_CIDR=192.168.0.0/16
HOSTNAME=pihole
DOMAIN_NAME=pihole.local
PIHOLE_WEBPORT=80
WEBTHEME=default-light
``` ```
### Using Portainer stacks? ### Using Portainer stacks?
> 2022-3-11: I'm being told that the advice below is no longer true in Portainer. If you're using Portainer, first try it without removing the volumes declaration and see if it works.
Portainer stacks are a little weird and don't want you to declare your named volumes, so remove this block from the top of the `docker-compose.yaml` file before copy/pasting into Portainer's stack editor: Portainer stacks are a little weird and don't want you to declare your named volumes, so remove this block from the top of the `docker-compose.yaml` file before copy/pasting into Portainer's stack editor:
```yaml ```yaml
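Review bot: `HOSTNAME`, `DOMAIN_NAME` and `PIHOLE_WEBPORT` appear in the left column's example `.env` (and the compose file reads `${HOSTNAME}`, `${DOMAIN_NAME}` and `${PIHOLE_WEBPORT:-80}`), but neither column's table documents them; add three rows so a reader knows they are expected. The right column's table has lost its header row and column separators and should be replaced by the four-column layout on the left. Since the `.env` example embeds `WEBPASSWORD`, say that the file must not be committed (add it to `.gitignore`), and reconcile the example's `REV_SERVER_CIDR=192.168.0.0/16` with the `/24` the table suggests, or note that either works. The dated Portainer note says its own advice is no longer true, so either drop that section or restate what currently works.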

View file

@ -1,4 +1,4 @@
version: '3.0' version: '2'
volumes: volumes:
etc_pihole-unbound: etc_pihole-unbound:
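Review bot: `version: '3.0'` versus `version: '2'` is the only change here, and current Docker Compose (the Compose Specification) ignores the top-level `version` key and warns that it is obsolete, so the cleanest fix is to drop the line in both columns rather than bump it.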
@ -10,26 +10,28 @@ services:
image: cbcrowe/pihole-unbound:latest image: cbcrowe/pihole-unbound:latest
hostname: ${HOSTNAME} hostname: ${HOSTNAME}
domainname: ${DOMAIN_NAME} domainname: ${DOMAIN_NAME}
dns:
- 127.0.0.1
- 1.1.1.1
ports: ports:
- 443:443/tcp - 443:443/tcp
- 53:53/tcp - 53:53/tcp
- 53:53/udp - 53:53/udp
- ${PIHOLE_WEBPORT:-80}:80/tcp #Allows use of different port to access pihole web interface when other docker containers use port 80 - 80:80/tcp
# - 5335:5335/tcp # Uncomment to enable unbound access on local server
# - 22/tcp # Uncomment to enable SSH # - 22/tcp # Uncomment to enable SSH
environment: environment:
- FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4} ServerIP: ${ServerIP}
- TZ=${TZ:-UTC} TZ: ${TZ}
- WEBPASSWORD=${WEBPASSWORD} WEBPASSWORD: ${WEBPASSWORD}
- WEBTHEME=${WEBTHEME:-default-light} REV_SERVER: ${REV_SERVER}
- REV_SERVER=${REV_SERVER:-false} REV_SERVER_TARGET: ${REV_SERVER_TARGET}
- REV_SERVER_TARGET=${REV_SERVER_TARGET} REV_SERVER_DOMAIN: ${REV_SERVER_DOMAIN}
- REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN} REV_SERVER_CIDR: ${REV_SERVER_CIDR}
- REV_SERVER_CIDR=${REV_SERVER_CIDR} DNS1: 127.0.0.1#5335 # Hardcoded to our Unbound server
- PIHOLE_DNS_=127.0.0.1#5335 DNS2: 127.0.0.1#5335 # Hardcoded to our Unbound server
- DNSSEC="true" DNSSEC: "true" # Enable DNSSEC
- DNSMASQ_LISTENING=single
volumes: volumes:
- etc_pihole-unbound:/etc/pihole:rw - etc_pihole-unbound:/etc/pihole:rw
- etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw - etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
restart: unless-stopped restart: unless-stopped
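Review bot: `- DNSSEC="true"` in the left column's list-style `environment:` passes the double quotes through as part of the value (Compose does not shell-parse list entries), so any startup script that compares the variable to the string `true` will not match; write `- DNSSEC=true`, or use the map form `DNSSEC: "true"` as the right column does. The added `dns:` block lists `1.1.1.1` after `127.0.0.1`, which gives the container's own lookups a plaintext third-party fallback that bypasses Unbound whenever the local resolver is slow or not yet up, contradicting the README's privacy rationale; drop the fallback or point it at another local resolver. The commented `5335:5335/tcp` mapping would expose Unbound directly; if it is ever uncommented, Unbound's `access-control` must still restrict it to the LAN so the host does not become an open resolver.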

View file

@ -1 +0,0 @@
edns-packet-max=1232
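Review bot: `edns-packet-max=1232` exists only on the `-` side, so one column ships dnsmasq with its default EDNS buffer while the other matches Unbound's `edns-buffer-size: 1232`; keep the file, because dnsmasq advertising a larger buffer than its upstream Unbound uses reintroduces the fragmentation problem the Unbound comment describes, and 1232 is the DNS Flag Day 2020 value both should agree on.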

View file

@ -1,12 +1,9 @@
ARG PIHOLE_VERSION FROM pihole/pihole:v5.6
FROM pihole/pihole:${PIHOLE_VERSION:-latest}
RUN apt update && apt install -y unbound RUN apt update && apt install -y unbound
COPY lighttpd-external.conf /etc/lighttpd/external.conf COPY lighttpd-external.conf /etc/lighttpd/external.conf
COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pi-hole.conf COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pi-hole.conf
COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
RUN mkdir -p /etc/services.d/unbound
COPY unbound-run /etc/services.d/unbound/run
ENTRYPOINT ./s6-init
RUN chmod +x start_unbound_and_s6_init.sh
ENTRYPOINT ./start_unbound_and_s6_init.sh
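Review bot: `ENTRYPOINT ./s6-init` and `ENTRYPOINT ./start_unbound_and_s6_init.sh` are both shell form, which wraps the init in `/bin/sh -c` and can leave s6 off PID 1 and not the direct recipient of the container's stop signal; use the exec form, e.g. `ENTRYPOINT ["/s6-init"]`. In the left column `FROM pihole/pihole:${PIHOLE_VERSION:-latest}` silently builds from an unpinned base whenever the build arg is omitted, which undoes the point of the `VERSION` file; drop the `:-latest` default (or fail the build on an empty arg) so every image is reproducible. `RUN apt update && apt install -y unbound` should also add `--no-install-recommends` and end with `rm -rf /var/lib/apt/lists/*` so the package index does not end up in the layer.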

View file

@ -1 +1 @@
2023.05.2 v5.6
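Review bot: the build script reads `VERSION` both as the `PIHOLE_VERSION` build arg (so it must be an exact `pihole/pihole` tag) and as this image's own published tag, but nothing on the page says so; state in the README that the value must be an existing upstream tag such as `2023.05.2`, since a typo here either fails the build or, with the left column's `:-latest` default, silently builds from an unpinned base.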

View file

@ -1,7 +1,6 @@
#!/bin/bash #!/bin/bash
# Run this once: docker buildx create --use --name build --node build --driver-opt network=host # Run this once: docker buildx create --use --name build --node build --driver-opt network=host
PIHOLE_VER=`cat VERSION` docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:`cat VERSION` --push .
docker buildx build --build-arg PIHOLE_VERSION=$PIHOLE_VER --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:$PIHOLE_VER --push . docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:latest --push .
docker buildx build --build-arg PIHOLE_VERSION=$PIHOLE_VER --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:latest --push .
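Review bot: the two separate `docker buildx build ... --push` invocations for `:$PIHOLE_VER` and `:latest` are independent builds, and because the Dockerfile runs `apt update`, the two pushes can contain different package versions under tags a reader expects to be identical; pass both tags to one build instead (`-t cbcrowe/pihole-unbound:$PIHOLE_VER -t cbcrowe/pihole-unbound:latest`). Add `set -eu` after the shebang and prefer `PIHOLE_VER=$(cat VERSION)` over backticks, so an empty or missing `VERSION` stops the script rather than producing an empty tag or, in the left column, silently falling through to the Dockerfile's `latest` default.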

View file

@ -0,0 +1,3 @@
#!/bin/bash -e
/etc/init.d/unbound start
/s6-init
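Review bot: `/etc/init.d/unbound start` launches Unbound as an unsupervised background daemon before handing off to s6, so if Unbound exits later Pi-hole keeps running with a dead upstream and nothing restarts it; the left column's `/etc/services.d/unbound/run` service puts it under s6 supervision and is the better shape. The last line should be `exec /s6-init` so the init system replaces this shell instead of running as its child, and `-e` on the shebang line only takes effect when the script is executed directly, not when it is invoked as `bash script.sh`.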

View file

@ -34,7 +34,7 @@ server:
# Reduce EDNS reassembly buffer size. # Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems # Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1232 edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries # Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried # This only applies to domains that have been frequently queried
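Review bot: `edns-buffer-size: 1472` in the right column contradicts the comment above it, which says the value was reduced to avoid fragmentation; 1472 is an Ethernet-MTU-derived size that still fragments on smaller paths, and Unbound's own default has been 1232 since 1.12 for exactly that reason, so the left column's `1232` is the one to keep.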
@ -44,8 +44,7 @@ server:
num-threads: 1 num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes # Ensure kernel buffer is large enough to not lose messages in traffic spikes
# Be aware that if enabled (requires CAP_NET_ADMIN or privileged), the kernel buffer must have the defined amount of memory, if not, a warning will be raised. so-rcvbuf: 1m
#so-rcvbuf: 1m
# Ensure privacy of local IP ranges # Ensure privacy of local IP ranges
private-address: 192.168.0.0/16 private-address: 192.168.0.0/16
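Review bot: `so-rcvbuf: 1m` set unconditionally in the right column asks the kernel for a receive buffer above the usual `net.core.rmem_max`, which needs CAP_NET_ADMIN; in an unprivileged container Unbound logs a warning and keeps the smaller buffer, so the left column's commented-out line with its explanatory comment is the honest default. Only `private-address: 192.168.0.0/16` is visible in this context; if the rest of the file does not also list `10.0.0.0/8`, `172.16.0.0/12`, `169.254.0.0/16`, `fd00::/8` and `fe80::/10`, add them so DNS rebinding protection covers every private range a LAN might use.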

View file

@ -1,25 +0,0 @@
#!/command/with-contenv bash
s6-echo "Starting unbound"
NAME="unbound"
DESC="DNS server"
DAEMON="/usr/sbin/unbound"
PIDFILE="/run/unbound.pid"
HELPER="/usr/lib/unbound/package-helper"
test -x $DAEMON || exit 0
# Override this variable by editing or creating /etc/default/unbound.
DAEMON_OPTS=""
if [ -f /etc/default/unbound ]; then
. /etc/default/unbound
fi
$HELPER chroot_setup
$HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
$DAEMON -d $DAEMON_OPTS
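Review bot: `$DAEMON -d $DAEMON_OPTS` should be `exec $DAEMON -d $DAEMON_OPTS` so s6 supervises Unbound itself rather than the bash wrapper, and stop signals and restarts reach the right process. `test -x $DAEMON || exit 0` makes a missing binary look like a clean exit, which s6 will keep restarting without surfacing an error; exit non-zero instead. `logger -p daemon.info` assumes a syslog socket that a container usually lacks, so the trust-anchor update output is silently dropped; write it to stdout so `docker logs` captures it. Leaving `$DAEMON_OPTS` unquoted is intended (word splitting), but `$HELPER` and `$DAEMON` should be quoted.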

View file

@ -16,9 +16,10 @@ services:
- 80/tcp - 80/tcp
- 22/tcp - 22/tcp
environment: environment:
- FTLCONF_LOCAL_IPV4=192.168.1.5 ServerIP: 192.168.1.5
- WEBPASSWORD=${WEBPASSWORD} WEBPASSWORD: ${WEBPASSWORD}
- PIHOLE_DNS_=192.168.1.6;192.168.1.13 DNS1: 192.168.1.6
DNS2: 192.168.1.13
volumes: volumes:
- /volume1/docker/pihole-unbound/pihole/volume:/etc/pihole:rw - /volume1/docker/pihole-unbound/pihole/volume:/etc/pihole:rw
- /volume1/docker/pihole-unbound/pihole/config/hosts:/etc/hosts:ro - /volume1/docker/pihole-unbound/pihole/config/hosts:/etc/hosts:ro
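Review bot: `FTLCONF_LOCAL_IPV4=192.168.1.5` (and `ServerIP: 192.168.1.5`) hardcode the Pi-hole address while `WEBPASSWORD` comes from `${WEBPASSWORD}`; read the IP from `.env` too, as the one-container config does, so the file works outside the author's LAN. The `PIHOLE_DNS_=192.168.1.6;192.168.1.13` form is correct for Pi-hole (`;`-separated), but a comment should say which hosts those two addresses are, since a reader cannot tell from the compose file alone. `22/tcp` under `ports` exposes a port that nothing in the official Pi-hole image listens on and should be dropped.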