Compare commits
37 commits
v5.7-bridg
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
33cebb3cfe | ||
|
|
55c88afaf8 | ||
|
|
96038ebbfa | ||
|
|
226fddf83a | ||
|
|
025a0a20c3 | ||
|
e936dbb95c | ||
|
d60ebfcd7d | ||
|
|
ecee22c5f9 | ||
|
2dd3f775c6 | ||
|
77c9778f61 | ||
|
|
8c1172acbc | ||
|
|
0e8351772a | ||
|
|
068d970f9e | ||
|
|
45a04753ff | ||
|
|
9c405c39e4 | ||
|
84741c9c1f | ||
|
0206d8049a | ||
|
|
d7741de332 | ||
|
|
d378aa3efb | ||
|
|
0a0b7ceb0c | ||
|
|
0814098044 | ||
|
|
0c87b090e1 | ||
|
|
5969c76ee1 | ||
|
5292809c0a | ||
|
adabe4c786 | ||
|
|
5d990c297b | ||
|
|
8cb2c34de4 | ||
|
|
4769b48e9a | ||
|
|
5e36fcb3e7 | ||
|
|
3a3e03fd09 | ||
|
|
4d7fac1d67 | ||
|
e26a459bf3 | ||
|
|
2bd88b7d1b | ||
|
|
ab6bf5c5bc | ||
|
|
9a585c9992 | ||
|
|
3204f19476 | ||
|
|
69063701da |
11 changed files with 83 additions and 51 deletions
|
|
@ -2,10 +2,11 @@
|
|||
|
||||
### Use Docker to run [Pi-Hole](https://pi-hole.net) with an upstream [Unbound](https://nlnetlabs.nl/projects/unbound/about/) resolver.
|
||||
|
||||
Changing this repo to support 2 different docker-compose configurations now:
|
||||
This repo has 2 different `docker-compose` configs-- choose your favorite. The `two-container` config may work better on Synology due to usage of `macvlan` networking which helps prevent port conflicts with the host.
|
||||
|
||||
- [`one-container`](one-container/) (new) - Install Unbound directly into the Pi-Hole container
|
||||
- This configuration contacts the DNS root servers directly, please read the Pi-Hole docs on [Pi-hole as All-Around DNS Solution](https://docs.pi-hole.net/guides/unbound/) to understand what this means.
|
||||
- With this approach, we can also simply our networking since `macvlan` is no longer necessary.
|
||||
- With this approach, we can also simplify our Docker networking since `macvlan` is no longer necessary.
|
||||
- [`two-container`](two-container/) (legacy) - Use separate containers for Pi-Hole and Unbound
|
||||
- This configuration uses MatthewVance's [unbound-docker](https://github.com/MatthewVance/unbound-docker) container to implement encrypted DNS to third party DNS resolvers (eg Cloudflare). This is arguably less privacy-friendly since you're handing your DNS queries to those 3rd party providers.
|
||||
|
||||
|
|
|
|||
|
|
@ -10,35 +10,41 @@ The base image for the container is the [official Pi-Hole container](https://hub
|
|||
|
||||
First create a `.env` file to substitute variables for your deployment.
|
||||
|
||||
### Pi-hole environment variables
|
||||
|
||||
### Required environment variables
|
||||
> Vars and descriptions replicated from the [official pihole container](https://github.com/pi-hole/docker-pi-hole/#environment-variables):
|
||||
|
||||
> Vars and descriptions replicated from the [official pihole container](https://github.com/pi-hole/docker-pi-hole/):
|
||||
|
||||
| Docker Environment Var | Description|
|
||||
| --- | --- |
|
||||
| `ServerIP: <Host's IP>`<br/> | **--net=host mode requires** Set to your server's LAN IP, used by web block modes and lighttpd bind address
|
||||
| `TZ: <Timezone>`<br/> | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
|
||||
| `WEBPASSWORD: <Admin password>`<br/> | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass.
|
||||
| `REV_SERVER: <"true"\|"false">`<br/> | Enable DNS conditional forwarding for device name resolution
|
||||
| `REV_SERVER_DOMAIN: <Network Domain>`<br/> | If conditional forwarding is enabled, set the domain of the local network router
|
||||
| `REV_SERVER_TARGET: <Router's IP>`<br/> | If conditional forwarding is enabled, set the IP of the local network router
|
||||
| `REV_SERVER_CIDR: <Reverse DNS>`<br/>| If conditional forwarding is enabled, set the reverse DNS zone (e.g. `192.168.0.0/24`)
|
||||
| Variable | Default | Value | Description |
|
||||
| -------- | ------- | ----- | ---------- |
|
||||
| `TZ` | UTC | `<Timezone>` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
|
||||
| `WEBPASSWORD` | random | `<Admin password>` | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass.
|
||||
| `FTLCONF_LOCAL_IPV4` | unset | `<Host's IP>` | Set to your server's LAN IP, used by web block modes and lighttpd bind address.
|
||||
| `REV_SERVER` | `false` | `<"true"\|"false">` | Enable DNS conditional forwarding for device name resolution |
|
||||
| `REV_SERVER_DOMAIN` | unset | Network Domain | If conditional forwarding is enabled, set the domain of the local network router |
|
||||
| `REV_SERVER_TARGET` | unset | Router's IP | If conditional forwarding is enabled, set the IP of the local network router |
|
||||
| `REV_SERVER_CIDR` | unset | Reverse DNS | If conditional forwarding is enabled, set the reverse DNS zone (e.g. `192.168.0.0/24`) |
|
||||
| `WEBTHEME` | `default-light` | `<"default-dark"\|"default-darker"\|"default-light"\|"default-auto"\|"lcars">`| User interface theme to use.
|
||||
|
||||
Example `.env` file in the same directory as your `docker-compose.yaml` file:
|
||||
|
||||
```
|
||||
ServerIP=192.168.1.10
|
||||
FTLCONF_LOCAL_IPV4=192.168.1.10
|
||||
TZ=America/Los_Angeles
|
||||
WEBPASSWORD=QWERTY123456asdfASDF
|
||||
REV_SERVER=true
|
||||
REV_SERVER_DOMAIN=local
|
||||
REV_SERVER_TARGET=192.168.1.1
|
||||
REV_SERVER_CIDR=192.168.0.0/16
|
||||
HOSTNAME=pihole
|
||||
DOMAIN_NAME=pihole.local
|
||||
PIHOLE_WEBPORT=80
|
||||
WEBTHEME=default-light
|
||||
```
|
||||
|
||||
### Using Portainer stacks?
|
||||
|
||||
> 2022-3-11: I'm being told that the advice below is no longer true in Portainer. If you're using Portainer, first try it without removing the volumes declaration and see if it works.
|
||||
|
||||
Portainer stacks are a little weird and don't want you to declare your named volumes, so remove this block from the top of the `docker-compose.yaml` file before copy/pasting into Portainer's stack editor:
|
||||
|
||||
```yaml
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
version: '2'
|
||||
version: '3.0'
|
||||
|
||||
volumes:
|
||||
etc_pihole-unbound:
|
||||
|
|
@ -10,28 +10,26 @@ services:
|
|||
image: cbcrowe/pihole-unbound:latest
|
||||
hostname: ${HOSTNAME}
|
||||
domainname: ${DOMAIN_NAME}
|
||||
dns:
|
||||
- 127.0.0.1
|
||||
- 1.1.1.1
|
||||
ports:
|
||||
- 443:443/tcp
|
||||
- 53:53/tcp
|
||||
- 53:53/udp
|
||||
- 80:80/tcp
|
||||
- ${PIHOLE_WEBPORT:-80}:80/tcp #Allows use of different port to access pihole web interface when other docker containers use port 80
|
||||
# - 5335:5335/tcp # Uncomment to enable unbound access on local server
|
||||
# - 22/tcp # Uncomment to enable SSH
|
||||
environment:
|
||||
ServerIP: ${ServerIP}
|
||||
TZ: ${TZ}
|
||||
WEBPASSWORD: ${WEBPASSWORD}
|
||||
REV_SERVER: ${REV_SERVER}
|
||||
REV_SERVER_TARGET: ${REV_SERVER_TARGET}
|
||||
REV_SERVER_DOMAIN: ${REV_SERVER_DOMAIN}
|
||||
REV_SERVER_CIDR: ${REV_SERVER_CIDR}
|
||||
DNS1: 127.0.0.1#5335 # Hardcoded to our Unbound server
|
||||
DNS2: 127.0.0.1#5335 # Hardcoded to our Unbound server
|
||||
DNSSEC: "true" # Enable DNSSEC
|
||||
- FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
|
||||
- TZ=${TZ:-UTC}
|
||||
- WEBPASSWORD=${WEBPASSWORD}
|
||||
- WEBTHEME=${WEBTHEME:-default-light}
|
||||
- REV_SERVER=${REV_SERVER:-false}
|
||||
- REV_SERVER_TARGET=${REV_SERVER_TARGET}
|
||||
- REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN}
|
||||
- REV_SERVER_CIDR=${REV_SERVER_CIDR}
|
||||
- PIHOLE_DNS_=127.0.0.1#5335
|
||||
- DNSSEC="true"
|
||||
- DNSMASQ_LISTENING=single
|
||||
volumes:
|
||||
- etc_pihole-unbound:/etc/pihole:rw
|
||||
- etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
|
||||
restart: unless-stopped
|
||||
|
||||
|
|
|
|||
1
one-container/pihole-unbound/99-edns.conf
Normal file
1
one-container/pihole-unbound/99-edns.conf
Normal file
|
|
@ -0,0 +1 @@
|
|||
edns-packet-max=1232
|
||||
|
|
@ -1,9 +1,12 @@
|
|||
FROM pihole/pihole:v5.6
|
||||
ARG PIHOLE_VERSION
|
||||
FROM pihole/pihole:${PIHOLE_VERSION:-latest}
|
||||
RUN apt update && apt install -y unbound
|
||||
|
||||
COPY lighttpd-external.conf /etc/lighttpd/external.conf
|
||||
COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pi-hole.conf
|
||||
COPY start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
|
||||
COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf
|
||||
RUN mkdir -p /etc/services.d/unbound
|
||||
COPY unbound-run /etc/services.d/unbound/run
|
||||
|
||||
ENTRYPOINT ./s6-init
|
||||
|
||||
RUN chmod +x start_unbound_and_s6_init.sh
|
||||
ENTRYPOINT ./start_unbound_and_s6_init.sh
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
v5.6
|
||||
2023.05.2
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
#!/bin/bash
|
||||
# Run this once: docker buildx create --use --name build --node build --driver-opt network=host
|
||||
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:`cat VERSION` --push .
|
||||
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:latest --push .
|
||||
PIHOLE_VER=`cat VERSION`
|
||||
docker buildx build --build-arg PIHOLE_VERSION=$PIHOLE_VER --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:$PIHOLE_VER --push .
|
||||
docker buildx build --build-arg PIHOLE_VERSION=$PIHOLE_VER --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t cbcrowe/pihole-unbound:latest --push .
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +0,0 @@
|
|||
#!/bin/bash -e
|
||||
/etc/init.d/unbound start
|
||||
/s6-init
|
||||
|
|
@ -34,7 +34,7 @@ server:
|
|||
|
||||
# Reduce EDNS reassembly buffer size.
|
||||
# Suggested by the unbound man page to reduce fragmentation reassembly problems
|
||||
edns-buffer-size: 1472
|
||||
edns-buffer-size: 1232
|
||||
|
||||
# Perform prefetching of close to expired message cache entries
|
||||
# This only applies to domains that have been frequently queried
|
||||
|
|
@ -44,7 +44,8 @@ server:
|
|||
num-threads: 1
|
||||
|
||||
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
|
||||
so-rcvbuf: 1m
|
||||
# Be aware that if enabled (requires CAP_NET_ADMIN or privileged), the kernel buffer must have the defined amount of memory, if not, a warning will be raised.
|
||||
#so-rcvbuf: 1m
|
||||
|
||||
# Ensure privacy of local IP ranges
|
||||
private-address: 192.168.0.0/16
|
||||
|
|
|
|||
25
one-container/pihole-unbound/unbound-run
Executable file
25
one-container/pihole-unbound/unbound-run
Executable file
|
|
@ -0,0 +1,25 @@
|
|||
#!/command/with-contenv bash
|
||||
|
||||
s6-echo "Starting unbound"
|
||||
|
||||
NAME="unbound"
|
||||
DESC="DNS server"
|
||||
DAEMON="/usr/sbin/unbound"
|
||||
PIDFILE="/run/unbound.pid"
|
||||
|
||||
HELPER="/usr/lib/unbound/package-helper"
|
||||
|
||||
test -x $DAEMON || exit 0
|
||||
|
||||
# Override this variable by editing or creating /etc/default/unbound.
|
||||
DAEMON_OPTS=""
|
||||
|
||||
if [ -f /etc/default/unbound ]; then
|
||||
. /etc/default/unbound
|
||||
fi
|
||||
|
||||
$HELPER chroot_setup
|
||||
$HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
|
||||
|
||||
$DAEMON -d $DAEMON_OPTS
|
||||
|
||||
|
|
@ -16,10 +16,9 @@ services:
|
|||
- 80/tcp
|
||||
- 22/tcp
|
||||
environment:
|
||||
ServerIP: 192.168.1.5
|
||||
WEBPASSWORD: ${WEBPASSWORD}
|
||||
DNS1: 192.168.1.6
|
||||
DNS2: 192.168.1.13
|
||||
- FTLCONF_LOCAL_IPV4=192.168.1.5
|
||||
- WEBPASSWORD=${WEBPASSWORD}
|
||||
- PIHOLE_DNS_=192.168.1.6;192.168.1.13
|
||||
volumes:
|
||||
- /volume1/docker/pihole-unbound/pihole/volume:/etc/pihole:rw
|
||||
- /volume1/docker/pihole-unbound/pihole/config/hosts:/etc/hosts:ro
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue