How well does that run in docker? I’ve always liked docker, but it seems to me that certain apps should touch metal than be containerized. Maybe I’m too old school.
Comment on Pihole + Unbound Docker Compose file
chris@lemmy.grey.fail 1 month ago
services: pihole: container_name: pihole image: pihole/pihole:latest hostname: sheldon environment: HOST_CONTAINERNAME: pihole TZ: ${TZ} WEBPASSWORD: ${WEBPASSWORD} DNSMASQ_LISTENING: "all" PIHOLE_DNS_1: "unbound#53" ports: - "53:53/tcp" - "53:53/udp" - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server - "8080:80/tcp" # network_mode: host dns: - 127.0.0.1 networks: dns: ipv4_address: 172.22.0.2 volumes: - /mnt/appdata/pihole/etc-pihole:/etc/pihole - /mnt/appdata/pihole/etc-dnsmasq.d:/etc/dnsmasq.d restart: unless-stopped depends_on: unbound: condition: service_healthy unbound: container_name: unbound image: klutchell/unbound:latest networks: dns: ipv4_address: 172.22.0.3 volumes: - /mnt/appdata/unbound:/opt/unbound/etc/unbound/custom restart: unless-stopped healthcheck: test: ["CMD", "dig", "google.com", "@127.0.0.1"] interval: 10s timeout: 5s retries: 5 wg-easy: container_name: wg-easy image: ghcr.io/wg-easy/wg-easy:15 ports: - "51820:51820/udp" - "51821:51821/tcp" # environment: # TZ: ${TZ} # LANG: en # WG_HOST: ${WG_HOST} # PASSWORD_HASH: ${PASSWORD_HASH} # WG_DEFAULT_DNS: 172.22.0.2 # WG_MTU: 1420 networks: dns: ipv4_address: 172.22.0.4 volumes: - /mnt/appdata/wg-easy:/etc/wireguard - /lib/modules:/lib/modules:ro cap_add: - NET_ADMIN - SYS_MODULE sysctls: - net.ipv4.ip_forward=1 - net.ipv4.conf.all.src_valid_mark=1 - net.ipv6.conf.all.disable_ipv6=0 - net.ipv6.conf.all.forwarding=1 - net.ipv6.conf.default.forwarding=1 restart: unless-stopped networks: dns: external: true
Feel free to just delete the wg-easy service.
irmadlad@lemmy.world 1 month ago
chris@lemmy.grey.fail 1 month ago
I love the portability of running this in Docker. I rsync a backup of this and the Appdata folder every night. When or if this server fails, I can be up and running again in minutes on another machine.
Zanathos@lemmy.world 1 month ago
I do exactly the same thing for all three of these services! My implementation is on podman rather than docker, but basically the same deal.
B0rax@feddit.org 1 month ago
I have all these services in docker as well (although not with the docker compose file here) and they run perfectly fine with a very low resource footprint.
irmadlad@lemmy.world 1 month ago
0K that’s cool. I love docker. I would like to upgrade to k8s but I haven’t yet plumbed the depths of docker. I was just with the overhead of docker, since Pi-Hole/Unbound is a dedicated system, I thought maybe it’d get better thru put baked in. I wouldn’t listen to me tho, I’m medicated.
B0rax@feddit.org 1 month ago
As an anecdote: I have one system (x86) with pi-hole and unbound in a docker, and a secondary raspberry pi with pi-hole running on bare metal. The docker system (although much more performant in general) has a lower latency as the raspberry bare metal install.
Appoxo@lemmy.dbzer0.com 1 month ago
Focker container in host mode is sufficient for most cases requiring bare deployment.
irmadlad@lemmy.world 1 month ago
I’ve heard of Docker, Incus, k8s, VM, but not Focker. Is this some new containerization software?
Octavusss@lemm.ee 1 month ago
Thank you very much.
chris@lemmy.grey.fail 1 month ago
How’d it work out?
Octavusss@lemm.ee 1 month ago
Deleted the WireGuard and modified few other things in docker compose file and so far it’s running fine without any errors. So far do good.
Outwit1294@lemmy.today 1 month ago
You seem knowledgeable. I have a question about this. I have ran this type of setup before. Every time, I ended up ditching unbound because it throws DNSSEC error. I have tried troubleshooting but it doesn’t work.
Zanathos@lemmy.world 1 month ago
I just went through my setup to verify dnssec settings in unbound to troubleshoot strange latency when removing random names while browsing. Did you verify the unbound certificate file was created and had the proper permissions? There are also a couple other configuration items in unbound related to dnssec that can be tweaked to improve the implementation.
Outwit1294@lemmy.today 1 month ago
I tried again today with baremetal and docker install but I always end up with SERVFAIL after some time.
Zanathos@lemmy.world 1 month ago
Instead of port 53, I need to run unbound on 5335 (or another obscure port).I believe I also had to make some host level changed for DNS to operate correctly for incoming requests.
Here’s my podman run commands. These might have changed a bit with Pihole v6, but should still be ok AFAIK.
#PiHole1 Deployment/Upgrade Script podman run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 8080:80/tcp --hostname pihole --cap-add=CAP_AUDIT_WRITE -e FTLCONF_REPLY_ADDR4=192.168.0.201 -e PIHOLE_DNS_=“192.168.0.201#5335;192.168.0.202#5335” -e TZ=“America/New York” -e WEBPASSWORD=" MyPassword" -v /var/pihole/pihole1:/etc/pihole -v /var/pihole/pihole1/piholedns/:/etc/dnsmasq.d --restart=unless-stopped --label=“io.containers.autoupdate=registry” docker.io/pihole/pihole:latest
#UnBound1 Deployment/Upgrade Script podman run -d --name unbound -v /var/pihole/pihole1/unbound:/opt/unbound/etc/unbound/ -v /var/pihole/pihole1/unbound/unbound.log:/var/log/unbound/unbound.log -v /var/pihole/pihole1/unbound/root.hints:/opt/unbound/etc/unbound/root.hints -v /var/pihole/pihole1/unbound/a-records.conf:/opt/unbound/etc/unbound/a-records.conf -p 5335:5335/tcp -p 5335:5335/udp --restart=unless-stopped --label=“io.containers.autoupdate=registry” docker.io/mvance/unbound:latest
chris@lemmy.grey.fail 1 month ago
Is your ISP interfering?
Outwit1294@lemmy.today 1 month ago
Not as far as I know. I have never been throttled or anything ever. I have never seen any charges.
chris@lemmy.grey.fail 1 month ago
I mean in terms of hijacking DNS. Might be worth a look.