How well does that run in docker? I’ve always liked docker, but it seems to me that certain apps should touch metal than be containerized. Maybe I’m too old school.
Comment on Pihole + Unbound Docker Compose file
chris@lemmy.grey.fail 2 months ago
services: pihole: container_name: pihole image: pihole/pihole:latest hostname: sheldon environment: HOST_CONTAINERNAME: pihole TZ: ${TZ} WEBPASSWORD: ${WEBPASSWORD} DNSMASQ_LISTENING: "all" PIHOLE_DNS_1: "unbound#53" ports: - "53:53/tcp" - "53:53/udp" - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server - "8080:80/tcp" # network_mode: host dns: - 127.0.0.1 networks: dns: ipv4_address: 172.22.0.2 volumes: - /mnt/appdata/pihole/etc-pihole:/etc/pihole - /mnt/appdata/pihole/etc-dnsmasq.d:/etc/dnsmasq.d restart: unless-stopped depends_on: unbound: condition: service_healthy unbound: container_name: unbound image: klutchell/unbound:latest networks: dns: ipv4_address: 172.22.0.3 volumes: - /mnt/appdata/unbound:/opt/unbound/etc/unbound/custom restart: unless-stopped healthcheck: test: ["CMD", "dig", "google.com", "@127.0.0.1"] interval: 10s timeout: 5s retries: 5 wg-easy: container_name: wg-easy image: ghcr.io/wg-easy/wg-easy:15 ports: - "51820:51820/udp" - "51821:51821/tcp" # environment: # TZ: ${TZ} # LANG: en # WG_HOST: ${WG_HOST} # PASSWORD_HASH: ${PASSWORD_HASH} # WG_DEFAULT_DNS: 172.22.0.2 # WG_MTU: 1420 networks: dns: ipv4_address: 172.22.0.4 volumes: - /mnt/appdata/wg-easy:/etc/wireguard - /lib/modules:/lib/modules:ro cap_add: - NET_ADMIN - SYS_MODULE sysctls: - net.ipv4.ip_forward=1 - net.ipv4.conf.all.src_valid_mark=1 - net.ipv6.conf.all.disable_ipv6=0 - net.ipv6.conf.all.forwarding=1 - net.ipv6.conf.default.forwarding=1 restart: unless-stopped networks: dns: external: true
Feel free to just delete the wg-easy service.
irmadlad@lemmy.world 2 months ago
chris@lemmy.grey.fail 2 months ago
I love the portability of running this in Docker. I rsync a backup of this and the Appdata folder every night. When or if this server fails, I can be up and running again in minutes on another machine.
Zanathos@lemmy.world 2 months ago
I do exactly the same thing for all three of these services! My implementation is on podman rather than docker, but basically the same deal.
B0rax@feddit.org 2 months ago
I have all these services in docker as well (although not with the docker compose file here) and they run perfectly fine with a very low resource footprint.
irmadlad@lemmy.world 2 months ago
0K that’s cool. I love docker. I would like to upgrade to k8s but I haven’t yet plumbed the depths of docker. I was just with the overhead of docker, since Pi-Hole/Unbound is a dedicated system, I thought maybe it’d get better thru put baked in. I wouldn’t listen to me tho, I’m medicated.
B0rax@feddit.org 2 months ago
As an anecdote: I have one system (x86) with pi-hole and unbound in a docker, and a secondary raspberry pi with pi-hole running on bare metal. The docker system (although much more performant in general) has a lower latency as the raspberry bare metal install.
Appoxo@lemmy.dbzer0.com 2 months ago
Focker container in host mode is sufficient for most cases requiring bare deployment.
irmadlad@lemmy.world 2 months ago
I’ve heard of Docker, Incus, k8s, VM, but not Focker. Is this some new containerization software?
Octavusss@lemm.ee 2 months ago
Thank you very much.
chris@lemmy.grey.fail 2 months ago
How’d it work out?
Octavusss@lemm.ee 2 months ago
Deleted the WireGuard and modified few other things in docker compose file and so far it’s running fine without any errors. So far do good.
Outwit1294@lemmy.today 2 months ago
You seem knowledgeable. I have a question about this. I have ran this type of setup before. Every time, I ended up ditching unbound because it throws DNSSEC error. I have tried troubleshooting but it doesn’t work.
Zanathos@lemmy.world 2 months ago
I just went through my setup to verify dnssec settings in unbound to troubleshoot strange latency when removing random names while browsing. Did you verify the unbound certificate file was created and had the proper permissions? There are also a couple other configuration items in unbound related to dnssec that can be tweaked to improve the implementation.
Outwit1294@lemmy.today 2 months ago
I tried again today with baremetal and docker install but I always end up with SERVFAIL after some time.
Zanathos@lemmy.world 2 months ago
Instead of port 53, I need to run unbound on 5335 (or another obscure port).I believe I also had to make some host level changed for DNS to operate correctly for incoming requests.
Here’s my podman run commands. These might have changed a bit with Pihole v6, but should still be ok AFAIK.
#PiHole1 Deployment/Upgrade Script podman run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 8080:80/tcp --hostname pihole --cap-add=CAP_AUDIT_WRITE -e FTLCONF_REPLY_ADDR4=192.168.0.201 -e PIHOLE_DNS_=“192.168.0.201#5335;192.168.0.202#5335” -e TZ=“America/New York” -e WEBPASSWORD=" MyPassword" -v /var/pihole/pihole1:/etc/pihole -v /var/pihole/pihole1/piholedns/:/etc/dnsmasq.d --restart=unless-stopped --label=“io.containers.autoupdate=registry” docker.io/pihole/pihole:latest
#UnBound1 Deployment/Upgrade Script podman run -d --name unbound -v /var/pihole/pihole1/unbound:/opt/unbound/etc/unbound/ -v /var/pihole/pihole1/unbound/unbound.log:/var/log/unbound/unbound.log -v /var/pihole/pihole1/unbound/root.hints:/opt/unbound/etc/unbound/root.hints -v /var/pihole/pihole1/unbound/a-records.conf:/opt/unbound/etc/unbound/a-records.conf -p 5335:5335/tcp -p 5335:5335/udp --restart=unless-stopped --label=“io.containers.autoupdate=registry” docker.io/mvance/unbound:latest
chris@lemmy.grey.fail 2 months ago
Is your ISP interfering?
Outwit1294@lemmy.today 2 months ago
Not as far as I know. I have never been throttled or anything ever. I have never seen any charges.
chris@lemmy.grey.fail 2 months ago
I mean in terms of hijacking DNS. Might be worth a look.