sujiba/pihole-unbound-hyperlocal
1
0
Fork 0
mirror of https://github.com/sujiba/pihole-unbound-hyperlocal.git synced 2025-07-09 21:35:13 +02:00
Code Issues Releases Activity

Merge pull request #13 from sujiba/dev

Browse source 
Dev
This commit is contained in:
sujiba 2025-03-23 23:43:55 +01:00 committed by GitHub
commit 6bf3a0d4ab
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
18 changed files with 217 additions and 245 deletions
Download patch file Download diff file Expand all files Collapse all files

52
.github/workflows/build_dev.yml vendored Executable file
View file

@ -0,0 +1,52 @@
name: build dev image
on:
push:
branches: [ dev ]
jobs:
build-dev:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GHCR_ACCESS_TOKEN }}
- name: Set up variables
run: |
VER=$(cat ./docker-build/VERSION)
echo "VERSION=$VER" >> $GITHUB_ENV
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push
uses: docker/build-push-action@v6
with:
context: ./docker-build
file: ./docker-build/Dockerfile
platforms: |
linux/arm/v7
linux/arm64
linux/amd64
push: true
tags: |
${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:${{ env.VERSION }}-dev
${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:dev
ghcr.io/${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:${{ env.VERSION }}-dev
ghcr.io/${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:dev

9
.github/workflows/docker_build_push_main.yml → .github/workflows/build_main.yml vendored
View file

@ -17,6 +17,13 @@ jobs:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GHCR_ACCESS_TOKEN }}
- name: Set up variables
run: |
VER=$(cat ./docker-build/VERSION)
@ -41,3 +48,5 @@ jobs:
tags: |
${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:${{ env.VERSION }}
${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:latest
ghcr.io/${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:${{ env.VERSION }}
ghcr.io/${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:latest

43
.github/workflows/docker_build_push_dev.yml vendored
View file

@ -1,43 +0,0 @@
name: Build and push pihole-unbound-hyperlocal with tag dev
on:
push:
branches: [ dev ]
jobs:
build:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v2
-
name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
-
name: Set up variables
run: |
VER=$(cat ./docker-build/VERSION)
echo "VERSION=$VER" >> $GITHUB_ENV
-
name: Set up QEMU
uses: docker/setup-qemu-action@v1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
-
name: Build and push
uses: docker/build-push-action@v2
with:
context: ./docker-build
file: ./docker-build/Dockerfile
platforms: |
linux/arm/v7
linux/arm64
linux/amd64
push: true
tags: |
${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:${{ env.VERSION }}
${{ secrets.DOCKER_USER }}/pihole-unbound-hyperlocal:dev

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
.env
etc-pihole/
pihole.env

85
README.md
View file

@ -1,19 +1,48 @@
# Pihole + Unbound + Hyperlocal
**IMPORTANT**: When using this Docker image, please report any bugs or suggestions to this repository directly.
> [!NOTE]
>
> **IMPORTANT**: When using this Docker image, please report any bugs or suggestions to this repository directly.
## Overview
## Upgrade Notes
> [!CAUTION]
>
> ## !!! THE LATEST VERSION CONTAINS BREAKING CHANGES
>
> **Pi-hole v6 has been entirely redesigned from the ground up and contains many breaking changes.**
>
> Read https://github.com/pi-hole/docker-pi-hole
> [!tip]
> Firstly pull the new image with `docker pull ghcr.io/sujiba/pihole-unbound-hyperlocal:latest`.
> Next stop the old container with `docker compose down`.
> Follow the steps described under [First startup](#first-startup).
> For the upgrade transition you're going to have two folders
> - old: pihole-unbound-hyperlocal
> - new: pihole-unbound-hyperlocal-v6
>
> You can delete the old folder if everything is up and running.
## Overview
- [Pihole + Unbound + Hyperlocal](#pihole--unbound--hyperlocal)
- [Overview](#overview)
- [Acknowledgement](#acknowledgement)
- [Introduction](#introduction)
- [Prerequisites](#prerequisites)
- [First startup](#first-startup)
- [resolv.conf](#resolvconf)
- [Testing](#testing)
- [DNS problems](#dns-problems)
- [Blocklists](#blocklists)
- [Acknowledgement](#acknowledgement)
## Acknowledgement
- [Docker Pi-hole](https://github.com/pi-hole/docker-pi-hole)
- [Unbound](https://nlnetlabs.nl/projects/unbound/about/)
- [Pi-hole Unbound](https://docs.pi-hole.net/guides/dns/unbound/)
- [mpgirro/docker-pihole-unbound](https://github.com/mpgirro/docker-pihole-unbound)
- [Pi-hole: Einrichtung und Konfiguration mit unbound AdBlocker Teil2](https://www.kuketz-blog.de/pi-hole-einrichtung-und-konfiguration-mit-unbound-adblocker-teil2/)
## Introduction
**Pi-hole**:
@ -28,46 +57,33 @@
## Prerequisites
- Install [Docker](https://docs.docker.com/get-docker/)
- Install [Docker-Compose](https://docs.docker.com/compose/install/)
- Download the repository to your favored directory
## First startup
Copy example.env to .env and change the parameters
Clone the repository to your favored location and change the config.
```
cp example.env .env
vi .env
git clone -b main https://github.com/sujiba/pihole-unbound-hyperlocal.git pihole-unbound-hyperlocal-v6
# Change the timezone, password and other pi-hole settings
cp example.pihole.env pihole.env
vi pihole.env
# Change the ports if you're running a reverse proxy on ports 80 and 443
vi docker-compose.yml
```
Start the container
```
docker-compose up -d
docker compose up -d
```
Check the logs
```
docker-compose logs -f
```
### resolv.conf
If you get the following error
```
pihole | Starting unbound
pihole | [✗] DNS resolution is currently unavailable
```
uncomment the following line in the docker-compose.yaml
```
#- ./resolv.conf:/etc/resolv.conf
```
and restart the container
```
docker-compose up -d --force-recreate
docker compose logs -f
```
### Testing
```
docker exec -it pihole-unbound bash
docker compose exec -it pihole-unbound sh
dig github.com @127.0.0.1 +short
dig sigfail.verteiltesysteme.net @127.0.0.1 | grep status
dig sigok.verteiltesysteme.net @127.0.0.1 | grep status
@ -96,10 +112,3 @@ See also [StackExchange](https://unix.stackexchange.com/questions/647996/docker-
- [mmotti Pi-hole RegEx](https://raw.githubusercontent.com/mmotti/pihole-regex/master/regex.list)
- [Privacy-Handbuch Windows 10 Telemetry](https://www.privacy-handbuch.de/handbuch_90a2.htm)
- [hagezi dns-blocklists](https://github.com/hagezi/dns-blocklists)
## Acknowledgement
- [Docker Pi-hole](https://github.com/pi-hole/docker-pi-hole)
- [Unbound](https://nlnetlabs.nl/projects/unbound/about/)
- [Pi-hole Unbound](https://docs.pi-hole.net/guides/dns/unbound/)
- [Pi-Hole + Unbound - 1 Container](https://github.com/chriscrowe/docker-pihole-unbound/tree/master/one-container)
- [[Pi-hole][Unbound] Mit dem Pi zur größtmöglichen Unabhängigkeit DNS](https://forum.kuketz-blog.de/viewtopic.php?f=53&t=8759)

2
docker-build/99-edns.conf
View file

@ -1,2 +1,2 @@
# signal FTL to adhere to this limit
edns-packet-max=1232
edns-packet-max=1232

34
docker-build/Dockerfile
View file

@ -1,34 +1,26 @@
# Get the latest Pi-hole version
FROM pihole/pihole:2024.07.0
FROM pihole/pihole:2025.03.0
# Install necessary programs
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install -y \
unbound \
# Install necessary programs without repository caching
RUN apk upgrade --no-cache && \
apk add --no-cache \
unbound \
wget
# Additional configs
# unbound
COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
COPY unbound-pihole.conf /etc/unbound/unbound.conf.d/pihole.conf
# Set edns packet limit for dnsmasq
COPY 99-edns.conf /etc/dnsmasq.d/99-edns.conf
# Download DNS-Root-Zone.
# Create the chroot directory and generate root.key.
# Copy / move files and change owner.
RUN wget -O root.hints https://www.internic.net/domain/named.root && \
mv root.hints /var/lib/unbound/ && \
chown -R unbound:unbound /var/lib/unbound/root.hints
# Download DNS-Root-Zone and move file
RUN wget -S https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
# Remove unnecessary programs
RUN apt-get remove -y \
wget
# Create unbound log dir
RUN install -o unbound -g unbound -Dm755 -d /var/log/unbound
# Unbound startup script
RUN mkdir -p /etc/services.d/unbound
COPY unbound-run /etc/services.d/unbound/run
RUN chmod ug+x /etc/services.d/unbound/run
# Add unbound start up script
COPY --chmod=0755 unbound-entrypoint.sh /usr/bin/unbound-entrypoint.sh
ENTRYPOINT ./s6-init
ENTRYPOINT ["unbound-entrypoint.sh"]

20
docker-build/README.md
View file

@ -1,20 +0,0 @@
# Build it yourself
https://docs.docker.com/buildx/working-with-buildx/#work-with-builder-instances
```
# This creates a new builder instance with a single node based on your current configuration.
docker buildx create
# To list all available builders, use
docker buildx ls
# To switch between different builders, use
docker buildx use <name>
# After creating a new instance, you can delete it with
docker buildx rm <name>
```
Build it as a multi-platform image:
```
chmod +x build_and_push.sh
./build_and_push.sh
```

2
docker-build/VERSION
View file

@ -1 +1 @@
2024.07.0
2025.03.0

2
docker-build/build_and_push.sh
View file

@ -1,2 +0,0 @@
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t sujiba/pihole-unbound-hyperlocal:`cat VERSION` --push .
docker buildx build --platform linux/arm/v7,linux/arm64/v8,linux/amd64 -t sujiba/pihole-unbound-hyperlocal:latest --push .

20
docker-build/unbound-entrypoint.sh Normal file
View file

@ -0,0 +1,20 @@
#!/bin/sh
# Start unbound
echo " [i] Starting Unbound"
/usr/sbin/unbound -d -c /etc/unbound/unbound.conf.d/pihole.conf &
# Get most recent process id for error checking
UNBOUND_PID=$!
# Wait for a second and check if unbound is running
sleep 1
if [ -d "/proc/$UNBOUND_PID" ];
then
echo " [i] Unbound started successfully."
else
echo " [i] Unbound startup failed."
echo " [i] Take a look at /var/log/unbound/unbound.log"
fi
# Start pi-hole
exec /usr/bin/start.sh

25
docker-build/unbound-pihole.conf
View file

@ -2,7 +2,7 @@ server:
# https://manpages.debian.org/bullseye/unbound/unbound.conf.5.en.html
#
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
@ -11,16 +11,27 @@ server:
do-udp: yes
do-tcp: yes
# Maybe set to yes if you have IPv6 connectivity
do-ip6: no
# Maybe set to no if you don't have IPv6 connectivity
do-ip6: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
username: "unbound"
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
root-hints: "/var/lib/unbound/root.hints"
root-hints: "/etc/unbound/root.hints"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# Note this gets out of date, use auto-trust-anchor-file please.
trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
# Trust glue only if it is within the server's authority
harden-glue: yes
@ -65,7 +76,7 @@ server:
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# increase cache size to utilize more RAM
# increase cache size to utilize more RAM | msg * 2 = rrset
msg-cache-size: 128m
rrset-cache-size: 256m
@ -84,5 +95,5 @@ server:
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
#private-address: fd00::/8
#private-address: fe80::/10
private-address: fd00::/8
private-address: fe80::/10

24
docker-build/unbound-run
View file

@ -1,24 +0,0 @@
#!/command/with-contenv bash
s6-echo "Starting unbound"
NAME="unbound"
DESC="DNS server"
DAEMON="/usr/sbin/unbound"
PIDFILE="/run/unbound.pid"
HELPER="/usr/lib/unbound/package-helper"
test -x $DAEMON || exit 0
# Override this variable by editing or creating /etc/default/unbound.
DAEMON_OPTS=""
if [ -f /etc/default/unbound ]; then
. /etc/default/unbound
fi
$HELPER chroot_setup
$HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
$DAEMON -d $DAEMON_OPTS

55
docker-compose.yml
View file

@ -1,37 +1,30 @@
version: "3"
services:
---
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
pihole-unbound:
image: ${IMAGE}
container_name: ${NAME}
hostname: ${HOSTNAME}
# You can also use latest | yyyy.mm.x | dev | yyyy.mm.x-dev
image: ghcr.io/sujiba/pihole-unbound-hyperlocal:latest
container_name: pihole-unbound
hostname: raspi-01
ports:
- "53:53/tcp"
- "53:53/udp"
- "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
- "${HTTP_PORT}:80/tcp"
- "53:53/tcp" # DNS Ports
- "53:53/udp" # DNS Ports
- "80:80/tcp" # Default HTTP Port or an alternative port if you use a reverse proxy like nginx.
- "443:443/tcp" # Default HTTPs Port or an alternative port if you use a reverse proxy like nginx. FTL will generate a self-signed certificate
# - "67:67/udp" # Uncomment if you are using Pi-hole as your DHCP server
# - "123:123/udp" # Uncomment if you are using Pi-hole as your NTP server
# - 5335:5335/tcp # For testing purposes, uncomment to enable unbound access on local server
environment:
TZ: ${TZ}
WEBPASSWORD: ${WEBPASSWORD}
PIHOLE_DNS_: ${PIHOLE_DNS}
DNSSEC: ${DNSSEC}
CUSTOM_CACHE_SIZE: ${CUSTOM_CACHE_SIZE}
DNS_BOGUS_PRIV: ${DNS_BOGUS_PRIV}
DNS_FQDN_REQUIRED: ${DNS_FQDN_REQUIRED}
TEMPERATUREUNIT: ${TEMPERATUREUNIT}
WEBTHEME: ${WEBTHEME}
FTLCONF_MAXDBDAYS: ${MAXDBDAYS}
FTLCONF_DBINTERVAL: ${DBINTERVAL}
# Volumes store your data between container upgrades
env_file:
- ./pihole.env
volumes:
- ./etc-pihole/:/etc/pihole/
- ./etc-dnsmasq.d/:/etc/dnsmasq.d/
# You'll need this, if you are using a self-created network
#- ./resolv.conf:/etc/resolv.conf
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
#cap_add:
# - NET_ADMIN
# For persisting Pi-hole's databases and common configuration file
- ./etc-pihole:/etc/pihole
# cap_add:
# See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
# Required if you are using Pi-hole as your DHCP server, else not needed
# - NET_ADMIN
# Required if you are using Pi-hole as your NTP client to be able to set the host's system time
# - SYS_TIME
# Optional, if Pi-hole should get some more processing time
# - SYS_NICE
restart: unless-stopped

6
etc-dnsmasq.d/10-pihole-extra.conf
View file

@ -1,6 +0,0 @@
# https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
# Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients.
# This is an alternative to having dnsmasq validate DNSSEC,
# but it depends on the security of the network between dnsmasq and the upstream servers,
# and the trustworthiness of the upstream servers.
proxy-dnssec

49
example.env
View file

@ -1,49 +0,0 @@
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
IMAGE=sujiba/pihole-unbound-hyperlocal:latest
NAME=pihole
HOSTNAME=raspi-01
# 80 or an alternative port if you use a reverse proxy like nginx
HTTP_PORT=80
# Set your timezone to make sure logs rotate at local midnight instead of at UTC midnight.
TZ='Europe/Berlin'
# http://pi.hole/admin password. Run docker logs pihole | grep random to find your random pass.
WEBPASSWORD=PASSWORD
# Upstream DNS server(s) for Pi-hole to forward queries to, seperated by a semicolon
# (supports non-standard ports with #[port number]) e.g 127.0.0.1#5053;8.8.8.8;8.8.4.4
# Hardcoded to our Unbound server
PIHOLE_DNS='127.0.0.1#5335'
# We disable DNSSEC because it is done by Unbound
DNSSEC=false
# Set the cache size for dnsmasq.
# Useful for increasing the default cache size or to set it to 0.
# Note that when DNSSEC is "true", then this setting is ignored.
CUSTOM_CACHE_SIZE=10000
# Never forward reverse lookups for private ranges
DNS_BOGUS_PRIV=true
# Never forward non-FQDNs
DNS_FQDN_REQUIRED=true
# Set preferred temperature unit to
# c: Celsius, k: Kelvin, or f Fahrenheit units.
TEMPERATUREUNIT=c
# User interface theme to use.
# default-dark | default-darker | default-light | default-auto | lcars
WEBTHEME=default-dark
# pihole-FTL.conf
# How many days should Pi-hole store requests - discard older entries
MAXDBDAYS=30
# Write FTL database from RAM to SD card every x minutes. - Save SD card
DBINTERVAL=60

31
example.pihole.env Executable file
View file

@ -0,0 +1,31 @@
# Settings that are set via environment variables effectively become read-only,
# meaning that you will not be able to change them in the web interface or CLI.
# This is to ensure a "single source of truth" on the config. If you later unset
# an environment variable, then FTL will revert to the default value for that setting.
# You can find all settings under /etc/pihole/pihole.toml.
# Set your timezone to make sure logs rotate at local midnight instead of at UTC midnight.
# List of timezones https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=Europe/Berlin
# Set your admin password for https://pi.hole/admin.
FTLCONF_webserver_api_password=Super_Secure_Password
# If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'
FTLCONF_dns_listeningMode=all
# Upstream DNS server(s) for Pi-hole to forward queries to, seperated by a semicolon
# (supports non-standard ports with #[port number]) e.g 127.0.0.1#5053;8.8.8.8;8.8.4.4
# Hardcoded to our Unbound server
FTLCONF_dns_upstreams=127.0.0.1#5335
# Validate DNS replies using DNSSEC?
FTLCONF_dns_dnssec = true
# Theme used by the Pi-hole web interface
# default-dark | default-darker | default-light | high-contrast | high-contrast-dark | default-auto | lcars
FTLCONF_webserver_interface_theme=default-dark
# Which temperature unit should be used for temperatures processed by FTL?
# C | F | K
FTLCONF_webserver_api_temp_unit=C

2
resolv.conf
View file

@ -1,2 +0,0 @@
nameserver 127.0.0.1
options ndots:0