-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathdocker-compose-pihole.yml
93 lines (88 loc) · 2.63 KB
/
docker-compose-pihole.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
version: '3'
services:
pihole:
container_name: pihole
image: pihole/pihole:latest
depends_on:
- unbound
ports:
- "53:53/tcp"
- "53:53/udp"
- "80:80/tcp"
environment:
# ATTENTION: these environment variables assume you are running Pi-hole v6
TZ: "Europe/Paris"
FTLCONF_webserver_api_password: ${PIHOLE_ADMIN_PASSWORD:-password}
# Set unbound as the sole upstream DNS resolver
FTLCONF_dns_upstreams: "unbound"
# Allow Pi-holes DNS to be reached in bridged network mode
FTLCONF_dns_listeningMode: "all"
volumes:
- dnsmasq-d:/etc/dnsmasq.d
- etc-pihole:/etc/pihole
cap_add:
# See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
- NET_BIND_SERVICE
- SYS_NICE
- SYS_TIME
# Only add these if you intend to use Pi-hole as your DHCP server
# - NET_ADMIN
# - NET_RAW
restart: unless-stopped
networks:
- pihole-net
dns:
- 1.1.1.1 # Used only to fetch blocklists
- 127.0.0.1 # Docker's DNS resolver, used to resolve `unbound`
unbound:
container_name: unbound
image: klutchell/unbound:latest
restart: unless-stopped
networks:
- pihole-net
healthcheck:
test: ["CMD", "dig", "-p", "53", "dnssec.works", "@127.0.0.1"]
interval: 30s
timeout: 30s
retries: 3
start_period: 30s
volumes:
# Only needed if you want a custom configuration, the default one is good enough for most people
- unbound-config:/etc/unbound/custom.conf.d
dnsproxy:
image: axeleroy/dnsproxy:latest
container_name: dnsproxy
depends_on:
- pihole
restart: unless-stopped
ports:
- "853:853/tcp"
- "443:443/tcp"
environment:
# Sets Pi-hole as the upstream DNS resolver, enable DoT and DoH
# Update paths to the certificate and its private key accordingly
- ARGS=-u pihole:53
--tls-port=853
--https-port=443
--http3
--tls-crt=/certificates/fullchain.pem
--tls-key=/certificates/privkey.pem
volumes:
# Certificates can be generated manually or by your reverse proxy (i.e. Caddy or NGINX + Certbot). Update accordingly.
- /path/to/certificates:/certificates:ro
networks:
- pihole-net
healthcheck:
# Tests DNS-over-TLS, you can change it to DNS-over-HTTPS by replacing "+tls" by "+https"
test: [ "CMD", "dig", "+tls", "dnssec.works", "@127.0.0.1" ]
interval: 30s
timeout: 30s
retries: 3
start_period: 30s
networks:
pihole-net:
name: pihole-net
volumes:
dnsmasq-d: {}
etc-pihole: {}
unbound-config: {}