Pi-Hole stack docker-compose.yml for Android Private DNS ad filtering
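version: '3'

services:
  # Outbound resolver: Pi-hole forwards its queries here and they leave the
  # host as DNS-over-HTTPS rather than plain UDP/53.
  dns-over-https-client:
    image: goofball222/dns-over-https
    container_name: dns-over-https-client
    restart: unless-stopped
    networks:
      external: {}
      internal:
        # Fixed address so pihole's DNS1 below can point at it.
        ipv4_address: 10.192.168.2
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # DNS-over-HTTPS requires a mapped volume for persistent configuration
      # storage, both client and server.
      # NOTE(review): the same host directory is also mounted into the
      # dns-over-https server below — confirm sharing one config tree is intended.
      - ./dns-over-https:/opt/dns-over-https/conf
    environment:
      - TZ=UTC
    # Override image default command to start in DNS-over-HTTPS client mode.
    command: [doh-client]

  pihole:
    image: pihole/pihole
    container_name: pihole
    restart: unless-stopped
    networks:
      external: {}
      internal:
        # Configure specific, known address on "internal" stack network
        ipv4_address: 10.192.168.3
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Pi-Hole requires two persistent mapped volumes for configuration and data storage.
      - ./pihole:/etc/pihole
      - ./dnsmasq.d:/etc/dnsmasq.d
    environment:
      # Forward all received queries only to 10.192.168.2:5380 (dns-over-https-client).
      # Quoted so the "#" port separator can never be read as a YAML comment.
      - "DNS1=10.192.168.2#5380"
      # NOTE(review): as a plain scalar this passes the two literal quote
      # characters as the value of DNS2 — confirm that is what the image expects
      # for "no second upstream".
      - DNS2=''
      # Ensure internal processes know the correct Docker host external addresses
      - ServerIP=192.168.1.1
      - ServerIPv6=2001:db8:192:168::1
      # Configure virtual host name and port. Reverse proxy to the web interface
      # will not work without these.
      - VIRTUAL_HOST=<pihole.host.name>
      - VIRTUAL_PORT=80
      # Web admin password. Taken from the shell environment or a .env file so
      # the secret is never committed together with this compose file; compose
      # refuses to start if it is unset. (Variable name chosen here — rename freely.)
      - WEBPASSWORD=${PIHOLE_WEBPASSWORD:?set PIHOLE_WEBPASSWORD in .env}
      - TZ=UTC
    labels:
      - traefik.backend=pihole
      # Note that this frontend rule hostname should match the configured VIRTUAL_HOST above.
      - traefik.frontend.rule=Host:<pihole.host.name>
      - traefik.port=80
      - traefik.docker.network=proxy
      - traefik.enable=true

  # Inbound DNS-over-TLS endpoint (what Android "Private DNS" talks to).
  dns-over-tls:
    image: goofball222/stunnel
    container_name: dns-over-tls
    restart: unless-stopped
    networks:
      external: {}
      internal:
        # Configure specific, known address on "internal" stack network
        ipv4_address: 10.192.168.4
    ports:
      # DNS-over-TLS (RFC 7858) runs over TCP only and stunnel only terminates
      # TCP, so the former 853/udp mapping exposed a port nothing listened on;
      # it has been dropped. Quoted per Compose convention for port mappings.
      # This binds on every host interface; prefix a host address
      # (e.g. "192.168.1.1:853:853/tcp") if the listener should not be reachable
      # from all of them.
      - "853:853/tcp"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # STunnel needs a valid certificate and private key to use to encrypt the TLS connections.
      # Pull in LetsEncrypt cert and key **READ ONLY** for DNS-over-TLS hostname(s).
      # Requested by certbot directly on the Docker host. Kept up-to-date via scripted CRON job.
      # The private key stays :ro so a compromise of this container cannot alter it.
      # NOTE(review): certbot normally writes fullchain.pem, not fullchain.pem.crt —
      # confirm the source path matches the host layout.
      - /etc/letsencrypt/live/<le-dns.host.name>/fullchain.pem.crt:/etc/stunnel/stunnel.pem:ro
      - /etc/letsencrypt/live/<le-dns.host.name>/privkey.pem:/etc/stunnel/stunnel.key:ro
    environment:
      - STUNNEL_ACCEPT=853
      # Plaintext hop to Pi-hole only ever traverses the isolated "internal" network.
      - STUNNEL_CONNECT=pihole:53
      # stunnel log level (syslog numbering: 4 = warning); raise only while troubleshooting.
      - STUNNEL_DEBUG=4
      - STUNNEL_SERVICE=dns-over-tls
      - TZ=UTC

  # Inbound DNS-over-HTTPS endpoint, published through Traefik rather than a host port.
  dns-over-https:
    image: goofball222/dns-over-https
    container_name: dns-over-https
    restart: unless-stopped
    networks:
      external: {}
      internal:
        # Configure specific, known address on "internal" stack network
        ipv4_address: 10.192.168.5
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # DNS-over-HTTPS requires a mapped volume for persistent configuration
      # storage, both client and server.
      - ./dns-over-https:/opt/dns-over-https/conf
    environment:
      - TZ=UTC
    labels:
      - traefik.backend=dns-over-https
      # Note: best practice is for the frontend hostname(s) below to match what is
      # configured for DNS-over-TLS, although it is not required.
      - traefik.frontend.rule=Host:<le-dns.host.name>,<alternate-le-dns.host.name>
      - traefik.port=8053
      - traefik.docker.network=proxy
      - traefik.enable=true

# Stack network setup
networks:
  # Attach stack to the pre-existing "proxy" network used by Traefik
  external:
    external:
      name: proxy
  # Configure stack internal network
  internal:
    # This is a standard "bridge" network
    driver: bridge
    # Isolated from the outside: containers on this network can reach only each
    # other, so Pi-hole's :53 and the DoH client's :5380 are never exposed beyond
    # the stack. Outbound connectivity comes via the "external" network instead.
    internal: true
    # Configure IP address management to specify 10.192.168.0/29 subnet
    # (.2–.5 are pinned above; .1 is normally taken by the Docker gateway).
    ipam:
      driver: default
      config:
        - subnet: 10.192.168.0/29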