Pi-Hole stack docker-compose.yml for Android Private DNS ad filtering
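version: '3'

services:

  # DoH *client*. It is Pi-hole's only upstream (see DNS1 below), so every query
  # Pi-hole cannot answer locally leaves the host as DNS-over-HTTPS rather than
  # plain-text UDP/53. Which public DoH resolver it talks to is set in the
  # mounted ./dns-over-https configuration, not in this file.
  dns-over-https-client:
    # NOTE(review): untagged third-party image resolves to :latest on every pull.
    # Pin a tag or an @sha256 digest so the resolver binary cannot silently change.
    image: goofball222/dns-over-https
    container_name: dns-over-https-client
    restart: unless-stopped
    networks:
      external:
      internal:
        # Fixed address so Pi-hole's DNS1 setting can reference it by IP.
        ipv4_address: 10.192.168.2
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Persistent configuration. The same directory is mounted into the DoH
      # *server* container below (same image, different mode); presumably each
      # mode reads its own file from it — keep client and server config distinct.
      - ./dns-over-https:/opt/dns-over-https/conf
    environment:
      - TZ=UTC
    # Override the image default command to start in DNS-over-HTTPS client mode.
    command: [doh-client]

  # Pi-hole: the filtering resolver. It is deliberately NOT published on host
  # port 53 — it is reachable only from this stack's networks, via the DoT and
  # DoH front ends, so the filter itself is never an open plain-DNS resolver.
  pihole:
    # NOTE(review): untagged image (:latest); pin a tag or digest as above.
    image: pihole/pihole
    container_name: pihole
    restart: unless-stopped
    networks:
      external:
      internal:
        # Configure specific, known address on "internal" stack network
        ipv4_address: 10.192.168.3
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Pi-hole requires two persistent mapped volumes for configuration and data storage.
      - ./pihole:/etc/pihole
      - ./dnsmasq.d:/etc/dnsmasq.d
    environment:
      # Forward ALL upstream requests only to 10.192.168.2:5380 (dns-over-https-client),
      # using dnsmasq's "address#port" syntax. Quoted: the value contains '#', which
      # YAML treats as a comment start after whitespace; quoting removes any ambiguity.
      - 'DNS1=10.192.168.2#5380'
      # Disable the second upstream. The original `DNS2=''` is a *plain* YAML
      # scalar, so the container received the literal two-character string ''
      # rather than an empty value. The pihole/pihole image documents `no` as the
      # way to disable DNS2; an empty value may instead fall back to the image's
      # default public resolver, which would let queries bypass the DoH client.
      # Verify against the image version you deploy.
      - DNS2=no
      # Insure internal processes know the correct Docker host external addresses.
      # Both values are placeholders (2001:db8::/32 is the documentation prefix)
      # and must be replaced with the host's real addresses.
      - ServerIP=192.168.1.1
      - ServerIPv6=2001:db8:192:168::1
      # Configure virtual host name and port. Reverse proxy to the web interface
      # will not work without these.
      - VIRTUAL_HOST=<pihole.host.name>
      - VIRTUAL_PORT=80
      # Admin password is taken from an uncommitted .env file via Compose variable
      # substitution instead of being written into this file (which is shared /
      # versioned). The `:?` form makes `docker-compose up` abort with the message
      # if the variable is unset, so a blank password cannot ship by accident.
      - WEBPASSWORD=${PIHOLE_WEBPASSWORD:?set PIHOLE_WEBPASSWORD in an uncommitted .env file}
      - TZ=UTC
    labels:
      - traefik.backend=pihole
      # This frontend rule hostname should match the configured VIRTUAL_HOST above.
      # NOTE(review): the admin UI is published on the same Traefik instance as the
      # public DoH hostname below. If that Traefik is Internet-facing, the admin
      # panel is reachable from anywhere with only WEBPASSWORD in front of it —
      # consider an IP whitelist or a separate, non-public entrypoint for this rule.
      - traefik.frontend.rule=Host:<pihole.host.name>
      - traefik.port=80
      - traefik.docker.network=proxy
      - traefik.enable=true

  # DNS-over-TLS front end (RFC 7858): stunnel terminates TLS on 853 and hands the
  # plain DNS stream to Pi-hole over the internal network. This is the endpoint
  # Android "Private DNS" connects to.
  dns-over-tls:
    # NOTE(review): untagged third-party image; pin a tag or digest as above.
    image: goofball222/stunnel
    container_name: dns-over-tls
    restart: unless-stopped
    networks:
      external:
      internal:
        # Configure specific, known address on "internal" stack network
        ipv4_address: 10.192.168.4
    ports:
      # Published on every host interface (no host IP given), so this is an
      # open resolver over TLS for anyone who can reach 853 — unless Pi-hole's
      # own listening/ACL settings in ./dnsmasq.d restrict it. The TCP handshake
      # rules out classic UDP amplification but not plain abuse; rate-limit at
      # the host firewall if the box is Internet-facing.
      # Quoted: Compose "host:container" port strings are safest as YAML strings.
      - "853:853/tcp"
      # No UDP mapping. DNS-over-TLS is TCP-only and stunnel forwards TCP only,
      # so the original 853/udp mapping exposed a port with nothing behind it.
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # stunnel needs a valid certificate and private key to terminate TLS.
      # Pull in the Let's Encrypt cert and key **READ ONLY** for the DNS-over-TLS
      # hostname(s). Requested by certbot directly on the Docker host; kept
      # up-to-date via a scripted cron job.
      # NOTE(review): certbot's default filename is fullchain.pem — the .crt suffix
      # here must match what your renewal script actually writes. Also, the paths
      # under live/ are symlinks that certbot repoints on renewal, while a bind
      # mount keeps the *old* target open; the cron job presumably restarts this
      # container after renewal, otherwise stunnel keeps serving the expired cert.
      - /etc/letsencrypt/live/<le-dns.host.name>/fullchain.pem.crt:/etc/stunnel/stunnel.pem:ro
      - /etc/letsencrypt/live/<le-dns.host.name>/privkey.pem:/etc/stunnel/stunnel.key:ro
    environment:
      - STUNNEL_ACCEPT=853
      # Decrypted traffic goes to Pi-hole over TCP/53 on the stack network only.
      - STUNNEL_CONNECT=pihole:53
      # stunnel log level (syslog scale): 4 = warning.
      - STUNNEL_DEBUG=4
      - STUNNEL_SERVICE=dns-over-tls
      - TZ=UTC

  # DNS-over-HTTPS front end (RFC 8484). TLS is terminated by Traefik, which
  # forwards plain HTTP to doh-server on 8053 over the proxy network. Where
  # doh-server sends the decoded queries (presumably Pi-hole) is set in the
  # shared ./dns-over-https configuration, not here — make sure it is NOT the
  # DoH client above, or queries would loop.
  dns-over-https:
    # NOTE(review): untagged third-party image; pin a tag or digest as above.
    image: goofball222/dns-over-https
    container_name: dns-over-https
    restart: unless-stopped
    networks:
      external:
      internal:
        # Configure specific, known address on "internal" stack network
        ipv4_address: 10.192.168.5
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # DNS-over-HTTPS requires a mapped volume for persistent configuration
      # storage, both client and server (shared with the client container above).
      - ./dns-over-https:/opt/dns-over-https/conf
    environment:
      - TZ=UTC
    labels:
      - traefik.backend=dns-over-https
      # Best practice is to have the frontend hostname(s) below match what is
      # configured for DNS-over-TLS, although it is not required.
      - traefik.frontend.rule=Host:<le-dns.host.name>,<alternate-le-dns.host.name>
      - traefik.port=8053
      - traefik.docker.network=proxy
      - traefik.enable=true

# Stack network setup
networks:
  # Attach the stack to the pre-existing "proxy" network used by Traefik. This is
  # also the only network with outside connectivity: inbound (Traefik, the 853
  # port publish) and the DoH client's outbound HTTPS both flow through it.
  external:
    external:
      name: proxy
  # Stack-internal network: a standard "bridge" for container-to-container
  # traffic only. `internal: true` gives it no route off the host, so Pi-hole and
  # the front ends can only reach each other here.
  internal:
    driver: bridge
    internal: true
    # 10.192.168.0/29 leaves .1 (gateway) and .2-.6 for the fixed addresses above.
    ipam:
      driver: default
      config:
        - subnet: 10.192.168.0/29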