From 53305794569f7014226ed2df02993bd460da5e5d Mon Sep 17 00:00:00 2001
From: Lionel Sambuc
Date: Wed, 14 Apr 2021 15:48:15 +0000
Subject: [PATCH] Configuration for Pi-hole

---
 .gitignore         |  4 ++++
 README.md          | 26 +++++++++++++++++++-
 docker-compose.yml | 59 ++++++++++++++++++++++++++++++++++++++++++++++
 env.example        |  1 +
 4 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 docker-compose.yml
 create mode 100644 env.example

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e9f382d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.env
+conf/
+etc-pihole/
+etc-dnsmasq.d/
diff --git a/README.md b/README.md
index 3b4558d..3ed1f71 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,26 @@
-# tpl.docker-compose
+# Pi-hole deployment
+## Quick Start
+
+1. Copy `env.example` to `.env`
+
+2. Edit `.env` to adapt the Fully Qualified Domain Name (FQDN) of the Pi-hole
+   container.
+
+   This is used by Traefik to redirect requests to the web interface
+
+3. `docker-compose up -d`
+
+4. Go to the Web interface, and adapt the settings as needed for your setup.
+
+   For example:
+
+   * **Settings** -> **DNS** -> **Upstream DNS Servers**:
+     Add at least one upstream server.
+
+   * **Settings** -> **DNS** -> **Upstream DNS Servers**:
+     Enable **Use Conditional Forwarding** and configure it.
+
+   * **Settings** -> **DHCP**:
+     Disable **DHCP server enabled** if you are using another DHCP server.
+
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..0ec2136
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,59 @@
+version: "3.8"
+
+networks:
+  proxy_infra:
+    external: true
+
+# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
+services:
+  pihole:
+    image: pihole/pihole:latest
+    ports:
+      # LSC: I am not relying on Traefik to proxy DNS, in order to not loose
+      # name resolution when restarting the reverse proxy.
+      - "53:53/tcp"
+      - "53:53/udp"
+      # LSC: No need for DHCP, already handeld.
+      # This is for BOOTP, taken over by DHCP.
+      #- "67:67/udp"
+      # Web UI handled through Traefik
+      #- "9000:80/tcp"
+    environment:
+      TZ: "Europe/Zurich"
+      WEBPASSWORD_FILE: "/webpassword"
+    # Volumes store your data between container upgrades
+    volumes:
+      - "./conf/webpassword:/webpassword:ro"
+      - "./etc-pihole/:/etc/pihole/:rw"
+      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/:rw"
+      - "./etc-pihole-updatelists:/etc/pihole-updatelists/:rw"
+    # Recommended but not required (DHCP needs NET_ADMIN)
+    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+    # LSC: Commented out, DHCP already handeld
+    #cap_add:
+    # - NET_ADMIN
+    restart: always
+    networks:
+      - proxy_infra
+      - default
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy_infra"
+      - "traefik.http.services.pihole.loadbalancer.server.port=80"
+
+      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.permanent=true"
+      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.regex=https://${FQDN}/?$$"
+      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.replacement=https://${FQDN}/admin"
+      # Priority goes from first in the list to last.
+      - "traefik.http.middlewares.pihole.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"
+
+      # Pi-Hole
+      - "traefik.http.routers.pihole.service=pihole"
+      - "traefik.http.routers.pihole.entrypoints=web-secure"
+      # Do not filter on prefix, otherwise the redirect does not work...
+      - "traefik.http.routers.pihole.rule=Host(`${FQDN}`)"
+      - "traefik.http.routers.pihole.tls=true"
+      # Not using Letsencrypt, as this service is not accessible from outside
+      # the LAN, and no wildcard domain certificate yet.
+      #- "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.pihole.middlewares=pihole,net-home@file,auth-traefik@file,pi-hole-redirect"
diff --git a/env.example b/env.example
new file mode 100644
index 0000000..4b967c7
--- /dev/null
+++ b/env.example
@@ -0,0 +1 @@
+FQDN=`pi-hole.example.net`
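Review bot: The `"53:53/tcp"` and `"53:53/udp"` entries under `ports:` publish the resolver on every host interface, so on a host that also has a non-LAN address the listener is exposed there as well, and whether Pi-hole then answers such queries depends on its interface-listening setting, which this file does not pin; binding to the LAN address, `- "<LAN_IP>:53:53/tcp"` and `- "<LAN_IP>:53:53/udp"`, keeps the service where the comment above the commented-out `tls.certresolver` label says it is meant to be reached. `image: pihole/pihole:latest` is an unpinned tag, so each `docker-compose up` can pull an image different from the one last reviewed; pinning to a release tag, `image: pihole/pihole:<PINNED_VERSION>`, and bumping it deliberately makes upgrades reviewable. The `./etc-pihole-updatelists` bind mount creates a directory that the `.gitignore` hunk does not cover (it lists `conf/`, `etc-pihole/` and `etc-dnsmasq.d/` only), so runtime state under it would end up committed. The README's Quick Start also never tells the user to create `conf/webpassword` before the first `up`, although `WEBPASSWORD_FILE` and the read-only mount depend on it; a step such as `Put the admin password in conf/webpassword (the conf/ directory is git-ignored)` before step 3 would close that gap.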
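Review bot: The backticks in `FQDN=\`pi-hole.example.net\`` become part of the value, since as far as I know Compose's `.env` parsing does not treat backticks as quoting; `${FQDN}` then expands with them into the `redirectregex` and `Host()` labels in docker-compose.yml, and the router rule no longer matches the real host name. Writing the value bare, `FQDN=pi-hole.example.net`, makes the example usable as README step 2 describes.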