Configuration for Pi-hole

.gitignore

@@ -0,0 +1,4 @@
+.env
+conf/
+etc-pihole/
+etc-dnsmasq.d/

README.md

@@ -1,2 +1,28 @@
-# tpl.docker-compose
+# Pi-hole deployment
 
+## Quick Start
+
+1. Copy `env.example` to `.env`
+
+2. Edit `.env` to adapt the Fully Qualified Domain Name (FQDN) of the Pi-hole
+   container.
+
+   This is used by Traefik to redirect requests to the web interface.
+
+3. `docker-compose up -d`
+
+4. Go to the Web interface at https://pi-hole.example.net, and adapt
+   the settings as needed for your setup.
+
+   For example:
+  
+   * **Settings** -> **DNS** -> **Upstream DNS Servers**:
+     Add at least one upstream server.
+  
+   * **Settings** -> **DNS** -> **Upstream DNS Servers**:
+     Enable **Use Conditional Forwarding** and configure it.
+   
+   * **Settings** -> **DHCP**:
+     Disable **DHCP server enabled** if you are using another DHCP server,
+     which is assumed in this repository.
+   

docker-compose.yml

@@ -0,0 +1,59 @@
+version: "3.8"
+
+networks:
+  proxy_infra:
+    external: true
+
+# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
+services:
+  pihole:
+    image: pihole/pihole:latest
+    ports:
+      # LSC: I am not relying on Traefik to proxy DNS, in order to not loose
+      #      name resolution when restarting the reverse proxy.
+      - "53:53/tcp"
+      - "53:53/udp"
+      # LSC: No need for DHCP, already handeld.
+      #      This is for BOOTP, taken over by DHCP.
+      #- "67:67/udp"
+      # Web UI handled through Traefik
+      #- "9000:80/tcp"
+    environment:
+      TZ: "Europe/Zurich"
+      WEBPASSWORD_FILE: "/webpassword"
+    # Volumes store your data between container upgrades
+    volumes:
+      - "./conf/webpassword:/webpassword:ro"
+      - "./etc-pihole/:/etc/pihole/:rw"
+      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/:rw"
+      - "./etc-pihole-updatelists:/etc/pihole-updatelists/:rw"
+    # Recommended but not required (DHCP needs NET_ADMIN)
+    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+    # LSC: Commented out, DHCP already handeld
+    #cap_add:
+    #  - NET_ADMIN
+    restart: always
+    networks:
+      - proxy_infra
+      - default
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy_infra"
+      - "traefik.http.services.pihole.loadbalancer.server.port=80"
+
+      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.permanent=true"
+      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.regex=https://${FQDN}/?$$"
+      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.replacement=https://${FQDN}/admin"
+      # Priority goes from first in the list to last.
+      - "traefik.http.middlewares.pihole.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"
+
+      # Pi-Hole
+      - "traefik.http.routers.pihole.service=pihole"
+      - "traefik.http.routers.pihole.entrypoints=web-secure"
+      # Do not filter on prefix, otherwise the redirect does not work...
+      - "traefik.http.routers.pihole.rule=Host(`${FQDN}`)"
+      - "traefik.http.routers.pihole.tls=true"
+      # Not using Letsencrypt, as this service is not accessible from outside
+      # the LAN, and no wildcard domain certificate yet.
+      #- "traefik.http.routers.pihole.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.pihole.middlewares=pihole,net-home@file,auth-traefik@file,pi-hole-redirect"

env.example

@@ -0,0 +1 @@
+FQDN=`pi-hole.example.net`