bfren edited this page Sep 15, 2023 · 5 revisions

I have long been wanting to migrate my setup to Docker, but with Pi-Hole at the heart of my network, there be dragons! The upcoming (presumably) release of Raspberry Pi OS based on Bookworm made me decide to bite the bullet.

So here we have it: a Docker Compose file that will fire up Unbound as the DNS resolver, Pi-Hole for network-level ad blocking, and WireGuard so I can enjoy the benefits of my ad blocking wherever I am in the world.

To make full use of it you need a proxy server (e.g. mine) so you can access the Pi-Hole admin interface over HTTPS.

You also need to map and open up some ports so you can access WireGuard from outside your network. The setup below uses default values but you could very easily change them to be more obscure.

.env

```env
# timezone to share between the containers
TIMEZONE=Europe/London

# the IP range you want the DNS containers to run in
IP_RANGE=10.5.0

# the external IP address / domain peers will use to connect to WireGuard
WIREGUARD_EXTERNAL_ADDRESS=

# space-separated list of WireGuard peers
WIREGUARD_PEERS=

# the name of the Pi-Hole host (otherwise you get a hash)
PIHOLE_HOST=pihole

# password to secure the Pi-Hole administration site
PIHOLE_ADMIN_PASSWORD=
```

docker-compose.yml

```yaml
version: "3.8"

services:
  unbound:
    image: bfren/unbound
    container_name: unbound
    restart: unless-stopped
    environment:
      - TZ=${TIMEZONE}
    networks:
      dns:
        ipv4_address: ${IP_RANGE}.2

  pihole:
    image: pihole/pihole
    container_name: pihole
    depends_on:
      - unbound
    restart: unless-stopped
    ports:
      - "0.0.0.0:53:53/tcp"
      - "0.0.0.0:53:53/udp"
    environment:
      - TZ=${TIMEZONE}
      - VIRTUAL_HOST=${PIHOLE_HOST}
      - WEBPASSWORD=${PIHOLE_ADMIN_PASSWORD}
    volumes:
      - ./v/pihole:/etc/pihole
      - ./v/dnsmasq:/etc/dnsmasq.d
    networks:
      dns:
        ipv4_address: ${IP_RANGE}.3
      proxy:

  wireguard:
    image: bfren/wireguard
    container_name: wireguard
    restart: unless-stopped
    depends_on:
      - pihole
    cap_add:
      - NET_ADMIN
    ports:
      - "0.0.0.0:51820:51820/udp"
    environment:
      - TZ=${TIMEZONE}
      - WIREGUARD_EXTERNAL_ADDRESS=${WIREGUARD_EXTERNAL_ADDRESS}
      - WIREGUARD_PEERS=${WIREGUARD_PEERS}
      - WIREGUARD_DNS=${IP_RANGE}.3
    volumes:
      - ./v/wireguard:/config
    networks:
      dns:
        ipv4_address: ${IP_RANGE}.4

networks:
  dns:
    name: dns
    ipam:
      driver: default
      config:
        - subnet: ${IP_RANGE}.0/16
  proxy:
    external: true
```
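Because Compose substitutes `${...}` values from `.env` verbatim, a blank `PIHOLE_ADMIN_PASSWORD` or a malformed `IP_RANGE` only shows up once the containers are running. The pre-flight script below is an added example for this page (not part of the original wiki or of the bfren images): it reads the `.env` keys used above, flags empty or short values, checks that `IP_RANGE` is exactly three dotted octets (the compose file appends `.2`, `.3`, `.4` and `.0/16` to it), and prints the addresses each container will get. The sample `.env` it writes is constructed for the demonstration, with the password deliberately left blank so the check has something to report.

```shell
#!/bin/sh
# Pre-flight check for the .env used by the Unbound + Pi-Hole + WireGuard stack.
# Added example, not the page's own code; assumes only the variable names from the .env template above.

# Print the value of KEY from an env file: first "KEY=value" line (comments ignored), surrounding quotes stripped.
env_get() {
  eg_line=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1)
  eg_line=${eg_line%\"}
  eg_line=${eg_line#\"}
  printf '%s' "$eg_line"
}

# Return 0 if $1 is exactly three dotted decimal octets, each 0-255.
valid_range() {
  case "$1" in
    *[!0-9.]* | .* | *. | *..* | *.*.*.*) return 1 ;;   # bad characters, empty octet, or four-plus octets
    *.*.*) ;;                                           # candidate with exactly three octets
    *) return 1 ;;
  esac
  vr_old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$vr_old_ifs
  for vr_octet in "$@"; do
    [ "$vr_octet" -le 255 ] || return 1
  done
  return 0
}

# Validate the .env at $1; prints one line per finding and returns the number of findings (0 = clean).
check_env() {
  ce_file=$1
  ce_findings=0
  for ce_key in TIMEZONE IP_RANGE WIREGUARD_EXTERNAL_ADDRESS WIREGUARD_PEERS PIHOLE_HOST PIHOLE_ADMIN_PASSWORD; do
    if [ -z "$(env_get "$ce_file" "$ce_key")" ]; then
      echo "EMPTY: $ce_key (compose will pass an empty string into the container environment)"
      ce_findings=$((ce_findings + 1))
    fi
  done

  # WEBPASSWORD is set verbatim from PIHOLE_ADMIN_PASSWORD, so a short value protects the admin UI poorly.
  ce_pw=$(env_get "$ce_file" PIHOLE_ADMIN_PASSWORD)
  if [ -n "$ce_pw" ] && [ "${#ce_pw}" -lt 12 ]; then
    echo "WEAK: PIHOLE_ADMIN_PASSWORD is shorter than 12 characters"
    ce_findings=$((ce_findings + 1))
  fi

  ce_range=$(env_get "$ce_file" IP_RANGE)
  if valid_range "$ce_range"; then
    echo "OK: unbound=$ce_range.2 pihole=$ce_range.3 wireguard=$ce_range.4 subnet=$ce_range.0/16"
  else
    echo "BAD: IP_RANGE='$ce_range' is not three dotted octets, so the compose addresses will be invalid"
    ce_findings=$((ce_findings + 1))
  fi
  return "$ce_findings"
}

# Write a constructed sample .env to $1 with the admin password given as $2 (may be empty).
write_sample_env() {
  cat > "$1" <<EOF
# timezone to share between the containers
TIMEZONE=Europe/London
IP_RANGE=10.5.0
WIREGUARD_EXTERNAL_ADDRESS=vpn.example.invalid
WIREGUARD_PEERS="laptop phone"
PIHOLE_HOST=pihole
PIHOLE_ADMIN_PASSWORD=$2
EOF
}

sample=$(mktemp)
write_sample_env "$sample" ""
if check_env "$sample"; then
  echo "clean"
else
  echo "findings: $?"
fi
rm -f "$sample"
```

Run it against the real file with `check_env .env` from a shell that has sourced the functions; it exits non-zero when anything needs attention, so it can sit in front of `docker compose up` in a deployment script.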