169 lines
6.5 KiB
YAML
169 lines
6.5 KiB
YAML
# =============================================================================
|
|
# PI-HOLE - NETWORK-WIDE AD BLOCKING AND DNS FILTERING
|
|
# =============================================================================
|
|
#
|
|
# SERVICE OVERVIEW:
|
|
# - Network-wide ad blocking and DNS filtering
|
|
# - Custom DNS server with blacklist/whitelist management
|
|
# - DHCP server capability (if needed)
|
|
# - Query logging and analytics dashboard
|
|
# - Local DNS resolution for homelab services
|
|
#
|
|
# DISASTER RECOVERY PRIORITY: HIGH
|
|
# - Critical for network functionality and security
|
|
# - Provides DNS resolution for homelab services
|
|
# - Blocks malicious domains and ads network-wide
|
|
# - Essential for maintaining network performance
|
|
#
|
|
# RECOVERY TIME OBJECTIVE (RTO): 15 minutes
|
|
# RECOVERY POINT OBJECTIVE (RPO): 24 hours (DNS logs and settings)
|
|
#
|
|
# DEPENDENCIES:
|
|
# - Volume1 for configuration and logs
|
|
# - Host network access for DNS (port 53)
|
|
# - Router configuration to use Pi-hole as DNS server
|
|
# - Internet connectivity for blocklist updates
|
|
#
|
|
# NETWORK IMPACT:
|
|
# - All devices use Pi-hole for DNS resolution
|
|
# - Router DNS settings: 192.168.1.100 (primary)
|
|
# - Fallback DNS: 1.1.1.1, 8.8.8.8 (if Pi-hole fails)
|
|
#
|
|
# =============================================================================
|
|
|
|
version: '3.3'
|
|
|
|
services:
|
|
pihole:
|
|
# CONTAINER IMAGE:
|
|
# - pihole/pihole: Official Pi-hole image
|
|
# - Includes DNS server, web interface, and FTL (Faster Than Light) daemon
|
|
# - Regular updates with new blocklists and security patches
|
|
image: pihole/pihole
|
|
|
|
# CONTAINER IDENTIFICATION:
|
|
# - pihole: Clear identification for logs and management
|
|
# - Used in network configuration and monitoring
|
|
container_name: pihole
|
|
|
|
environment:
|
|
# WEB INTERFACE CONFIGURATION:
|
|
# - WEB_PORT=9000: Custom web interface port (default 80)
|
|
# - Avoids conflicts with other web services
|
|
# - Accessible at: http://atlantis.vish.local:9000/admin
|
|
- WEB_PORT=9000
|
|
|
|
# ADMIN PASSWORD:
|
|
# - WEBPASSWORD: "REDACTED_PASSWORD" for Pi-hole admin interface
|
|
# - SECURITY WARNING: Change this password immediately
|
|
# - TODO: Move to secrets management or environment file
|
|
- WEBPASSWORD="REDACTED_PASSWORD" # pragma: allowlist secret # TODO: CHANGE THIS PASSWORD
|
|
|
|
# NETWORK CONFIGURATION:
|
|
# - FTLCONF_LOCAL_IPV4: Pi-hole's IP address for DNS responses
|
|
# - NOTE: This should match the actual NAS IP (192.168.1.100)
|
|
# - TODO: Update to correct IP address
|
|
- FTLCONF_LOCAL_IPV4=10.0.0.250 # TODO: Fix IP address
|
|
|
|
# TIMEZONE CONFIGURATION:
|
|
# - TZ: Timezone for logs and query timestamps
|
|
# - NOTE: Typo in timezone (should be America/Los_Angeles)
|
|
# - Used for accurate log timestamps and statistics
|
|
- TZ=American/Los_Angeles # TODO: Fix timezone typo
|
|
|
|
# DNS DAEMON CONFIGURATION:
|
|
# - DNSMASQ_USER=root: User for dnsmasq DNS server
|
|
# - DNSMASQ_LISTENING=local: Listen only on local interfaces
|
|
# - Security: Prevents DNS amplification attacks
|
|
- DNSMASQ_USER=root
|
|
- DNSMASQ_LISTENING=local
|
|
|
|
volumes:
|
|
# DNSMASQ CONFIGURATION:
|
|
# - /volume1/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
|
|
# - Contains: Custom DNS configurations, local DNS entries
|
|
# - Used for: Local domain resolution (*.vish.local)
|
|
# - BACKUP IMPORTANT: Custom DNS configurations
|
|
- /volume1/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
|
|
|
|
# PI-HOLE CONFIGURATION AND DATA:
|
|
# - /volume1/docker/pihole/pihole:/etc/pihole
|
|
# - Contains: Blocklists, whitelists, query logs, settings
|
|
# - BACKUP CRITICAL: All Pi-hole configuration and history
|
|
# - Size: ~100MB-1GB depending on log retention
|
|
- /volume1/docker/pihole/pihole:/etc/pihole
|
|
|
|
# NETWORK CONFIGURATION:
|
|
# - host: Required for DNS server functionality
|
|
# - Allows Pi-hole to bind to port 53 (DNS)
|
|
# - Enables DHCP server functionality if needed
|
|
# - SECURITY NOTE: Exposes all container ports to host
|
|
network_mode: host
|
|
|
|
# RESTART POLICY:
|
|
# - always: Container restarts automatically on failure or reboot
|
|
# - CRITICAL: DNS service must be always available
|
|
# - Network functionality depends on Pi-hole availability
|
|
restart: unless-stopped
|
|
|
|
# =============================================================================
|
|
# DISASTER RECOVERY PROCEDURES - PI-HOLE
|
|
# =============================================================================
|
|
#
|
|
# BACKUP COMMANDS:
|
|
# # Configuration backup:
|
|
# tar -czf /volume2/backups/pihole-$(date +%Y%m%d).tar.gz /volume1/docker/pihole/
|
|
#
|
|
# # Settings export (via web interface):
|
|
# # Admin > Settings > Teleporter > Backup
|
|
# # Save backup file to secure location
|
|
#
|
|
# RESTORE PROCEDURE:
|
|
# 1. Stop container: docker-compose -f pihole.yml down
|
|
# 2. Restore data: tar -xzf pihole-backup.tar.gz -C /volume1/docker/
|
|
# 3. Fix permissions: chown -R root:root /volume1/docker/pihole/
|
|
# 4. Start container: docker-compose -f pihole.yml up -d
|
|
# 5. Verify DNS: nslookup google.com 192.168.1.100
|
|
# 6. Check web interface: http://atlantis.vish.local:9000/admin
|
|
#
|
|
# NETWORK CONFIGURATION (Post-Recovery):
|
|
# 1. Router DNS settings:
|
|
# Primary DNS: 192.168.1.100 (Pi-hole)
|
|
# Secondary DNS: 1.1.1.1 (Cloudflare backup)
|
|
#
|
|
# 2. Local DNS entries (add to dnsmasq.d/02-local.conf):
|
|
# address=/atlantis.vish.local/192.168.1.100
|
|
# address=/calypso.vish.local/192.168.1.101
|
|
# address=/concord-nuc.vish.local/192.168.1.102
|
|
#
|
|
# 3. Test local resolution:
|
|
# nslookup atlantis.vish.local
|
|
# nslookup plex.vish.local
|
|
#
|
|
# TROUBLESHOOTING:
|
|
# - DNS not working: Check port 53 availability, verify host networking
|
|
# - Web interface inaccessible: Check WEB_PORT setting and firewall
|
|
# - Slow DNS resolution: Check upstream DNS servers and network connectivity
|
|
# - Blocklists not updating: Verify internet connectivity and cron jobs
|
|
#
|
|
# EMERGENCY DNS FALLBACK:
|
|
# If Pi-hole fails completely:
|
|
# 1. Router > DHCP Settings > DNS Servers
|
|
# 2. Change to: 1.1.1.1, 8.8.8.8
|
|
# 3. Restart router DHCP or reboot devices
|
|
# 4. Restore Pi-hole service as soon as possible
|
|
#
|
|
# MONITORING AND HEALTH CHECKS:
|
|
# - DNS test: nslookup google.com 192.168.1.100
|
|
# - Web interface: curl -f http://localhost:9000/admin/
|
|
# - Query logs: docker exec pihole tail -f /var/log/pihole.log
|
|
# - Blocklist status: Check admin interface > Tools > Update Gravity
|
|
#
|
|
# SECURITY CONSIDERATIONS:
|
|
# - Change default admin password immediately
|
|
# - Regularly update blocklists
|
|
# - Monitor query logs for suspicious activity
|
|
# - Consider enabling DNSSEC validation
|
|
#
|
|
# =============================================================================
|