pihole unbound

This commit is contained in:
Roger Oriol
2026-06-28 09:34:43 +02:00
parent d00c6fb63d
commit 22ef2a38b2
2 changed files with 176 additions and 4 deletions


@@ -5,6 +5,66 @@ metadata:
name: pihole name: pihole
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap
metadata:
name: unbound-config
namespace: pihole
data:
unbound.conf: |
server:
# Listen only on loopback so only the co-located pihole can query it
interface: 127.0.0.1
port: 5335
# IPv4 only for simplicity
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
# Recursive resolver: do not use any forwarders, start from the root servers
root-hints: "/opt/unbound/etc/unbound/root.hints"
# DNSSEC / hardening
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
# Performance / privacy
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
aggressive-nsec: yes
edns-buffer-size: 1232
num-threads: 1
so-rcvbuf: 1m
# RFC1918 / link-local addresses should never come back from the internet
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# Hide identity / version
hide-identity: yes
hide-version: yes
---
# Pi-hole config that points dnsmasq at the local unbound sidecar.
# Mounted into /etc/dnsmasq.d so it is read on (re)start.
apiVersion: v1
kind: ConfigMap
metadata:
name: pihole-dnsmasq-config
namespace: pihole
data:
99-unbound.conf: |
# Use the recursive unbound sidecar as the only upstream DNS
server=127.0.0.1#5335
---
apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: pihole-pvc name: pihole-pvc
@@ -16,6 +76,18 @@ spec:
requests: requests:
storage: 1Gi storage: 1Gi
--- ---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unbound-pvc
namespace: pihole
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@@ -33,11 +105,31 @@ spec:
labels: labels:
app: pihole app: pihole
spec: spec:
# The pod itself still needs DNS to (e.g.) download blocklists on gravity
# updates. Use the cluster DNS / a public resolver for that - it is NOT
# used to answer client queries, which go through the unbound sidecar.
dnsPolicy: "None" dnsPolicy: "None"
dnsConfig: dnsConfig:
nameservers: nameservers:
- 8.8.8.8 - 8.8.8.8
- 8.8.4.4 - 8.8.4.4
initContainers:
- name: unbound-root-hints
image: curlimages/curl:8.12.1
command:
- /bin/sh
- -c
- |
set -e
if [ ! -s /opt/unbound/etc/unbound/root.hints ]; then
echo "Downloading root hints..."
curl -fsSL https://www.internic.net/domain/named.root -o /opt/unbound/etc/unbound/root.hints
else
echo "Root hints already present, skipping download."
fi
volumeMounts:
- name: unbound-data
mountPath: /opt/unbound/etc/unbound
containers: containers:
- name: pihole - name: pihole
image: pihole/pihole:latest image: pihole/pihole:latest
@@ -72,8 +164,9 @@ spec:
volumeMounts: volumeMounts:
- name: pihole-data - name: pihole-data
mountPath: /etc/pihole mountPath: /etc/pihole
#- name: pihole-dnsmasq - name: pihole-dnsmasq-config
#mountPath: /etc/dnsmasq.d mountPath: /etc/dnsmasq.d/99-unbound.conf
subPath: 99-unbound.conf
resources: resources:
requests: requests:
memory: "256Mi" memory: "256Mi"
@@ -87,12 +180,51 @@ spec:
- NET_ADMIN - NET_ADMIN
- SYS_TIME - SYS_TIME
- SYS_NICE - SYS_NICE
- name: unbound
image: mvance/unbound:latest
ports:
- containerPort: 5335
name: unbound-dns-tcp
protocol: TCP
- containerPort: 5335
name: unbound-dns-udp
protocol: UDP
volumeMounts:
- name: unbound-config
mountPath: /opt/unbound/etc/unbound/unbound.conf
subPath: unbound.conf
- name: unbound-data
mountPath: /opt/unbound/etc/unbound
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "256Mi"
cpu: "500m"
livenessProbe:
tcpSocket:
port: 5335
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
tcpSocket:
port: 5335
initialDelaySeconds: 5
periodSeconds: 10
volumes: volumes:
- name: pihole-data - name: pihole-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: pihole-pvc claimName: pihole-pvc
#- name: pihole-dnsmasq - name: unbound-data
#emptyDir: {} persistentVolumeClaim:
claimName: unbound-pvc
- name: unbound-config
configMap:
name: unbound-config
- name: pihole-dnsmasq-config
configMap:
name: pihole-dnsmasq-config
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
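Review bot: The liveness and readiness probes on the new unbound container (`tcpSocket:` / `port: 5335`) will fail as written, because a tcpSocket probe connects to the pod IP by default while the unbound.conf in the ConfigMap binds only `interface: 127.0.0.1`; add `host: 127.0.0.1` under each `tcpSocket` so the kubelet probes the loopback listener, otherwise the container is restarted by liveness and never becomes ready (the pod spec header is outside the hunk, so a hostNetwork setting there would change this). The `# DNSSEC / hardening` stanza does not actually turn on validation: unbound only validates when a trust anchor is configured (`auto-trust-anchor-file: "<path on the unbound-data volume>/root.key"`), and because the `unbound-data` PVC is mounted over `/opt/unbound/etc/unbound` any anchor the image ships under that directory is hidden, so the init container would also need to provision the anchor (e.g. with `unbound-anchor`) next to root.hints; the same conf text is duplicated in the new standalone file in this commit, so the fix belongs in both. Finally, `image: mvance/unbound:latest` is unpinned while the curl init image is pinned to `8.12.1`; pin the resolver image to a tag or digest so the client DNS path is reproducible and reviewable.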


@@ -0,0 +1,40 @@
server:
# Listen only on loopback so only the co-located pihole can query it
interface: 127.0.0.1
port: 5335
# IPv4 only for simplicity
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
# Recursive resolver: do not use any forwarders, start from the root servers
root-hints: "/opt/unbound/etc/unbound/root.hints"
# DNSSEC / hardening
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
# Performance / privacy
prefetch: yes
prefetch-key: yes
qname-minimisation: yes
aggressive-nsec: yes
edns-buffer-size: 1232
num-threads: 1
so-rcvbuf: 1m
# RFC1918 / link-local addresses should never come back from the internet
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# Hide identity / version
hide-identity: yes
hide-version: yes
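Review bot: This standalone unbound.conf is not referenced anywhere in the commit, which inlines the identical text in the `unbound-config` ConfigMap of the first file, so the two copies will drift unless one is generated from the other; presumably a configMapGenerator or similar consumes this file, but nothing in the diff shows it. Add a header comment at the top of the file stating which copy is authoritative, e.g. `# Source of truth for the unbound-config ConfigMap; regenerate the manifest after editing this file.` (or the reverse, if the ConfigMap is authoritative and this file is a reference copy).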