Initial commit
commit
698e8bc5f7
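--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.idea/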
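--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,34 @@
+stages:
+  - test
+  - release
+
+# Test if the image can be built
+test:build:
+  stage: test
+  tags:
+    - test
+    - build
+  image: docker:latest
+  script:
+    - docker build .
+  interruptible: true
+  only:
+    - master
+
+# Push images of tags to private registry
+release:image:
+  stage: release
+  tags:
+    - release
+    - build
+  image: docker:latest
+  script:
+    - docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}" "${DOCKER_REGISTRY_HOST}"
+    - echo "Building image..."
+    - docker build -t "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:"${CI_COMMIT_TAG}" -t "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:latest .
+    - echo "Pushing tags..."
+    - docker push "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:"${CI_COMMIT_TAG}"
+    - docker push "${DOCKER_REGISTRY_HOST}"/gkcld/unbound:latest
+  interruptible: false
+  only:
+    - tags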
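Review bot: `docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}" "${DOCKER_REGISTRY_HOST}"` in the release:image script hands the registry password over as a command-line argument, where it is readable in the runner's process table and triggers docker's own "--password via the CLI is insecure" warning; use `echo "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin "${DOCKER_REGISTRY_HOST}"` instead. Both jobs run on `image: docker:latest`, so the CLI that builds and pushes the release can change silently between runs; pin a specific tag (and ideally a digest). The release job triggers on `only: - tags` and re-points `:latest` on every push, so any tag a contributor can create publishes a production image, and pushing an older tag later moves `latest` backwards — restrict the job to protected tags and consider updating `:latest` only from the newest tag.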
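--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,27 @@
+FROM alpine:3.15.0
+
+# Install required dependencies to build unbound (and bind-tools for dig in healthcheck)
+RUN apk update && apk add --no-cache alpine-sdk bind-tools expat-dev git libressl-dev
+
+# Clone and build unbound source (https://github.com/NLnetLabs/unbound)
+RUN mkdir -p /tmp/unbound
+RUN git clone --depth 1 --branch 'release-1.14.0' https://github.com/NLnetLabs/unbound.git /tmp/unbound
+RUN cd /tmp/unbound && ./configure && make && make install
+
+# Cleanup build tools
+RUN apk del alpine-sdk expat-dev git
+RUN rm -rf /tmp/*
+
+# Prepare unbound files
+COPY entrypoint.sh /
+RUN mkdir -p /srv/unbound
+COPY unbound.conf /srv/unbound/unbound.conf
+
+# Prepare
+RUN adduser unbound --disabled-password
+
+# Health
+HEALTHCHECK --interval=60s --timeout=3s --retries=2 \
+    CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1
+
+ENTRYPOINT ["sh", "/entrypoint.sh"]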
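Review bot: The image never switches to the `unbound` account created by `RUN adduser unbound --disabled-password`: there is no `USER` instruction and `ENTRYPOINT ["sh", "/entrypoint.sh"]` starts the daemon as root, so the only privilege drop is unbound's own `username:` setting, which unbound.conf in this commit does not set and which therefore relies on the `./configure` default — set `username: "unbound"` explicitly in the config so the drop is not implicit. `git clone --depth 1 --branch 'release-1.14.0'` pins a tag name rather than a commit and tags can be moved, so record the expected commit in an `ARG` and fail the build when `git -C /tmp/unbound rev-parse HEAD` differs. `apk del alpine-sdk expat-dev git` and `rm -rf /tmp/*` run in later layers, so the toolchain, git and the checked-out source remain in the image history; compiling in a first stage and `COPY --from`-ing the installed tree into a fresh `alpine:3.15.0` that only adds `bind-tools` and the runtime libraries removes them for real. `dig` exits 0 on SERVFAIL and NXDOMAIN, so the HEALTHCHECK only detects a dead listener; `CMD dig +short ns1.gkcld.net @127.0.0.1 +dnssec | grep -q . || exit 1` also fails when no answer comes back, though the probe still depends on an external zone being reachable from the container.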
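--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# A recursive, caching DNS resolver with some optimizations
+
+Needs to run with `--privileged` to allow increased cache size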
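--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,10 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+## [Unreleased]
+
+## [1.14.0]
+- Initial release with `unbound 1.14.0` [major]
+
+## [0.0.1] - 2022-01-22
+- Birth of the project! [patch]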
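--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo 'Starting unbound...'
+unbound -V
+unbound -c /srv/unbound/unbound.conf -d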
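Review bot: The last line runs `unbound -c /srv/unbound/unbound.conf -d` as a child of the shell instead of replacing it, so unbound is not PID 1 and the SIGTERM from `docker stop` reaches a `sh` that does not forward it, leaving the daemon to be SIGKILLed after the timeout; change it to `exec unbound -c /srv/unbound/unbound.conf -d`. The `#!/bin/bash` shebang names an interpreter the Dockerfile never installs on alpine — it only works because the ENTRYPOINT invokes `sh /entrypoint.sh` explicitly — so use `#!/bin/sh` and add `set -eu` after it so an earlier failure aborts rather than falling through to the next command.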
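--- /dev/null
+++ b/unbound.conf
@@ -0,0 +1,55 @@
+# https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+server:
+    # If no logfile is specified, syslog is used
+    #logfile: "/var/log/unbound/unbound.log"
+    verbosity: 0
+
+    interface: 0.0.0.0
+    port: 53
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: yes
+
+    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+    prefer-ip6: no
+
+    # Use this when you want to maually add/update the root.hints file
+    # Otherwise, the hints included in the unbound package at the time the image was built will be used
+    #root-hints: "/var/lib/unbound/root.hints"
+
+    # Trust glue only if it is within the server's authority
+    harden-glue: yes
+
+    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    harden-dnssec-stripped: yes
+
+    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+    use-caps-for-id: no
+
+    # Reduce EDNS reassembly buffer size.
+    # Suggested by the unbound man page to reduce fragmentation reassembly problems
+    edns-buffer-size: 1472
+
+    # Perform prefetching of close to expired message cache entries
+    # This only applies to domains that have been frequently queried
+    prefetch: yes
+
+    # Reduce latency by serving the outdated record before updating it
+    serve-expired: yes
+
+    # more cache memory, rrset=msg*2
+    rrset-cache-size: 64m
+    msg-cache-size: 32m
+
+    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+    num-threads: 1
+
+    # Larger socket buffer. OS may need config.
+    so-rcvbuf: 2m
+    so-sndbuf: 2m
+
+    # Allow from adguard subnet (see docker-compose adguard network)
+    access-control: 0.0.0.0/0 allow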
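Review bot: `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0` turns this into an open recursive resolver on any network the container's port 53 is published to, and the comment directly above it says the intent is to allow only the adguard subnet; replace the CIDR with that docker-compose network's range (leaving everything else at unbound's default refuse) so a mistakenly published port cannot be used for reflection/amplification. No trust anchor is configured — neither `auto-trust-anchor-file` nor `trust-anchor-file` appears — so despite `harden-dnssec-stripped: yes` this resolver performs no DNSSEC validation and the healthcheck's `+dnssec` merely requests records; run `unbound-anchor -a /srv/unbound/root.key` during the image build and add `auto-trust-anchor-file: "/srv/unbound/root.key"` (writable by the unbound user) under `server:`. `verbosity: 0` with `logfile:` commented out leaves nothing to investigate a problem with; `verbosity: 1` keeps operational errors visible at negligible cost.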