Standarize unbound, prepare for setup inclusion

- Use jinja template for configuration file (start.py)
- Limit access to the Mailu subnet
- Implement health checks
master
Tim Möhlmann 6 years ago
parent 40d8e65762
commit bcfce27ee2
No known key found for this signature in database
GPG Key ID: AFABC30066A39335

@ -1,14 +0,0 @@
FROM alpine:3.8
RUN apk add --no-cache unbound curl \
&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
&& chown root:unbound /etc/unbound \
&& chmod 775 /etc/unbound \
&& apk del --no-cache curl \
&& /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
COPY unbound.conf /etc/unbound/unbound.conf
EXPOSE 53/udp 53/tcp
CMD /usr/sbin/unbound

@ -0,0 +1,18 @@
FROM python:3-alpine
RUN apk add --no-cache unbound curl bind-tools \
&& pip3 install jinja2 \
&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
&& chown root:unbound /etc/unbound \
&& chmod 775 /etc/unbound \
&& apk del --no-cache curl \
&& /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
COPY start.py /start.py
COPY unbound.conf /unbound.conf
EXPOSE 53/udp 53/tcp
CMD /start.py
HEALTHCHECK CMD dig @127.0.0.1 || exit 1
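Review bot: The base image and the Python dependency are unpinned in the new Dockerfile: `FROM python:3-alpine` floats across Python and Alpine releases, and `pip3 install jinja2` takes whatever version is current at build time, so rebuilds of this resolver image are not reproducible and pick up upstream changes unreviewed. Pin both, for example `FROM python:<pinned-tag>-alpine` and `pip3 install --no-cache-dir jinja2==<pinned-version>`. The trailing `| true` on the `unbound-anchor` line also discards that command's exit status through a pipe; `|| true` expresses the same intent without connecting its stdout to a process that never reads it.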

@ -0,0 +1,9 @@
#!/usr/local/bin/python3
import jinja2
import os
convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
convert("/unbound.conf", "/etc/unbound/unbound.conf")
os.execv("/usr/sbin/unbound", ["-c /etc/unbound/unbound.conf"])
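Review bot: In the `os.execv` call the list is the full argv, so `"-c /etc/unbound/unbound.conf"` becomes argv[0] (the program name) and unbound receives no `-c` option at all; the daemon presumably starts only because that path matches its built-in default. Pass the program name and split the option: `os.execv("/usr/sbin/unbound", ["unbound", "-c", "/etc/unbound/unbound.conf"])`. Separately, `render(**os.environ)` uses jinja2's default undefined handling, so a missing `SUBNET` renders as an empty string in the `access-control` line instead of failing in start.py. Constructing the template with `undefined=jinja2.StrictUndefined` makes the container stop with a clear error before unbound reads a malformed ACL.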

@ -8,9 +8,9 @@ server:
do-udp: yes
do-tcp: yes
do-daemonize: no
access-control: 0.0.0.0/0 allow
access-control: {{ SUBNET }} allow
directory: "/etc/unbound"
username: unbound
username: root
auto-trust-anchor-file: trusted-key.key
root-hints: "/etc/unbound/root.hints"
hide-identity: yes
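Review bot: The `username:` line appears to change from `unbound` to `root` in this hunk, which means the resolver no longer drops privileges after binding port 53 and parses network input as root inside the container. The commit message gives no reason for it. If the cause is that the unprivileged user cannot write the rendered config or `trusted-key.key`, fixing ownership of those files in the image is preferable, keeping `username: unbound`. The `server:` block continues outside the hunk.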

@ -6,8 +6,8 @@ services:
image: ${DOCKER_ORG:-mailu}/nginx:${VERSION:-local}
build: ../core/nginx
unbound:
image: $DOCKER_ORG/unbound:$VERSION
resolver:
image: ${DOCKER_ORG:-mailu}/unbound:${VERSION:-local}
build: ../core/unbound
imap:
