├── heimdall ├── .env.template ├── README.md └── docker-compose.yml ├── Uptime-kuma ├── .env.template ├── README.md └── docker-compose.yml ├── tailscale ├── .env.template ├── README.md └── docker-compose.yml ├── pihole ├── .env.template ├── README.md ├── docker-compose.yml └── config files │ └── unbound.conf ├── Grass ├── docker-compose.yml └── README.md ├── nexcloud ├── README.md ├── .env.template └── docker-compose.yml ├── HomeAssistant └── docker-compose.yml ├── LICENSE └── README.md /heimdall/.env.template: -------------------------------------------------------------------------------- 1 | HEIMDALL_CONFIG_VOLUME = # Host directory for Heimdall configuration files -------------------------------------------------------------------------------- /Uptime-kuma/.env.template: -------------------------------------------------------------------------------- 1 | KUMA_CONFIG_VOLUME = # Host directory for Uptime-kuma configuration files 2 | -------------------------------------------------------------------------------- /tailscale/.env.template: -------------------------------------------------------------------------------- 1 | TAILSCALE_CONFIG_VOLUME= # Host directory for Tailscale state/configuration files 2 | TAILSCALE_STATIC_IP= # Static IP for Tailscale container 3 | TS_AUTHKEY= # Tailscale auth key (a secret: keep the filled-in .env out of version control) 4 | -------------------------------------------------------------------------------- /heimdall/README.md: -------------------------------------------------------------------------------- 1 | Paste the Docker Compose File In the **Web editor** tab: 2 | - Enter a name for your stack in the **Name** field (e.g., `my-stack`). 3 | - Copy and paste your `docker-compose.yml` content into the editor below. 
4 | - Insert .env variables (see `.env.template` for more information) 5 | -------------------------------------------------------------------------------- /tailscale/README.md: -------------------------------------------------------------------------------- 1 | Paste the Docker Compose File In the **Web editor** tab: 2 | - Enter a name for your stack in the **Name** field (e.g., `my-stack`). 3 | - Copy and paste your `docker-compose.yml` content into the editor below. 4 | - Insert .env variables (see `.env.template` for more information) 5 | 6 | Pi-hole Tailscale implementation: https://tailscale.com/kb/1114/pi-hole 7 | -------------------------------------------------------------------------------- /Uptime-kuma/README.md: -------------------------------------------------------------------------------- 1 | Paste the Docker Compose File In the **Web editor** tab: 2 | - Enter a name for your stack in the **Name** field (e.g., `my-stack`). 3 | - Copy and paste your `docker-compose.yml` content into the editor below. 
4 | - Insert .env variables (see `.env.template` for more information) 5 | 6 | Set up notifications video https://www.youtube.com/watch?v=py68mv_vyi8&t=583s 7 | -------------------------------------------------------------------------------- /pihole/.env.template: -------------------------------------------------------------------------------- 1 | TZ= # Add your timezone here 2 | WEBPASSWORD= # Add your Pi-hole admin password here (a secret: keep the filled-in .env out of version control) 3 | PIHOLE_CONFIG_VOLUME= # Add your pihole config here 4 | PIHOLE_CONFIG_VOLUME_DNSMASQ= # Add your pihole config dnsmasq here 5 | PIHOLE_STATIC_IP= # Add your pihole static ip here 6 | UNBOUND_CONFIG_VOLUME= # Add your unbound config here DO NOT FORGET TO ADD THE unbound.conf FILE IN THE CONFIG FOLDER 7 | UNBOUND_STATIC_IP= # Add your unbound static ip here 8 | -------------------------------------------------------------------------------- /Uptime-kuma/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.7" 2 | 3 | services: 4 | uptime-kuma: 5 | image: louislam/uptime-kuma:latest 6 | container_name: uptime-kuma 7 | restart: always 8 | ports: 9 | - "3001:3001" 10 | networks: 11 | - non-expose 12 | volumes: 13 | - ${KUMA_CONFIG_VOLUME}:/app/data 14 | - /var/run/docker.sock:/var/run/docker.sock # Mount Docker socket for container monitors — note: access to this socket is root-equivalent on the host; drop the mount if Docker monitors are not used 15 | 16 | networks: 17 | non-expose: 18 | driver: bridge 19 | -------------------------------------------------------------------------------- /pihole/README.md: -------------------------------------------------------------------------------- 1 | Paste the Docker Compose File In the **Web editor** tab: 2 | - Enter a name for your stack in the **Name** field (e.g., `my-stack`). 3 | - Copy and paste your `docker-compose.yml` content into the editor below. 
4 | - Insert .env variables (see `.env.template` for more information) 5 | 6 | Explanatory videos on Pi-hole and Unbound 7 | - Pi Hole Unbound https://www.youtube.com/watch?v=FnFtWsZ8IP0&t=9s 8 | - Pi Hole Unbound DoT https://www.youtube.com/watch?v=8ENLZmzm5vc&t=1250s 9 | -------------------------------------------------------------------------------- /heimdall/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.7" 2 | 3 | services: 4 | heimdall: 5 | image: lscr.io/linuxserver/heimdall:latest 6 | container_name: heimdall 7 | environment: 8 | - PUID=1000 9 | - PGID=1000 10 | - TZ=Etc/UTC 11 | volumes: 12 | - ${HEIMDALL_CONFIG_VOLUME}:/config 13 | ports: 14 | - 880:80 15 | - 4443:443 16 | networks: 17 | - non-expose 18 | restart: unless-stopped 19 | 20 | networks: 21 | non-expose: 22 | driver: bridge 23 | -------------------------------------------------------------------------------- /Grass/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | grass: 3 | image: 217heidai/grass:latest 4 | container_name: grass 5 | restart: unless-stopped 6 | ports: 7 | - "5800:5800" 8 | volumes: 9 | - "(path-to-config-files-for-grass)/grass:/config" 10 | environment: 11 | - USER_ID= #user id 12 | - GROUP_ID= #group id 13 | networks: 14 | myMacvlan: 15 | ipv4_address: x.x.x.x # Static IP for the service (placeholder: replace with an address inside the macvlan subnet) 16 | 17 | networks: 18 | myMacvlan: 19 | external: true 20 | -------------------------------------------------------------------------------- /nexcloud/README.md: -------------------------------------------------------------------------------- 1 | Paste the Docker Compose File In the **Web editor** tab: 2 | - Enter a name for your stack in the **Name** field (e.g., `my-stack`). 3 | - Copy and paste your `docker-compose.yml` content into the editor below. 
4 | - Insert .env variables (see `.env.template` for more information) 5 | 6 | Documentation on how to resolve common errors and warnings, plus additional information 7 | - https://docs.nextcloud.com/server/30/admin_manual/configuration_server/security_setup_warnings.html 8 | - https://help.nextcloud.com/t/nextcloud-docker-container-best-way-to-run-cron-job/157734/2 9 | 10 | -------------------------------------------------------------------------------- /HomeAssistant/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.8" 2 | 3 | services: 4 | homeassistant: 5 | image: ghcr.io/home-assistant/home-assistant:stable 6 | container_name: home-assistant 7 | restart: unless-stopped 8 | volumes: 9 | - /path/to/your/config/folder:/config 10 | environment: 11 | - #add your environment variables here 12 | networks: 13 | myMacvlan: 14 | ipv4_address: #add your desired static IP address here 15 | privileged: true # runs with full host privileges; keep only if host device passthrough is actually needed 16 | 17 | #add your macvlan network configuration here if not already created 18 | networks: 19 | myMacvlan: 20 | external: true 21 | -------------------------------------------------------------------------------- /nexcloud/.env.template: -------------------------------------------------------------------------------- 1 | # MariaDB Configuration (the passwords below are secrets: keep the filled-in .env out of version control) 2 | DB_ROOT_PASSWORD= # Root password for MariaDB 3 | DB_PASSWORD= # Password for Nextcloud user 4 | DB_NAME= # Database name used by Nextcloud 5 | DB_USER= # Username for Nextcloud in MariaDB 6 | DB_DATA_VOLUME= # Host directory for MariaDB data 7 | DB_STATIC_IP= # Static IP for MariaDB container 8 | 9 | # Nextcloud Configuration 10 | NEXTCLOUD_PORT= # Host port mapped to Nextcloud container's port 80 11 | NEXTCLOUD_CONFIG_VOLUME= # Host directory for Nextcloud configuration files 12 | NEXTCLOUD_DATA_VOLUME= # Host directory for Nextcloud user data 13 | NEXTCLOUD_STATIC_IP= # Static IP for Nextcloud container 14 | 15 | 
-------------------------------------------------------------------------------- /tailscale/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | tailscale: 3 | image: tailscale/tailscale 4 | container_name: tailscale 5 | cap_add: 6 | - NET_ADMIN 7 | - SYS_MODULE 8 | privileged: true # Grants full host privileges; this makes the cap_add entries above redundant and is usually unnecessary alongside NET_ADMIN and the /dev/net/tun mount 9 | volumes: 10 | - ${TAILSCALE_CONFIG_VOLUME}:/var/lib/tailscale 11 | - /dev/net/tun:/dev/net/tun 12 | environment: 13 | - TS_AUTHKEY=${TS_AUTHKEY} # Auth key taken from .env (a secret; prefer a short-lived key) 14 | - TS_HOSTNAME=HomeServer 15 | - TS_ROUTES=192.168.1.0/24 # Advertise the macvlan subnet (this exposes the whole LAN subnet to the tailnet) 16 | - TS_EXTRA_ARGS=--accept-routes 17 | - TS_STATE_DIR=/var/lib/tailscale # Persistent state storage 18 | - TS_USERSPACE=true # Use userspace networking (default) 19 | - TS_ACCEPT_DNS=true # Optional, if you want Tailscale DNS 20 | networks: 21 | myMacvlan: 22 | ipv4_address:${TAILSCALE_STATIC_IP} # Static IP for Tailscale (note: YAML needs a space after `ipv4_address:` for this to be read as a key/value pair) 23 | 24 | networks: 25 | myMacvlan: # Define your macvlan network 26 | external: true 27 | -------------------------------------------------------------------------------- /Grass/README.md: -------------------------------------------------------------------------------- 1 | For those who are interested in crypto, here is a docker compose file for a grass node. 2 | The image I used is from https://github.com/217heidai/grass-desktop-node 3 | You just set up a config file location and set an IP and bam! You open a new tab at your-container-ip:5800 4 | You use your credentials for grass and you start farming! 5 | 6 | # important note! 7 | # this is not financial advice; this project is about exploring 8 | # how you can make your server do more fun and exciting things 9 | # Don't trust random people on the web; this is only for research purposes! 
10 | 11 | # For those who wannt to run a grass node the node has problems and once in a while is disconected the problem seems to be from grass itself 12 | # If you want to learn more thing about grass here is a link to their documentation https://grass-foundation.gitbook.io/grass-docs 13 | # If you are intrested in running a node for yourself and you wnat to support me and provide you with more exciting project 14 | # here is my referal link https://app.getgrass.io/register/?referralCode=w6vNjwQTGQgGJeD 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2024 Mateo Rubati 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Welcome to My Home Server Repo 2 | 3 | This repo documents the setup and management of my home server, focusing on simplicity, security, and efficiency. The server is designed to host essential services with easy remote access while maintaining a clean network architecture. 4 | 5 | ## Key Features 6 | - **Nextcloud**: Private cloud storage for files, calendars, and more. 7 | - **Macvlan Network**: Avoids port conflicts by assigning unique IPs to services. 8 | - **Tailscale**: Provides secure remote access to your home server services. 9 | - **Pihole**: Your own DNS resolver with network-wide ad blocking 10 | - **Unbound**: DNS resolver that works along with Pi-hole for recursive DoT 11 | - **Uptime-Kuma**: Monitor your services through the Uptime-Kuma dashboard and get real-time notifications 12 | - **Heimdall**: Your own dashboard to view your self-hosted services directly 13 | - **Grass Node**: Run your own grass node and start earning money **not financial advice!** 14 | - **HomeAssistant**: Run your own Home Assistant and manage your smart home appliances 15 | 16 | ## Contribute and Improve 17 | This server is a work in progress, with plans to add more services in the future. Your feedback and ideas are welcome! If you have suggestions for new services, tips for improving reliability, or ways to optimize the setup, feel free to share. Contributions via pull requests (PRs) are also encouraged. Let’s collaborate to make this server even better! 18 | 19 | Contact me anytime to share your thoughts or suggestions. 
20 | -------------------------------------------------------------------------------- /pihole/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | # Pi-hole service 5 | pihole: 6 | image: pihole/pihole:latest 7 | container_name: pihole 8 | environment: 9 | - TZ= ${TZ} # Change to your timezone 10 | - WEBPASSWORD= # Set your Pi-hole web password — as written the value is empty, which leaves the admin UI without a password; the .env template defines WEBPASSWORD, so `${WEBPASSWORD}` is probably what was intended 11 | - PIHOLE_DOCKER_TAG=v5.0 12 | ports: 13 | - "53:53/tcp" 14 | - "53:53/udp" 15 | - "80:80" # Web interface port 16 | - "443:443" # Web interface SSL port 17 | volumes: 18 | - ${PIHOLE_CONFIG_VOLUME}:/etc/pihole # Pi-hole configurations 19 | - ${PIHOLE_CONFIG_VOLUME_DNSMASQ}:/etc/dnsmasq.d # Pi-hole DNS settings 20 | networks: 21 | myMacvlan: 22 | ipv4_address: ${PIHOLE_STATIC_IP} # Set Pi-hole static IP (adjust as needed) 23 | restart: unless-stopped 24 | 25 | # Unbound service 26 | unbound: 27 | image: mvance/unbound:latest 28 | container_name: unbound 29 | environment: 30 | - TZ=${TZ} # Change to your timezone 31 | volumes: 32 | - ${UNBOUND_CONFIG_VOLUME}:/opt/unbound/etc/unbound # Unbound configuration folder (the bundled unbound.conf listens on 0.0.0.0@5335, not 53; check that Pi-hole's upstream entry uses that port on UNBOUND_STATIC_IP) 33 | ports: 34 | - "5053:53/tcp" 35 | - "5053:53/udp" 36 | healthcheck: 37 | test: ["NONE"] 38 | networks: 39 | myMacvlan: 40 | ipv4_address: ${UNBOUND_STATIC_IP} # Set Unbound static IP (adjust as needed) 41 | restart: unless-stopped 42 | 43 | 44 | networks: 45 | # Use the existing external macvlan network 46 | myMacvlan: 47 | external: true 48 | -------------------------------------------------------------------------------- /nexcloud/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.8" 2 | 3 | services: 4 | # MariaDB Database Container for Nextcloud (note: no restart policy is set here, unlike the nextcloud service) 5 | mariadb: 6 | image: mariadb:11.4 7 | container_name: nextcloud-db 8 | command: > 9 | --transaction-isolation=READ-COMMITTED 10 | --binlog-format=ROW 11 | --innodb-file-per-table=1 12 | 
--skip-innodb-read-only-compressed 13 | volumes: 14 | # MariaDB data directory - stores database files 15 | - ${DB_DATA_VOLUME}:/var/lib/mysql 16 | environment: 17 | # Environment variables for MariaDB configuration 18 | - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD} 19 | - MYSQL_PASSWORD=${DB_PASSWORD} 20 | - MYSQL_DATABASE=${DB_NAME} 21 | - MYSQL_USER=${DB_USER} 22 | networks: 23 | myMacvlan: 24 | # Static IP address for the MariaDB container 25 | ipv4_address: ${DB_STATIC_IP} 26 | 27 | # Nextcloud Application Container 28 | nextcloud: 29 | image: nextcloud:latest 30 | container_name: nextcloud 31 | ports: 32 | # Map external port to Nextcloud's internal port 80 33 | - ${NEXTCLOUD_PORT}:80 34 | volumes: 35 | # Configuration directory for Nextcloud - stores config.php and other settings 36 | - ${NEXTCLOUD_CONFIG_VOLUME}:/config 37 | # Data directory for Nextcloud - stores uploaded files and user data 38 | - ${NEXTCLOUD_DATA_VOLUME}:/var/www/html 39 | environment: 40 | # Environment variables for database connection 41 | - MYSQL_PASSWORD=${DB_PASSWORD} 42 | - MYSQL_DATABASE=${DB_NAME} 43 | - MYSQL_USER=${DB_USER} 44 | - MYSQL_HOST=${DB_STATIC_IP} # Database host IP address 45 | restart: unless-stopped 46 | networks: 47 | myMacvlan: 48 | # Static IP address for the Nextcloud container 49 | ipv4_address: ${NEXTCLOUD_STATIC_IP} 50 | 51 | networks: 52 | # External macvlan network to avoid port conflicts and assign static IPs 53 | myMacvlan: 54 | external: true 55 | -------------------------------------------------------------------------------- /pihole/config files/unbound.conf: -------------------------------------------------------------------------------- 1 | server: 2 | ########################################################################### 3 | # BASIC SETTINGS 4 | ########################################################################### 5 | # Time to live maximum for RRsets and messages in the cache. 
If the maximum 6 | # kicks in, responses to clients still get decrementing TTLs based on the 7 | # original (larger) values. When the internal TTL expires, the cache item 8 | # has expired. Can be set lower to force the resolver to query for data 9 | # often, and not trust (very large) TTL values. 10 | cache-max-ttl: 86400 11 | logfile: "/var/log/unbound/unbound.log" 12 | # Time to live minimum for RRsets and messages in the cache. If the minimum 13 | # kicks in, the data is cached for longer than the domain owner intended, 14 | # and thus less queries are made to look up the data. Zero makes sure the 15 | # data in the cache is as the domain owner intended, higher values, 16 | # especially more than an hour or so, can lead to trouble as the data in 17 | # the cache does not match up with the actual data any more. 18 | cache-min-ttl: 300 19 | 20 | # Set the working directory for the program. 21 | directory: "/opt/unbound/etc/unbound" 22 | 23 | # Enable or disable whether IPv4 queries are answered or issued. 24 | # Default: yes 25 | do-ip4: yes 26 | 27 | # Enable or disable whether IPv6 queries are answered or issued. 28 | # If disabled, queries are not answered on IPv6, and queries are not sent 29 | # on IPv6 to the internet nameservers. With this option you can disable the 30 | # IPv6 transport for sending DNS traffic, it does not impact the contents 31 | # of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in 32 | # it. 33 | # Default: yes 34 | # May be set to yes if you have IPv6 connectivity 35 | do-ip6: yes 36 | 37 | # Enable or disable whether TCP queries are answered or issued. 38 | # Default: yes 39 | do-tcp: yes 40 | 41 | # Enable or disable whether UDP queries are answered or issued. 42 | # Default: yes 43 | do-udp: yes 44 | 45 | # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer 46 | # size. This is the value put into datagrams over UDP towards peers. 
47 | # The actual buffer size is determined by msg-buffer-size (both for TCP and 48 | # UDP). Do not set higher than that value. 49 | # Default is 1232 which is the DNS Flag Day 2020 recommendation. 50 | # Setting to 512 bypasses even the most stringent path MTU problems, but 51 | # is seen as extreme, since the amount of TCP fallback generated is 52 | # excessive (probably also for this resolver, consider tuning the outgoing 53 | # tcp number). 54 | edns-buffer-size: 1232 55 | 56 | # Listen to for queries from clients and answer from this network interface 57 | # and port. 58 | interface: 0.0.0.0@5335 59 | # interface: ::0 60 | port: 53 61 | 62 | # If enabled, prefer IPv6 transport for sending DNS queries to internet 63 | # nameservers. 64 | # Default: yes 65 | # You want to leave this to no unless you have *native* IPv6. With 6to4 and 66 | # Terredo tunnels your web browser should favor IPv4 for the same reasons 67 | prefer-ip6: no 68 | 69 | # Rotates RRSet order in response (the pseudo-random number is taken from 70 | # the query ID, for speed and thread safety). 71 | rrset-roundrobin: yes 72 | 73 | # Drop user privileges after binding the port. 74 | username: "_unbound" 75 | 76 | ########################################################################### 77 | # LOGGING 78 | ########################################################################### 79 | 80 | # Do not print log lines to inform about local zone actions 81 | log-local-actions: no 82 | 83 | # Do not print one line per query to the log 84 | log-queries: no 85 | 86 | # Do not print one line per reply to the log 87 | log-replies: no 88 | 89 | # Do not print log lines that say why queries return SERVFAIL to clients 90 | log-servfail: no 91 | 92 | # If you want to log to a file, use: 93 | # logfile: /opt/unbound/etc/unbound/unbound.log 94 | # Set log location (using /dev/null further limits logging) 95 | logfile: /dev/null 96 | 97 | # Set logging level 98 | # Level 0: No verbosity, only errors. 
99 | # Level 1: Gives operational information. 100 | # Level 2: Gives detailed operational information including short information per query. 101 | # Level 3: Gives query level information, output per query. 102 | # Level 4: Gives algorithm level information. 103 | # Level 5: Logs client identification for cache misses. 104 | verbosity: 0 105 | 106 | ########################################################################### 107 | # PERFORMANCE SETTINGS 108 | ########################################################################### 109 | # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ 110 | # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ 111 | 112 | # Number of slabs in the infrastructure cache. Slabs reduce lock contention 113 | # by threads. Must be set to a power of 2. 114 | infra-cache-slabs: 4 115 | 116 | # Number of incoming TCP buffers to allocate per thread. Default 117 | # is 10. If set to 0, or if do-tcp is "no", no TCP queries from 118 | # clients are accepted. For larger installations increasing this 119 | # value is a good idea. 120 | incoming-num-tcp: 10 121 | 122 | # Number of slabs in the key cache. Slabs reduce lock contention by 123 | # threads. Must be set to a power of 2. Setting (close) to the number 124 | # of cpus is a reasonable guess. 125 | key-cache-slabs: 4 126 | 127 | # Number of bytes size of the message cache. 128 | # Unbound recommendation is to Use roughly twice as much rrset cache memory 129 | # as you use msg cache memory. 130 | msg-cache-size: 142768128 131 | 132 | # Number of slabs in the message cache. Slabs reduce lock contention by 133 | # threads. Must be set to a power of 2. Setting (close) to the number of 134 | # cpus is a reasonable guess. 135 | msg-cache-slabs: 4 136 | 137 | # The number of queries that every thread will service simultaneously. If 138 | # more queries arrive that need servicing, and no queries can be jostled 139 | # out (see jostle-timeout), then the queries are dropped. 
140 | # This is best set at half the number of the outgoing-range. 141 | # This Unbound instance was compiled with libevent so it can efficiently 142 | # use more than 1024 file descriptors. 143 | num-queries-per-thread: 4096 144 | 145 | # The number of threads to create to serve clients. 146 | # This is set dynamically at run time to effectively use available CPUs 147 | # resources 148 | num-threads: 3 149 | 150 | # Number of ports to open. This number of file descriptors can be opened 151 | # per thread. 152 | # This Unbound instance was compiled with libevent so it can efficiently 153 | # use more than 1024 file descriptors. 154 | outgoing-range: 8192 155 | 156 | # Number of bytes size of the RRset cache. 157 | # Use roughly twice as much rrset cache memory as msg cache memory 158 | rrset-cache-size: 285536256 159 | 160 | # Number of slabs in the RRset cache. Slabs reduce lock contention by 161 | # threads. Must be set to a power of 2. 162 | rrset-cache-slabs: 4 163 | 164 | # Do no insert authority/additional sections into response messages when 165 | # those sections are not required. This reduces response size 166 | # significantly, and may avoid TCP fallback for some responses. This may 167 | # cause a slight speedup. 168 | minimal-responses: yes 169 | 170 | # # Fetch the DNSKEYs earlier in the validation process, when a DS record 171 | # is encountered. This lowers the latency of requests at the expense of 172 | # little more CPU usage. 173 | prefetch: yes 174 | 175 | # Fetch the DNSKEYs earlier in the validation process, when a DS record is 176 | # encountered. This lowers the latency of requests at the expense of little 177 | # more CPU usage. 178 | prefetch-key: yes 179 | 180 | # Have unbound attempt to serve old responses from cache with a TTL of 0 in 181 | # the response without waiting for the actual resolution to finish. The 182 | # actual resolution answer ends up in the cache later on. 
183 | serve-expired: yes 184 | 185 | # If not 0, then set the SO_RCVBUF socket option to get more buffer space on 186 | # UDP port 53 incoming queries. So that short spikes on busy servers do not 187 | # drop packets (see counter in netstat -su). Otherwise, the number of bytes 188 | # to ask for, try "4m" on a busy server. 189 | # The OS caps it at a maximum, on linux Unbound needs root permission to 190 | # bypass the limit, or the admin can use sysctl net.core.rmem_max. 191 | # Default: 0 (use system value) 192 | # For example: sysctl -w net.core.rmem_max=4194304 193 | # To persist reboots, edit /etc/sysctl.conf to include: 194 | # net.core.rmem_max=4194304 195 | # Larger socket buffer. OS may need config. 196 | # Ensure kernel buffer is large enough to not lose messages in traffic spikes 197 | #so-rcvbuf: 4m 198 | 199 | # Open dedicated listening sockets for incoming queries for each thread and 200 | # try to set the SO_REUSEPORT socket option on each socket. May distribute 201 | # incoming queries to threads more evenly. 202 | so-reuseport: yes 203 | 204 | # If not 0, then set the SO_SNDBUF socket option to get more buffer space 205 | # on UDP port 53 outgoing queries. 206 | # Specify the number of bytes to ask for, try "4m" on a very busy server. 207 | # The OS caps it at a maximum, on linux Unbound needs root permission to 208 | # bypass the limit, or the admin can use sysctl net.core.wmem_max. 209 | # For example: sysctl -w net.core.wmem_max=4194304 210 | # To persist reboots, edit /etc/sysctl.conf to include: 211 | # net.core.wmem_max=4194304 212 | # Default: 0 (use system value) 213 | # Larger socket buffer. OS may need config. 214 | # Ensure kernel buffer is large enough to not lose messages in traffic spikes 215 | #so-sndbuf: 4m 216 | 217 | ########################################################################### 218 | # PRIVACY SETTINGS 219 | ########################################################################### 220 | 221 | # RFC 8198. 
Use the DNSSEC NSEC chain to synthesize NXDOMAIN and other 222 | # denials, using information from previous NXDOMAIN answers. In other 223 | # words, use cached NSEC records to generate negative answers within a 224 | # range and positive answers from wildcards. This increases performance, 225 | # decreases latency and resource utilization on both authoritative and 226 | # recursive servers, and increases privacy. Also, it may help increase 227 | # resilience to certain DoS attacks in some circumstances. 228 | aggressive-nsec: yes 229 | 230 | # Extra delay for timeouted UDP ports before they are closed, in msec. 231 | # This prevents very delayed answer packets from the upstream (recursive) 232 | # servers from bouncing against closed ports and setting off all sort of 233 | # close-port counters, with eg. 1500 msec. When timeouts happen you need 234 | # extra sockets, it checks the ID and remote IP of packets, and unwanted 235 | # packets are added to the unwanted packet counter. 236 | delay-close: 10000 237 | 238 | # Prevent the unbound server from forking into the background as a daemon 239 | do-daemonize: no 240 | 241 | # Add localhost to the do-not-query-address list. 242 | do-not-query-localhost: no 243 | 244 | # Number of bytes size of the aggressive negative cache. 245 | neg-cache-size: 4M 246 | 247 | # Send minimum amount of information to upstream servers to enhance 248 | # privacy (best privacy). 
249 | qname-minimisation: yes 250 | 251 | ########################################################################### 252 | # SECURITY SETTINGS 253 | ########################################################################### 254 | # Only give access to recursion clients from LAN IPs 255 | access-control: 127.0.0.1/32 allow 256 | access-control: 192.168.0.0/16 allow 257 | access-control: 172.16.0.0/12 allow 258 | access-control: 10.0.0.0/8 allow 259 | access-control: fc00::/7 allow 260 | access-control: ::1/128 allow 261 | 262 | # File with trust anchor for one zone, which is tracked with RFC5011 263 | # probes. 264 | auto-trust-anchor-file: "var/root.key" 265 | 266 | # Enable chroot (i.e, change apparent root directory for the current 267 | # running process and its children) 268 | chroot: "/opt/unbound/etc/unbound" 269 | 270 | # Deny queries of type ANY with an empty response. 271 | deny-any: yes 272 | 273 | # Harden against algorithm downgrade when multiple algorithms are 274 | # advertised in the DS record. 275 | harden-algo-downgrade: yes 276 | 277 | # RFC 8020. returns nxdomain to queries for a name below another name that 278 | # is already known to be nxdomain. 279 | harden-below-nxdomain: yes 280 | 281 | # Require DNSSEC data for trust-anchored zones, if such data is absent, the 282 | # zone becomes bogus. If turned off you run the risk of a downgrade attack 283 | # that disables security for a zone. 284 | harden-dnssec-stripped: yes 285 | 286 | # Only trust glue if it is within the servers authority. 287 | harden-glue: yes 288 | 289 | # Ignore very large queries. 290 | harden-large-queries: yes 291 | 292 | # Perform additional queries for infrastructure data to harden the referral 293 | # path. Validates the replies if trust anchors are configured and the zones 294 | # are signed. This enforces DNSSEC validation on nameserver NS sets and the 295 | # nameserver addresses that are encountered on the referral path to the 296 | # answer. Experimental option. 
297 | harden-referral-path: no 298 | 299 | # Ignore very small EDNS buffer sizes from queries. 300 | harden-short-bufsize: yes 301 | 302 | # If enabled the HTTP header User-Agent is not set. Use with caution 303 | # as some webserver configurations may reject HTTP requests lacking 304 | # this header. If needed, it is better to explicitly set the 305 | # the http-user-agent. 306 | hide-http-user-agent: no 307 | 308 | # Refuse id.server and hostname.bind queries 309 | hide-identity: yes 310 | 311 | # Refuse version.server and version.bind queries 312 | hide-version: yes 313 | 314 | # Set the HTTP User-Agent header for outgoing HTTP requests. If 315 | # set to "", the default, then the package name and version are 316 | # used. 317 | http-user-agent: "DNS" 318 | 319 | # Report this identity rather than the hostname of the server. 320 | identity: "DNS" 321 | 322 | # These private network addresses are not allowed to be returned for public 323 | # internet names. Any occurrence of such addresses are removed from DNS 324 | # answers. Additionally, the DNSSEC validator may mark the answers bogus. 325 | # This protects against DNS Rebinding 326 | private-address: 10.0.0.0/8 327 | private-address: 172.16.0.0/12 328 | private-address: 192.168.0.0/16 329 | private-address: 169.254.0.0/16 330 | private-address: fd00::/8 331 | private-address: fe80::/10 332 | private-address: ::ffff:0:0/96 333 | 334 | # Enable ratelimiting of queries (per second) sent to nameserver for 335 | # performing recursion. More queries are turned away with an error 336 | # (servfail). This stops recursive floods (e.g., random query names), but 337 | # not spoofed reflection floods. Cached responses are not rate limited by 338 | # this setting. Experimental option. 339 | ratelimit: 1000 340 | 341 | # Use this certificate bundle for authenticating connections made to 342 | # outside peers (e.g., auth-zone urls, DNS over TLS connections). 
343 | tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt 344 | 345 | # Set the total number of unwanted replies to keep track of in every thread. 346 | # When it reaches the threshold, a defensive action of clearing the rrset 347 | # and message caches is taken, hopefully flushing away any poison. 348 | # Unbound suggests a value of 10 million. 349 | unwanted-reply-threshold: 10000 350 | 351 | # Use 0x20-encoded random bits in the query to foil spoof attempts. This 352 | # perturbs the lowercase and uppercase of query names sent to authority 353 | # servers and checks if the reply still has the correct casing. 354 | # This feature is an experimental implementation of draft dns-0x20. 355 | # Experimental option. 356 | # Don't use capitalization randomization as it is known to cause DNSSEC issues 357 | # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 (note: despite this advice, the line below leaves it enabled; pick one) 358 | use-caps-for-id: yes 359 | 360 | # Help protect users that rely on this validator for authentication from 361 | # potentially bad data in the additional section. Instruct the validator to 362 | # remove data from the additional section of secure messages that are not 363 | # signed properly. Messages that are insecure, bogus, indeterminate or 364 | # unchecked are not affected. 
365 | val-clean-additional: yes 366 | 367 | ########################################################################### 368 | # FORWARD ZONE 369 | ########################################################################### 370 | 371 | #include: /opt/unbound/etc/unbound/forward-records.conf 372 | 373 | ########################################################################### 374 | # LOCAL ZONE 375 | ########################################################################### 376 | 377 | # Include file for local-data and local-data-ptr 378 | #include: /opt/unbound/etc/unbound/a-records.conf 379 | #include: /opt/unbound/etc/unbound/srv-records.conf 380 | 381 | ########################################################################### 382 | # WILDCARD INCLUDE 383 | ########################################################################### 384 | #include: "/opt/unbound/etc/unbound/*.conf" 385 | 386 | remote-control: 387 | control-enable: no 388 | 389 | forward-zone: 390 | name: "." 391 | forward-tls-upstream: yes 392 | forward-addr: 1.1.1.1@853 # Cloudflare DoT — no auth name is given, so the upstream TLS certificate is not checked against a hostname; write it as 1.1.1.1@853#cloudflare-dns.com to have it verified via tls-cert-bundle 393 | forward-addr: 1.0.0.1@853 # Cloudflare secondary server (same remark: add #cloudflare-dns.com after the port) --------------------------------------------------------------------------------