A read only mirror of the original lollipop cloud sources. This repo was mirrored from the original home on GitLab (https://gitlab.com/kemonine/lolipop_lan_cloud/)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

5.3 KiB

Pi Hole

Ad blocking at the DNS level. Save yourself that precious transfer while on the go.

This was chosen as it’s designed to run on a Raspberry Pi and... this project is all about that kind of hardware.

NOTE: You may want to use a filesystem on a USB disk instead of /var for the volumes setup in the below Docker command(s) to help reduce writes to the micro sd card

Inspiration / Further Reading

Update Unbound

Setup unbound to listen on the Docker LAN so it can be the upstream of Pi Hole

Add a 2nd interface line to /etc/unbound/unbound.conf


Restart unbound with systemctl restart unbound

Setup Unbound to start after Docker

See here (link) for more details.

This is mainly here to ensure that unbound starts after the Docker network comes up as it’s configured to listen on the Docker network. It’ll fail to load/restart if the bind address isn’t present when it is started.

mkdir -p /etc/systemd/system/unbound.service.d
cat > /etc/systemd/system/unbound.service.d/10-after-docker.conf <<EOF
systemctl daemon-reload

Setup Initial Run & Update Script

A simple update script that will pull the latest Pi Hole Docker image, configure it for auto-run, etc. Note the settings under the docker run command. You need/want to tweak them lightly.

Full docs on run time parms can be found in the Pi Hole docs (link).

mkdir /var/pihole /var/pihole/data /var/pihole/dnsmasq.d
cat > /root/docker/pi-hole.sh <<EOF


# Cleanup arch/container image here
if [ \$ARCH == "aarch64" ]
    echo "64bit arm"
    echo "32bit arm"

echo "Updating"

docker pull \$UPSTREAM

# Cleanup existing container
docker stop pi-hole
docker rm pi-hole

# Re-run/create container with latest image
docker run \\
    --name pi-hole \\
    --restart unless-stopped \\
    --memory=128m \\
    --net docker-private \\
    --ip \\
    -e ServerIP= \\
    -e DNS1= \\
    -e TZ=UTC \\
    -e WEBPASSWORD=[adecentpassword] \\
    -e DEBUG=1 \\
    -v /var/pihole/data:/etc/pihole \\
    -v /var/pihole/dnsmasq.d:/etc/dnsmasq.d \\


chmod a+x /root/docker/pi-hole.sh

Run Pi Hole

Simply execute /root/docker/pi-hole.sh to update/run Pi Hole.

Update LAN(s) to Use Pi Hole

Note: Do NOT update the WAN connections to use Pi Hole. The only ‘thing’ using the WAN dns (unbound) should be the main board which should not be affected by ads. This also simplifies troubleshooting and failure modes (the board won’t need working Docker/Pi Hole to fix problems with Docker/Pi Hole).

# Ensure *ALL* shared connections use pi hole (creative trick with NetworkManager)
cat > /etc/NetworkManager/dnsmasq-shared.d/pi-hole.conf <<EOF

# Bounce LAN's to pickup changes
nmcli con down mgmt && nmcli con up mgmt
nmcli con down wifi-ap-50 && nmcli con up wifi-ap-50
nmcli con down wifi-ap-24 && nmcli con up wifi-ap-24

Update Unbound

cat > /etc/unbound/local_zone/pi-hole.conf <<EOF
local-data: "pi-hole A"
local-data-ptr: " pi-hole"
local-data: "pi-hole.domain.tld A"
local-data-ptr: " pi-hole.domain.tld"

local-data-ptr: " pi-hole-gui"
local-data-ptr: " pi-hole-gui.domain.tld"
local-data: "pi-hole-gui A"
local-data: "pi-hole-gui.domain.tld A"

Serving Via Caddy

cat > /etc/caddy/services/pi-hole.conf <<EOF
# Pi Hole proxy
#    This is only so good
#    Pi Hole assumes everything is http. Bump it over to http instead of https, because Pi Hole is stupid at life
pi-hole-gui:80, pi-hole-gui:443, pi-hole-gui.domain.tld:80 pi-hole-gui.domain.tld:443 {
    redir 301 {
        if {scheme} is https
        /  http://pi-hole-gui.domain.tld{uri}

    log /var/log/caddy/pi-hole.log
    proxy / {

    # Use acme.sh Let's Encrypt SSL cert setup
    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key

Admin Interface

Once the container is online you can get to the Pi Hole admin interface at http://pi-hole.domain.tld/admin.

First Run Config

Upon first run Pi Hole will be using a Google DNS server as a secondary to the locally hosted Unbound instance. You’ll likely want to disable this functionality.