20220118 networking - master branch - PR 1 of 2

This PR follows on from [Issue 422](#422 (comment)) and the networking scheme proposed therein to support remote WireGuard clients obtaining DNS from ad-blockers (eg PiHole) running in another container on the same RPi as the WireGuard server.

This PR implements:

1. Two internal networks:

	* "default" (`iotstack_default` at runtime).
	* "nextcloud" (`iotstack_nextcloud` at runtime).

2. Docker allocates all IP addressing, dynamically, from 172.16/12 (reverting from 10/8 subnets).
3. NextCloud *explicitly* joins both internal networks.
4. NextCloud_DB *explicitly* joins "nextcloud".
5. All other containers *implicitly* join "default".
6. No networking differences between old and new menus (full harmonisation).
7. Resolves all remaining new-menu inconsistencies first raised in [Issue 245](#245).

Adds `use-container-dns.sh` to WireGuard service template folder to support WireGuard forwarding DNS requests to ad-blockers running on the same RPi. This is based on work done by @ukkopahis. This change is related to the networking changes which deviate from the scheme proposed in Issue 422.

Documentation:

1. Adds "significant change to networking" to main README.md.
2. Updates WireGuard to explain how to forward DNS requests to ad-blockers running on the same RPi.

Signed-off-by: Phill Kelley <[email protected]>

.templates/adguardhome/service.yml

@@ -30,6 +30,4 @@ adguardhome:
   volumes:
      - ./volumes/adguardhome/workdir:/opt/adguardhome/work
      - ./volumes/adguardhome/confdir:/opt/adguardhome/conf
-  networks:
-    - iotstack_nw
-    - vpn_nw
+

.templates/adminer/service.yml

@@ -4,5 +4,4 @@ adminer:
   restart: unless-stopped
   ports:
     - "9080:8080"
-  networks:
-    - iotstack_nw
+

.templates/blynk_server/service.yml

@@ -16,5 +16,4 @@ blynk_server:
   volumes:
     - ./volumes/blynk_server/data:/data
     - ./volumes/blynk_server/config:/config
-  networks:
-    - iotstack_nw
+

.templates/chronograf/service.yml

@@ -17,5 +17,4 @@ chronograf:
   depends_on:
     - influxdb
   # - kapacitor
-  networks:
-    - iotstack_nw
+

.templates/dashmachine/service.yml

@@ -6,3 +6,4 @@ dashmachine:
   ports:
     - 5000:5000
   restart: unless-stopped
+

.templates/deconz/service.yml

@@ -18,6 +18,5 @@ deconz:
     - DEBUG_ZCL=0
     - DEBUG_ZDP=0
     - DEBUG_OTAU=0
-  networks:
-    - iotstack_nw
+
 

.templates/diyhue/service.yml

@@ -12,5 +12,4 @@ diyhue:
   volumes:
       - ./volumes/diyhue:/opt/hue-emulator/export
   restart: unless-stopped
-  networks:
-    - iotstack_nw
+

.templates/domoticz/service.yml

@@ -14,3 +14,4 @@ domoticz:
     - PGID=1000
     # - TZ=
     # - WEBROOT=domoticz
+

.templates/dozzle/service.yml

@@ -7,3 +7,4 @@ dozzle:
   # - "8888:8080"
   volumes:
     - /var/run/docker.sock:/var/run/docker.sock
+

.templates/env.yml

@@ -1,42 +1,13 @@
 networks:
-  iotstack_nw: # Exposed by your host.
-    # external: true
-    name: IOTstack_Net
+
+  default:
     driver: bridge
     ipam:
       driver: default
-      config:
-        - subnet: 10.77.60.0/24
-        # - gateway: 10.77.60.1
 
-  iotstack_nw_internal: # For interservice communication. No access to outside
-    name: IOTstack_Net_Internal
+  nextcloud:
     driver: bridge
     internal: true
     ipam:
       driver: default
-      config:
-        - subnet: 10.77.76.0/24
-        # - gateway: 10.77.76.1
-
-  vpn_nw: # Network specifically for VPN
-    name: IOTstack_VPN
-    driver: bridge
-    ipam:
-      driver: default
-      config:
-        - subnet: 10.77.88.0/24
-        # - gateway: 192.18.200.1
-
-  nextcloud_internal: # Network for NextCloud service
-    name: IOTstack_NextCloud
-    driver: bridge
-    internal: true
-
-  # default:
-  #   external: true
-  #   name: iotstack_nw
 
-  # hosts_nw:
-  #   driver: hosts
-

.templates/espruinohub/service.yml

@@ -4,3 +4,4 @@ espruinohub:
   network_mode: host
   privileged: true
   restart: unless-stopped
+

.templates/example_template/example_service.yml

@@ -9,3 +9,4 @@ containerNameGoesHere:
       - ./services/example_template.env
     volumes:
        - ./volumes/example_template/:/opt/example_template/
+

.templates/gitea/service.yml

@@ -11,5 +11,4 @@ gitea:
   volumes:
     - ./volumes/gitea/data:/data
     - /etc/timezone:/etc/timezone:ro
-  networks:
-    - iotstack_nw
+

.templates/grafana/service.yml

@@ -6,11 +6,10 @@ grafana:
   ports:
     - "3000:3000"
   environment:
+    - TZ=Etc/UTC
     - GF_PATHS_DATA=/var/lib/grafana
     - GF_PATHS_LOGS=/var/log/grafana
   volumes:
     - ./volumes/grafana/data:/var/lib/grafana
     - ./volumes/grafana/log:/var/log/grafana
-  networks:
-    - iotstack_nw
 

.templates/heimdall/service.yml

@@ -11,3 +11,4 @@ heimdall:
     - 8880:80
     - 8883:443
   restart: unless-stopped
+

.templates/home_assistant/service.yml

@@ -8,3 +8,4 @@ home_assistant:
   volumes:
     - /etc/localtime:/etc/localtime:ro
     - ./volumes/home_assistant:/config
+

.templates/homebridge/service.yml

@@ -13,3 +13,4 @@ homebridge:
   #ports:
   #  - "4040:4040"
   network_mode: host
+

.templates/homer/service.yml

@@ -9,3 +9,4 @@ homer:
   ports:
     - "8881:8080"
   restart: unless-stopped
+

.templates/influxdb/service.yml

@@ -5,17 +5,17 @@ influxdb:
   ports:
     - "8086:8086"
   environment:
+    - TZ=Etc/UTC
     - INFLUXDB_HTTP_FLUX_ENABLED=false
     - INFLUXDB_REPORTING_DISABLED=false
     - INFLUXDB_HTTP_AUTH_ENABLED=false
-    - INFLUX_USERNAME=dba
-    - INFLUX_PASSWORD=supremo
-    - INFLUXDB_UDP_ENABLED=false
-    - INFLUXDB_UDP_BIND_ADDRESS=0.0.0.0:8086
-    - INFLUXDB_UDP_DATABASE=udp
+    - INFLUXDB_MONITOR_STORE_ENABLED=FALSE
+  # - INFLUX_USERNAME=dba
+  # - INFLUX_PASSWORD=supremo
+  # - INFLUXDB_UDP_ENABLED=false
+  # - INFLUXDB_UDP_BIND_ADDRESS=0.0.0.0:8086
+  # - INFLUXDB_UDP_DATABASE=udp
   volumes:
     - ./volumes/influxdb/data:/var/lib/influxdb
     - ./backups/influxdb/db:/var/lib/influxdb/backup
-  networks:
-    - iotstack_nw
 

.templates/kapacitor/service.yml

@@ -17,5 +17,4 @@ kapacitor:
     - ./volumes/kapacitor:/var/lib/kapacitor
   depends_on:
     - influxdb
-  networks:
-    - iotstack_nw
+

.templates/mariadb/service.yml

@@ -15,5 +15,4 @@ mariadb:
   ports:
     - "3306:3306"
   restart: unless-stopped
-  networks:
-    - iotstack_nw
+

.templates/mosquitto/service.yml

@@ -11,5 +11,4 @@ mosquitto:
     - ./volumes/mosquitto/data:/mosquitto/data
     - ./volumes/mosquitto/log:/mosquitto/log
     - ./volumes/mosquitto/pwfile:/mosquitto/pwfile
-  networks:
-    - iotstack_nw
+

.templates/motioneye/service.yml

@@ -9,6 +9,4 @@ motioneye:
     - /etc/localtime:/etc/localtime:ro
     - ./volumes/motioneye/etc_motioneye:/etc/motioneye
     - ./volumes/motioneye/var_lib_motioneye:/var/lib/motioneye
-  networks:
-    - iotstack_nw
 

.templates/n8n/service.yml

@@ -7,8 +7,6 @@ n8n:
     stdin_open: true
     volumes:
         - ./volumes/n8n:/home/node/.n8n
-    networks:
-        - iotstack_nw
 # Optional DB and Timezone configs.
 #        environment:
 #           - DB_TYPE=mysqldb
@@ -28,3 +26,4 @@ n8n:
 #            - PUID=1000
 #            - USBDEVICES=/dev/ttyAMA0
 #            - PACKAGES=mc
+

.templates/nextcloud/service.yml

@@ -14,8 +14,8 @@ nextcloud:
   depends_on:
     - nextcloud_db
   networks:
-    - iotstack_nw
-    - nextcloud_internal
+    - default
+    - nextcloud
 
 nextcloud_db:
   container_name: nextcloud_db
@@ -35,4 +35,5 @@ nextcloud_db:
     - ./volumes/nextcloud/db:/config
     - ./volumes/nextcloud/db_backup:/backup
   networks:
-    - nextcloud_internal
+    - nextcloud
+

.templates/nodered/service.yml

@@ -16,5 +16,4 @@ nodered:
     - "/dev/ttyAMA0:/dev/ttyAMA0"
     - "/dev/vcio:/dev/vcio"
     - "/dev/gpiomem:/dev/gpiomem"
-  networks:
-    - iotstack_nw
+

.templates/octoprint/service.yml

@@ -14,6 +14,4 @@ octoprint:
   # - /dev/video0:/dev/video0
   volumes:
     - ./volumes/octoprint:/octoprint
-  networks:
-    - iotstack_nw
 

.templates/openhab/service.yml

@@ -17,3 +17,4 @@ openhab:
 #   options:
 #     max-size: "5m"
 #     max-file: "3"
+

.templates/pihole/service.yml

@@ -7,20 +7,16 @@ pihole:
     - "53:53/udp"
     - "67:67/udp"
   environment:
+    - TZ=Etc/UTC
     - WEBPASSWORD=%randomAdminPassword%
     - INTERFACE=eth0
   volumes:
-      - ./volumes/pihole/etc-pihole:/etc/pihole
-      - ./volumes/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
+    - ./volumes/pihole/etc-pihole:/etc/pihole
+    - ./volumes/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
   dns:
     - 127.0.0.1
     - 1.1.1.1
   cap_add:
     - NET_ADMIN
   restart: unless-stopped
-  networks:
-    - iotstack_nw
-    - vpn_nw
 
-# Recommended but not required (DHCP needs NET_ADMIN)
-#   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities

.templates/plex/service.yml

@@ -10,3 +10,4 @@ plex:
     - ./volumes/plex/config:/config
     - ./volumes/plex/transcode:/transcode
   restart: unless-stopped
+

.templates/portainer-ce/service.yml

@@ -8,3 +8,4 @@ portainer-ce:
   volumes:
     - /var/run/docker.sock:/var/run/docker.sock
     - ./volumes/portainer-ce/data:/data
+

.templates/portainer_agent/service.yml

@@ -7,3 +7,4 @@
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/lib/docker/volumes:/var/lib/docker/volumes
     restart: unless-stopped
+

.templates/postgres/service.yml

@@ -10,5 +10,4 @@ postgres:
     - "5432:5432"
   volumes:
     - ./volumes/postgres/data:/var/lib/postgresql/data
-  networks:
-    - iotstack_nw
+

.templates/python/service.yml

@@ -10,5 +10,4 @@ python:
   #   - "external:internal"
   volumes:
     - ./volumes/python/app:/usr/src/app
-  networks:
-    - iotstack_nw
+

.templates/qbittorrent/service.yml

@@ -14,3 +14,4 @@
       - "6881:6881/udp"
       - "15080:15080"
       - "1080:1080"
+

.templates/rtl_433/service.yml

@@ -10,6 +10,5 @@ rtl_433:
     - MQTT_TOPIC=RTL_433
   devices:
     - /dev/bus/usb
-  networks:
-    - iotstack_nw
   restart: unless-stopped
+

.templates/tasmoadmin/service.yml

@@ -6,6 +6,4 @@ tasmoadmin:
     - "8088:80"
   volumes:
     - ./volumes/tasmoadmin/data:/data
-  networks:
-    - iotstack_nw
 

.templates/telegraf/service.yml

@@ -14,6 +14,4 @@ telegraf:
   depends_on:
     - influxdb
     - mosquitto
-  networks:
-    - iotstack_nw
 

.templates/timescaledb/service.yml

@@ -10,5 +10,4 @@ timescaledb:
     - "5432:5432"
   volumes:
     - ./volumes/timescaledb/data:/var/lib/postgresql/data
-  networks:
-    - iotstack_nw
+

.templates/transmission/service.yml

@@ -14,5 +14,4 @@ transmission:
     - "51413:51413"
     - "51413:51413/udp"
   restart: unless-stopped
-  networks:
-    - iotstack_nw
+

.templates/wireguard/service.yml

@@ -10,6 +10,7 @@ wireguard:
   - SERVERPORT=51820
   - PEERS=laptop,phone,tablet
   - PEERDNS=auto
+  # - PEERDNS=172.30.0.1
   - ALLOWEDIPS=0.0.0.0/0
   ports:
   - "51820:51820/udp"
@@ -21,3 +22,4 @@ wireguard:
   - SYS_MODULE
   sysctls:
   - net.ipv4.conf.all.src_valid_mark=1
+

.templates/wireguard/use-container-dns.sh

@@ -0,0 +1,16 @@
+# Forward DNS requests from remote WireGuard clients to the default
+# gateway on the internal bridged network that the WireGuard container
+# is attached to. This results in queries being sent to any other
+# container on the same internal bridged network that is listening
+# on port 53 (eg PiHole, AdGuardHome or bind9).
+#
+# Acknowledgement: @ukkopahis
+
+GW=$(ip route list default | head -1 | cut -d " " -f 3)
+echo Creating Corefile to use DNS at $GW
+echo "# Generated by use-container-dns.sh
+. {
+    loop
+    forward . dns://${GW}
+}" > /config/coredns/Corefile
+

.templates/zigbee2mqtt/service.yml

@@ -12,5 +12,4 @@ zigbee2mqtt:
    #- /dev/ttyACM0:/dev/ttyACM0 # should work if CC2531 connected
    #- /dev/ttyUSB0:/dev/ttyACM0 # Electrolama zig-a-zig-ah! (zzh!) maybe other as well
   restart: unless-stopped
-  networks:
-    - iotstack_nw
+

.templates/zigbee2mqtt_assistant/service.yml

@@ -8,6 +8,4 @@ zigbee2mqtt_assistant:
     - VIRTUAL_HOST=~^zigbee2mqtt_assistant\..*\.xip\.io
     - Z2MA_SETTINGS__MQTTSERVER=mosquitto
     - VIRTUAL_PORT=8880
-  networks:
-    - iotstack_nw