version: "3"
services:

  # Gluetun is used to connect container to VPN
  invidious-gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
      - WIREGUARD_PRIVATE_KEY={{ technitium_service_privkey }}
      - WIREGUARD_ADDRESSES=10.0.0.10/32
      - FIREWALL_VPN_INPUT_PORTS=5380,53,5335,5432
    ports:
      - "5380:5380"
      - "53:53"
    networks:
      technitium:
    deploy:
      resources:
        limits:
          cpus: '0.10'
          memory: 512M

  technitium:
    network_mode: "service:invidious-gluetun"
    container_name: technitium
    hostname: technitium
    image: technitium/dns-server:latest
    # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them
    # network_mode: "host"
    #ports:
    #- "5380:5380/tcp" #DNS web console (HTTP)
      # - "53443:53443/tcp" #DNS web console (HTTPS)
    #- "53:53/udp" #DNS service
    #- "53:53/tcp" #DNS service
      # - "853:853/udp" #DNS-over-QUIC service
      # - "853:853/tcp" #DNS-over-TLS service
      # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
      # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
      # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
      # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
      # - "67:67/udp" #DHCP service
    environment:
      - DNS_SERVER_DOMAIN=technitium #The primary domain name used by this DNS Server to identify itself.
      - DNS_SERVER_ADMIN_PASSWORD={{ service_technitium_password }} #DNS web console admin user password.
      # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
      # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode.
      # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
      # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
      # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
      # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
      # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL.
      # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option.
      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option.  This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead.
      - DNS_SERVER_ENABLE_BLOCKING=true #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
      # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
      # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs.
      - DNS_SERVER_FORWARDERS=11.2.0.22 #Comma separated list of forwarder addresses.
      # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
      # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
    volumes:
      - ./technitium-data:/etc/dns
    sysctls:
      - net.ipv4.ip_local_port_range=1024 65000
    depends_on:
      - technitium-unbound
    restart: unless-stopped

  # Unbound is a validating, recursive, and caching DNS resolver. Technitium will be configured to talk to this instead of a third party.
  technitium-unbound:
    container_name: technitium-unbound
    image: mvance/unbound:latest
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    volumes:
      #- ./unbound-data/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro
      #- ./unbound-data/a-records.conf:/opt/unbound/etc/unbound/a-records.conf:ro
       - ./unbound-data/unbound:/opt/unbound/etc/unbound/
    networks:
      technitium:
       ipv4_address: 11.2.0.22
    restart: unless-stopped

networks:
  technitium:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: technitium 
        #      com.docker.network.driver.enable_ip_masquerade: 0
    ipam:  
      config:
        - subnet: 11.2.0.0/16
          #          gateway: 11.5.0.1