feat: add lightweight Alpine Unbound DNS container

- Multi-arch support (x86_64 and ARM64) - ~50MB image size vs ~500MB for Ubuntu version - DNSSEC validation with root hints - Health checks and resource limits - Security hardening (hide identity/version, harden-glue, etc.) - Build script for easy single/multi-arch builds
2025-12-17 03:20:52 +00:00
parent eb42caf579
commit 827f8bbf9d
7 changed files with 553 additions and 0 deletions
--- a/builds/alpine-unbound/Dockerfile.arm64
+++ b/builds/alpine-unbound/Dockerfile.arm64
@@ -0,0 +1,58 @@
+# Alpine Unbound DNS Server - ARM64/aarch64 Edition
+FROM --platform=linux/arm64 alpine:3.19
+
+LABEL maintainer="homelab"
+LABEL description="Lightweight Unbound DNS resolver for ARM64"
+LABEL architecture="arm64"
+
+# Set timezone (can be overridden at runtime)
+ENV TZ=UTC
+
+# Install only essential packages for Unbound DNS
+RUN apk add --no-cache \
+    # Core DNS
+    unbound \
+    # DNS utilities for debugging
+    drill \
+    bind-tools \
+    # Basic networking tools
+    curl \
+    ca-certificates \
+    # Timezone data
+    tzdata \
+    # Process management (lightweight alternative to supervisor)
+    tini \
+    && rm -rf /var/cache/apk/*
+
+# Create necessary directories
+RUN mkdir -p /etc/unbound/unbound.conf.d \
+    /var/lib/unbound \
+    /var/log/unbound \
+    /config
+
+# Download root hints for DNSSEC validation
+RUN curl -sSL https://www.internic.net/domain/named.root -o /etc/unbound/root.hints
+
+# Set proper permissions
+RUN chown -R unbound:unbound /var/lib/unbound /var/log/unbound
+
+# Copy default configuration
+COPY unbound.conf /etc/unbound/unbound.conf
+
+# Create healthcheck script
+RUN echo '#!/bin/sh' > /usr/local/bin/healthcheck.sh && \
+    echo 'drill @127.0.0.1 -p 5335 google.com > /dev/null 2>&1' >> /usr/local/bin/healthcheck.sh && \
+    chmod +x /usr/local/bin/healthcheck.sh
+
+# Expose DNS port
+EXPOSE 5335/tcp 5335/udp
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD /usr/local/bin/healthcheck.sh
+
+# Use tini as init system for proper signal handling
+ENTRYPOINT ["/sbin/tini", "--"]
+
+# Run unbound in foreground
+CMD ["unbound", "-d", "-c", "/etc/unbound/unbound.conf"]