Merge pull request #208 from Luzilla/helm-chart

helm chart

.docker/unbound/rootfs/Dockerfile

@@ -1,9 +1,17 @@
 FROM alpinelinux/unbound:latest
 
-RUN apk add --update bind-tools drill
-ADD https://www.internic.net/domain/named.cache /etc/unbound/root.hints
-ADD . /
+RUN apk add --update bind-tools drill \
+    && chown -R unbound:unbound /etc/unbound
 
-RUN unbound-checkconf
+USER unbound
+ADD --chown=unbound:unbound . /
+ADD --chown=unbound:unbound --chmod=0644 https://www.internic.net/domain/named.cache /etc/unbound/root.hints
 
+RUN ls -lah /etc/unbound
+
+RUN /usr/sbin/unbound-checkconf
+
+USER 101:101
 EXPOSE 5353/udp
+
+ENTRYPOINT ["unbound", "-dp"]

.docker/unbound/rootfs/etc/unbound/forward-zone.conf

@@ -0,0 +1,4 @@
+forward-zone:
+    name: "."
+    forward-addr: 9.9.9.9
+    forward-addr: 149.112.112.112

.docker/unbound/rootfs/etc/unbound/server.conf

@@ -0,0 +1,39 @@
+server:
+    username: ""
+    chroot: ""
+    port: 5353
+    verbosity: 1
+    interface: 0.0.0.0@5353
+    do-ip4: yes
+    do-ip6: no
+    do-udp: yes
+    do-tcp: no
+    prefer-ip4: yes
+    prefer-ip6: no
+    do-daemonize: no
+    access-control: 0.0.0.0/0 allow
+    logfile: ""
+    use-syslog: no
+    log-queries: yes
+    hide-identity: yes
+    hide-version: yes
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+    use-caps-for-id: yes
+    cache-min-ttl: 3600
+    cache-max-ttl: 86400
+    prefetch: yes
+    num-threads: 4
+    msg-cache-slabs: 8
+    rrset-cache-slabs: 8
+    infra-cache-slabs: 8
+    key-cache-slabs: 8
+    rrset-cache-size: 256m
+    msg-cache-size: 128m
+    so-rcvbuf: 1m
+    private-address: 192.168.1.0/16
+    unwanted-reply-threshold: 10000
+    do-not-query-localhost: no
+    val-clean-additional: yes
+    val-permissive-mode: yes
+    module-config: "iterator"

.docker/unbound/rootfs/etc/unbound/unbound.conf

@@ -1,41 +1,3 @@
-server:
-    username: unbound
-    port: 5353
-    verbosity: 1
-    interface: 0.0.0.0@5353
-    do-ip4: yes
-    do-ip6: no
-    do-udp: yes
-    do-tcp: no
-    prefer-ip4: yes
-    prefer-ip6: no
-    do-daemonize: no
-    access-control: 0.0.0.0/0 allow
-    logfile: ""
-    use-syslog: no
-    log-queries: yes
-    hide-identity: yes
-    hide-version: yes
-    harden-glue: yes
-    harden-dnssec-stripped: yes
-    use-caps-for-id: yes
-    cache-min-ttl: 3600
-    cache-max-ttl: 86400
-    prefetch: yes
-    num-threads: 4
-    msg-cache-slabs: 8
-    rrset-cache-slabs: 8
-    infra-cache-slabs: 8
-    key-cache-slabs: 8
-    rrset-cache-size: 256m
-    msg-cache-size: 128m
-    so-rcvbuf: 1m
-    private-address: 192.168.1.0/16
-    unwanted-reply-threshold: 10000
-    do-not-query-localhost: no
-    val-clean-additional: yes
+include: "/etc/unbound/server.conf"
 root-hints: "/etc/unbound/root.hints"
-forward-zone:
-    name: "."
-    forward-addr: 9.9.9.9
-    forward-addr: 149.112.112.112
+include: "/etc/unbound/forward-zone.conf"

Makefile

@@ -23,3 +23,9 @@ snapshot:
 .PHONY: test
 test:
 	act "pull_request" -j test
+
+.PHONY: build-unbound
+build-unbound:
+	docker build \
+		-t ghcr.io/luzilla/unbound:dev \
+		.docker/unbound/rootfs