
webstudiobond/adguard-unbound

 
 


About container:

Container combining AdGuard Home and Unbound. I don't like the fact you cannot use 127.0.0.1 as an Upstream DNS server when trying to combine these two programs as separate containers. The only way I found was using the Docker container IP address, which to me isn't reliable enough.

Base: alpine:latest
Unbound: latest from alpine:latest
AdGuard Home: v0.107.53

Use the same volume mappings as the original AdGuardHome container. In fact, you can just swap in this image and everything still works. You only have to update your Upstream DNS server to 127.0.0.1:5053, which enables Unbound.

As with the original AdGuardHome image, this exposes the following:
Volumes:
/opt/adguardhome/work
/opt/adguardhome/conf

For Unbound:
/opt/unbound (Needs unbound.conf)

Ports: 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 3000/tcp 853/tcp 853/udp 5443/tcp 5443/udp 6060/tcp 5053/tcp 5053/udp

Hestia CP, certbot with Cloudflare, Docker Compose, AdGuard Home + Unbound

Steps:

  1. Install the DNSSEC key and root hints (not required, as they are already present in the image)
sudo apt update && sudo apt install dns-root-data
  2. For QUIC, raise the socket buffer limits
cat << EOF >> /etc/sysctl.conf
net.core.rmem_max = 7500000
net.core.wmem_max = 7500000
EOF
sysctl -p
  3. In Hestia CP, use the CLI to create a new user, for example dns, then add your domain, for example dns.example.com (the password is single-quoted so the shell does not expand $$):
v-add-user dns 'P4$$w@rD' dns@example.com
v-add-domain dns dns.example.com
  4. Create the folders
mkdir -p /home/dns/{agh-conf,unbound-conf,work,nginx,ssl}
chown -R dns:dns /home/dns/{agh-conf,unbound-conf,work,nginx,ssl}
  5. Use certbot to generate the certificate
  • Add DNS records in the Cloudflare dashboard: A and AAAA for dns.example.com, CNAME for *.dns.example.com (don't forget to change example.com to your domain)
A dns your_ipv4 DNS only
AAAA dns your_ipv6 DNS only
CNAME *.dns dns.example.com
  • Store your Cloudflare API token in /home/dns/cloudflare.ini, readable only by its owner
echo "dns_cloudflare_api_token = your_token_here" > /home/dns/cloudflare.ini && \
chown dns:dns /home/dns/cloudflare.ini && chmod 0600 /home/dns/cloudflare.ini
  • Run the certbot/dns-cloudflare Docker image (don't forget to change your_cloudflare_mail@example.com and example.com to your values; the wildcard name is quoted so the shell does not glob it)
sudo docker run -it --rm \
 --name certbot \
 -v "/home/dns/ssl:/etc/letsencrypt" \
 -v "/home/dns/cloudflare.ini:/cloudflare.ini" \
 certbot/dns-cloudflare certonly --dns-cloudflare --dns-cloudflare-credentials /cloudflare.ini \
 -m your_cloudflare_mail@example.com --agree-tos --preferred-chain "ISRG Root X1" \
 --no-eff-email --dns-cloudflare-propagation-seconds 20 \
 --cert-name example.com -d '*.dns.example.com' -d dns.example.com
  • Add renew_dns_cert to /usr/local/hestia/bin and make it executable (don't forget to change example.com to your domain)
nano /usr/local/hestia/bin/renew_dns_cert
chmod +x /usr/local/hestia/bin/renew_dns_cert
  • Then, in Hestia CP, add a cron job for user admin that runs sudo /usr/local/hestia/bin/renew_dns_cert (for example, every 30 days)
  6. Put the files sb_agh.stpl and sb_agh.tpl in the folder /usr/local/hestia/data/templates/web/nginx/php-fpm/. Then change the template for your domain in Hestia CP (don't forget to change example.com to your domain)
v-change-web-domain-tpl dns dns.example.com sb_agh
  7. If you wish, build your own Docker image
cd /home/dns/
git clone https://github.com/webstudiobond/adguard-unbound
docker build --tag sb/adguard-unbound:latest /home/dns/adguard-unbound
  8. Create docker-compose.yaml
nano /home/dns/docker-compose.yaml
  9. Create unbound.conf
nano /home/dns/unbound-conf/unbound.conf
  10. Start the containers and use the wiki to configure AdGuard Home
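
The cloudflare.ini command in the certbot step passes the API token to echo, so it lands in shell history, and the file exists with default permissions until chmod runs. One way to avoid both, as an added example that is not part of this repository (the function names write_cf_credentials and check_cf_credentials are hypothetical, and stat -c assumes GNU or BusyBox stat):

```shell
#!/bin/sh
# Added example, not from the adguard-unbound repository.
# Function names are hypothetical; stat -c assumes GNU or BusyBox stat.

# write_cf_credentials FILE
# Reads the Cloudflare API token from stdin, so it never appears in argv or
# shell history, and installs FILE with mode 0600 from the moment it exists.
write_cf_credentials() {
    file=$1
    IFS= read -r token || [ -n "$token" ] || return 1
    [ -n "$token" ] || return 1                   # refuse an empty token
    (
        umask 077
        tmp=$(mktemp "${file}.XXXXXX") || exit 1  # mktemp creates it 0600
        if printf 'dns_cloudflare_api_token = %s\n' "$token" > "$tmp" &&
            mv -f "$tmp" "$file"; then            # rename within one directory
            exit 0
        fi
        rm -f "$tmp"
        exit 1
    )
}

# check_cf_credentials FILE
# Succeeds only if FILE is a regular file, not a symlink, and grants no
# permissions to group or others (for example 600 or 400).
check_cf_credentials() {
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    case $mode in
        [0-7]00) return 0 ;;
        *) echo "$file: mode $mode exposes the token" >&2; return 1 ;;
    esac
}

# Usage (paths from the steps above):
#   write_cf_credentials /home/dns/cloudflare.ini   # then paste the token
#   chown dns:dns /home/dns/cloudflare.ini
#   check_cf_credentials /home/dns/cloudflare.ini || echo "fix permissions"
```

Running check_cf_credentials at the top of the renewal script makes a later permission change on the token file fail loudly instead of going unnoticed.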

Docker compose commands

# create and start
docker compose \
 -f /home/dns/docker-compose.yaml up -d
# stop and remove
docker compose \
 -f /home/dns/docker-compose.yaml down
