docker-stafwag-unbound v2.1.0 released: Use unbound as an DNS-over-TLS resolver and authoritative DNS server

May 4, 2025 4 minute read

Unbound is a popular DNS resolver, that has native DNS-over-TLS support.
 

Unbound and Stubby were among the first resolvers to implement DNS-over-TLS.

I wrote a few blog posts on how to use Stubby on GNU/Linux and FreeBSD.

• https://stafwag.github.io/blog/blog/2018/09/09/dns-privacy-with-stubby-part1-gnulinux/
• https://stafwag.github.io/blog/blog/2018/10/07/dns-privacy-with-stubby-part-2-freebsd/

The implementation status of DNS-over-TLS and other DNS privacy options is available at: https://dnsprivacy.org/.

See https://dnsprivacy.org/implementation_status/ for more details.

It’s less known that it can also be used as authoritative DNS server (aka a real DNS server). Since I discovered this feature and Unbound got native DNS-over-TLS support I started to it as my DNS server.

I created a docker container for it a couple of years back to use it as an authoritative DNS server.

I recently updated the container, the latest version (2.1.0) is available at: https://github.com/stafwag/docker-stafwag-unbound

ChangeLog

Version 2.1.0

Upgrade to debian:bookworm

• Updated BASE_IMAGE to debian:bookworm
• Add ARG DEBIAN_FRONTEND=noninteractive
• Run unbound-control-setup to generate the default certificate
• Documentation updated

docker-stafwag-hello_nginx v1.0.0 released

April 27, 2025 less than 1 minute read

While the code ( if you call YAML “code” ) is already more than 5 years old. I finally took the take the make a proper release of my test “hello” OCI container.

I use this container to demo a container build and how to deploy it with helm on a Kubernetes cluster. Some test tools (ping, DNS, curl, wget) are included to execute some tests on the deployed pod.

It also includes a Makefile to build the container and deploy it on a Red Hat OpenShift Local (formerly Red Hat CodeReady Containers) cluster.

To deploy the container with the included helm charts to OpenShift local (Code Ready Containers), execute make crc_deploy.

This will:

1. Build the container image
2. Login to the internal OpenShift registry
3. Push the image to the internal OpenShift register
4. Deploy the helm chart in the tsthelm namespace, the helm chart will also create a route for the application.

I might include support for other Kubernetes in the future when I find the time.

Ansible k3s on vms 1.2.0 and delegated_vm_install 2.0.3 released

April 6, 2025 1 minute read

I prepared a few update releases of some ansible roles related to provision virtual machines with libvirt over the last weeks.

Mainly clean up releases and makes sure that everything works on different GNU/Linux distributions out of the box.

One “big” change is the removal of the dependency on the cloud-localds utility to provision virtual machines with cloud-init. This enables the usage of the roles on Linux distributions that don’t provide this utility.

Ansible-k3s-on-vms v1.2.0

An Ansible playbook to deploy virtual machines and deploy K3s.

https://github.com/stafwag/ansible-k3s-on-vms

Best wishes 2025!

January 2, 2025 less than 1 minute read

Use a GPG smartcard with Thunderbird. Part 3: Setup Thunderbird

September 10, 2024 5 minute read

In previous blog posts, we discussed setting up a GPG smartcard on GNU/Linux and FreeBSD.

In this blog post, we will configure Thunderbird to work with an external smartcard reader and our GPG-compatible smartcard.

Before Thunderbird 78, if you wanted to use OpenPGP email encryption, you had to use a third-party add-on such as https://enigmail.net/.

Thunderbird’s recent versions natively support OpenPGP. The Enigmail addon for Thunderbird has been discontinued. See: https://enigmail.net/index.php/en/home/news.

I didn’t find good documentation on how to set up Thunderbird with a GnuPG smartcard when I moved to a new coreboot laptop, so this was the reason I created this blog post series.