@gideonshaked
Last active August 2, 2020 20:02
Docker-Compose for adblocking DoH with WireGuard
```yaml
version: "3"
services:
  # pihole
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: always
    privileged: true  # runs the container with full host privileges
    ports:
      # published on every host interface
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      DNS1: '10.0.0.2#5054'  # upstream resolver: the cloudflared container below
      DNS2: ''
      WEBPASSWORD: ${WEBPASSWORD}
      ServerIP: 192.168.0.253
      DNSMASQ_LISTENING: all
      TZ: ${TZ}
    networks:
      dns:
        ipv4_address: 10.0.0.3
    volumes:
      - './pihole/etc-pihole/:/etc/pihole/'
      - './pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 1.1.1.1
  # cloudflared
  cloudflared:
    container_name: cloudflared
    image: visibilityspots/cloudflared
    restart: always
    networks:
      dns:
        ipv4_address: 10.0.0.2
  # wireguard
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    restart: always
    networks:
      dns:
        ipv4_address: 10.0.0.4
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      ### optional ###
      - SERVERURL=gideonshaked.com
      - SERVERPORT=51820
      - PEERS=2
      - PEERDNS=10.0.0.3  # clients resolve through the pihole container
      - INTERNAL_SUBNET=10.13.13.0 # default
    volumes:
      - ${USERDIR}/docker/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
networks:
  dns:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/29
```
  1. Spin up the docker-compose.yml.
  2. Run docker logs wireguard to view WireGuard's logs.
  3. In the WireGuard app, add a new tunnel with one of the QR codes shown in the log.
  4. Manually edit Allowed IPs in the app to 10.0.0.3/29.
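
What the Allowed IPs value from step 4 means for routing, as an added example that is not part of the original gist: the script checks that the static addresses in the compose file fit the bridge subnet and that the tunnel carries only traffic for that subnet, so clients reach Pi-hole through WireGuard while everything else leaves them directly. The function names are hypothetical, and the gateway address and the `1.1.1.1` probe are assumptions noted in the comments.

```python
import ipaddress

# Values copied from the compose file and from step 4 above.
DOCKER_SUBNET = "10.0.0.0/29"
SERVICES = {"cloudflared": "10.0.0.2", "pihole": "10.0.0.3", "wireguard": "10.0.0.4"}
PEER_DNS = "10.0.0.3"        # PEERDNS handed to WireGuard clients
ALLOWED_IPS = "10.0.0.3/29"  # value entered in the app in step 4


def tunnel_routes(allowed_ips):
    """Parse a comma-separated AllowedIPs value; host bits are masked off."""
    parts = [p.strip() for p in allowed_ips.split(",") if p.strip()]
    return [ipaddress.ip_network(p, strict=False) for p in parts]


def via_tunnel(dest, allowed_ips):
    """True if traffic to dest would be sent through the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in tunnel_routes(allowed_ips))


def audit(subnet=DOCKER_SUBNET, services=SERVICES, peer_dns=PEER_DNS, allowed_ips=ALLOWED_IPS):
    """Return a list of problems; an empty list means the values are consistent."""
    findings = []
    hosts = list(ipaddress.ip_network(subnet).hosts())
    gateway = hosts[0]  # assumption: Docker gives the bridge gateway the first host address
    used = {}
    for name, ip in services.items():
        addr = ipaddress.ip_address(ip)
        if addr not in hosts:
            findings.append(f"{name}: {ip} is not a usable address in {subnet}")
        elif addr == gateway:
            findings.append(f"{name}: {ip} collides with the bridge gateway")
        if addr in used:
            findings.append(f"{name}: {ip} already assigned to {used[addr]}")
        used[addr] = name
    if not via_tunnel(peer_dns, allowed_ips):
        findings.append(f"peer DNS {peer_dns} is outside AllowedIPs {allowed_ips}")
    # 1.1.1.1 is a constructed probe standing in for "any public address".
    if via_tunnel("1.1.1.1", allowed_ips):
        findings.append("AllowedIPs also covers public addresses (not DNS-only)")
    return findings


if __name__ == "__main__":
    print("routes:", tunnel_routes(ALLOWED_IPS))
    print("findings:", audit() or "none")
```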