UDM Pro tools

Abstract

The UDM Pro repo contains configuration for the UDM Pro that makes the device easier to manage and more performant. It is based on udm-utilities.

The customizations built on top of the utilities provide the following services:

  • DDNS updater: periodic service and web dashboard to update the DDNS record in DuckDNS;
  • Node exporter: Prometheus node exporter allowing the Prometheus server on the NAS to retrieve metrics;
  • Unbound: Fully recursive DNS caching + verifying resolver to serve as the upstream resolver for Pi-hole. Includes periodic prefetching of most used DNS records;
  • Unbound exporter: exporter listening on TCP port 9167 that lets the Prometheus server on the NAS scrape metrics about Unbound, which the exporter reads from Unbound's control port on TCP 8953;
  • Pi-hole: Ad-blocking recursive caching DNS provider which delegates the DNS queries to Unbound on UDP port 5335.

Prometheus Node Exporter

Install with apt:

apt install -y prometheus-node-exporter

Edit the /etc/systemd/system/multi-user.target.wants/prometheus-node-exporter.service file to disable two collectors (pressure and rapl) that are not supported on the UDM Pro:

ExecStart=/usr/bin/prometheus-node-exporter $ARGS --no-collector.pressure --no-collector.rapl

Reload the unit:

systemctl daemon-reload && systemctl restart prometheus-node-exporter.service

Create VM for Pi-hole/Unbound

SSH into the UDM Pro, and follow the instructions in https://github.com/unifi-utilities/unifios-utilities/tree/main/nspawn-container (including the MACVLAN steps).

apt install -y prometheus-node-exporter # Install the Prometheus Node Exporter
mkdir -p /volume1/pihole

Inside the debian-dns container:

echo 'pihole' > /etc/hostname
# Allow SQLite to create a journal file for changes inside the same directory as the gravity.db file
chmod g+w /external/etc/pihole
chown -R pihole:pihole /external/etc/pihole

apt -y install curl
curl -sSL https://install.pi-hole.net | PIHOLE_SKIP_OS_CHECK=true bash

Unbound

Inside the debian-dns container (machinectl shell debian-dns):

# https://docs.pi-hole.net/guides/dns/unbound/#setting-up-pi-hole-as-a-recursive-dns-server-solution

apt-get install unbound unbound-anchor
chown -R unbound:unbound /var/lib/unbound
curl -s https://www.internic.net/domain/named.root | sudo -h pihole -u unbound tee /var/lib/unbound/root.hints
sudo -h pihole -u unbound unbound-control-setup

# Generate root trust anchor for DNSSEC validation
sudo -h pihole -u unbound unbound-anchor -a "/var/lib/unbound/root.key"

sudo -h pihole service unbound restart

systemctl enable unbound-exporter
systemctl start unbound-exporter
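
The README installs Unbound but does not show the configuration that ties the pieces together. The script below is an added example, not the repo's own config: it writes an Unbound server file that listens on port 5335 for Pi-hole, validates DNSSEC with the root.hints and root.key created by the steps above, enables prefetching of popular records, and opens remote-control on loopback port 8953 for unbound-exporter. The output path, the loopback-only binding (assuming Pi-hole and Unbound share the container), the cache sizes and the certificate paths written by unbound-control-setup are assumptions.

```shell
#!/bin/sh
# Added example (not part of the udm-pro repo). Writes an Unbound config that
# matches the layout described in the README: Pi-hole forwards to 127.0.0.1:5335,
# unbound-exporter reads stats from remote-control on 127.0.0.1:8953.
# The destination path is a parameter so the file can be written to a scratch
# location and checked before touching /etc/unbound.

write_unbound_conf() {
    out="${1:-/etc/unbound/unbound.conf.d/pi-hole.conf}"   # assumed location
    cat > "$out" <<'EOF'
server:
    verbosity: 0
    # Only Pi-hole, in the same container, talks to Unbound: bind loopback only.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    # Defence in depth on top of the interface binding: refuse everything else.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Root hints and trust anchor generated by the README's install steps.
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Reject answers whose DNSSEC data was stripped and bogus glue records.
    harden-dnssec-stripped: yes
    harden-glue: yes
    # Do not reveal the resolver's identity or version to clients.
    hide-identity: yes
    hide-version: yes
    # Send minimal qnames upstream and avoid fragmented UDP replies.
    qname-minimisation: yes
    edns-buffer-size: 1232
    # Refresh popular records (and their DNSKEYs) before their TTL expires.
    prefetch: yes
    prefetch-key: yes
    # Cache sizing for a single-threaded resolver on the UDM Pro (assumed values).
    cache-min-ttl: 300
    msg-cache-size: 64m
    rrset-cache-size: 128m
    num-threads: 1

remote-control:
    control-enable: yes
    # unbound-exporter scrapes this; keep it on loopback, never a LAN address.
    control-interface: 127.0.0.1
    control-port: 8953
    # Default file names written by unbound-control-setup (assumed paths).
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
EOF
}

# Validate the file before restarting the service; falls back to a structural
# check when unbound-checkconf is not installed (e.g. on a build host).
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        grep -q '^server:' "$1" && grep -q '^remote-control:' "$1"
    fi
}

# Usage inside the container:
#   write_unbound_conf /tmp/pi-hole.conf && check_unbound_conf /tmp/pi-hole.conf \
#     && cp /tmp/pi-hole.conf /etc/unbound/unbound.conf.d/ && service unbound restart
```

After the restart, `unbound-control status` confirms remote-control works before unbound-exporter is enabled, and `dig @127.0.0.1 -p 5335 example.com +dnssec` should return the `ad` flag if the trust anchor is in place.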

At the end, run apt clean to remove the cached package archives left behind by the installs.
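
The abstract mentions periodic prefetching of the most used DNS records, but the README does not show how the list is built. The script below is an added example, not the repo's own prefetch job: it extracts hostnames from the dnsmasq-style query log Pi-hole writes, keeps the N most frequent ones, and resolves them against Unbound on 127.0.0.1:5335 so the answers are already cached when their TTL expires. The log path, the N=20 default and the sample log lines are assumptions; the hostname filter is there so text a client can place in the log never reaches the dig command line unvalidated.

```shell
#!/bin/sh
# Added example (not the udm-pro repo's code): warm Unbound's cache with the
# domains Pi-hole's clients ask for most. Assumed log path: /var/log/pihole/pihole.log
# (dnsmasq format, e.g. "query[A] www.example.com from 192.168.1.10").

# Print the N most frequently queried hostnames found in a Pi-hole query log.
# Only names that are valid multi-label hostnames are emitted, so nothing a LAN
# client can put into a DNS query (and therefore into the log) is passed on to
# the shell command in prefetch() unchecked.
top_domains() {
    log="$1"
    n="${2:-20}"
    sed -n 's/.*query\[[A-Z0-9]*\] \([^ ]*\) from .*/\1/p' "$log" \
        | tr '[:upper:]' '[:lower:]' \
        | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$' \
        | sort | uniq -c | sort -rn \
        | head -n "$n" \
        | awk '{print $2}'
}

# Resolve each name against Unbound so the answer and its DNSSEC chain are
# cached. Requires dig (dnsutils). A failed lookup must not stop the run.
prefetch() {
    top_domains "$1" "${2:-20}" | while read -r name; do
        dig @127.0.0.1 -p 5335 +short +tries=1 +time=2 "$name" A >/dev/null 2>&1 || true
    done
}

# Constructed sample of the dnsmasq query-log lines Pi-hole produces. The
# "weird;chars" line stands in for a query name that is not a valid hostname
# and must be dropped by the filter above.
sample_log() {
    cat <<'EOF'
Jan 12 10:00:01 dnsmasq[4242]: query[A] www.example.com from 192.168.1.10
Jan 12 10:00:01 dnsmasq[4242]: forwarded www.example.com to 127.0.0.1#5335
Jan 12 10:00:02 dnsmasq[4242]: query[AAAA] www.example.com from 192.168.1.10
Jan 12 10:00:03 dnsmasq[4242]: query[A] cdn.example.net from 192.168.1.11
Jan 12 10:00:04 dnsmasq[4242]: query[A] WWW.EXAMPLE.COM from 192.168.1.12
Jan 12 10:00:05 dnsmasq[4242]: query[A] cdn.example.net from 192.168.1.10
Jan 12 10:00:06 dnsmasq[4242]: query[A] weird;chars.example.org from 192.168.1.13
Jan 12 10:00:07 dnsmasq[4242]: query[A] nas.lan from 192.168.1.10
EOF
}

# Usage from a cron entry or systemd timer inside the container (assumed path):
#   prefetch /var/log/pihole/pihole.log 50
```

Run from a timer, the job keeps the hot set of records fresh regardless of Unbound's own prefetch setting, which only triggers when a client happens to ask shortly before expiry; the filter also means a name that never parses as a hostname is simply ignored rather than logged or retried.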

Knowledge base

If you see the following error:

Failed to get shell PTY: Unit container-shell@1.service was already loaded or has a fragment file.

It means that a shell session was not properly terminated. Run the following command on the host to restart the unit:

systemctl -M debian-dns try-restart container-shell@1.service