diff --git a/roles/pi-hole/handlers/main.yml b/roles/pi-hole/handlers/main.yml
new file mode 100644
index 0000000..d78a686
--- /dev/null
+++ b/roles/pi-hole/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Nginx
+ become: true
+ ansible.builtin.systemd:
+ name: nginx.service
+ state: restarted
diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml
index 311fbde..93d2338 100644
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
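Review bot: The handler uses `state: restarted` on `nginx.service`, which stops and starts the service for every rendered configuration change and, if the new conf.d file is invalid, leaves nginx down. `state: reloaded` applies the new configuration without dropping in-flight connections and keeps the running workers when the reload fails its config check, so it is the safer choice for a template-triggered handler. If a hard restart is really wanted, a comment saying why would help the next reader.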
@@ -4,6 +4,75 @@
 ansible.builtin.apt:
 name: podman
 state: present
-# TODO: I'll have to come back to this configuration, it appears there's a problem.
-# We're going to need to reuse web ports in order to serve multiple websites from
-# the Raspberry Pi, this will probably necesitate installing Nginx or another reverse proxy.
+- name: Create a user for running the pi-hole podman container
+ ansible.builtin.include_role:
+ name: user
+ vars:
+ user_username: "{{ pi_hole_username }}"
+ user_password: "{{ pi_hole_password }}"
+- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
+ become: true
+ become_user: "{{ pi_hole_username }}"
+ ansible.builtin.file:
+ path: "/home/{{ pi_hole_username }}/etc-pihole"
+ state: directory
+ mode: '0700'
+ register: command_result
+ failed_when:
+ - command_result.rc != 0
+ # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
+ # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
+ # change anything at this point so we'll ignore the error for now.
+ - "'set_mode_if_different' not in command_result.module_stdout"
+- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
+ become: true
+ become_user: "{{ pi_hole_username }}"
+ ansible.builtin.file:
+ path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
+ state: directory
+ mode: '0700'
+ failed_when:
+ - command_result.rc != 0
+ # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
+ # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
+ # change anything at this point so we'll ignore the error for now.
+ - "'set_mode_if_different' not in command_result.module_stdout"
+- name: Start the Pi-hole container
+ become: true
+ become_user: "{{ pi_hole_username }}"
+ containers.podman.podman_container:
+ name: pi-hole
+ image: docker.io/pihole/pihole:2024.03.2
+ restart_policy: on-failure
+ publish:
+ # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
+ # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
+ - 127.0.0.1:5053:53/tcp
+ - 127.0.0.1:5053:53/udp
+ - 127.0.0.1:8080:80
+ env:
+ TZ: 'Europe/Amsterdam'
+ WEBPASSWORD: "{{ pi_hole_web_password }}"
+ FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
+ PIHOLE_DNS_: 1.1.1.1;1.0.0.1
+ DNSMASQ_USER: "{{ pi_hole_username }}"
+ volumes:
+ - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
+ - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
+ state: started
+- name: Install certificate for pi-hole.kleinendorst.info
+ become: true
+ ansible.builtin.command:
+ cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
+ creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
+- name: Set Nginx configuration
+ become: true
+ ansible.builtin.template:
+ src: pi-hole.conf.j2
+ dest: /etc/nginx/conf.d/pi-hole.conf
+ mode: '0644'
+ notify: Restart Nginx
+- name: Debug
+ ansible.builtin.debug:
+ msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
+# TODO: Install and configure ufw to forward the DNS port (53) to the 5053 podman container port.
diff --git a/roles/pi-hole/templates/pi-hole.conf.j2 b/roles/pi-hole/templates/pi-hole.conf.j2
new file mode 100644
index 0000000..4f8f751
--- /dev/null
+++ b/roles/pi-hole/templates/pi-hole.conf.j2
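Review bot: The `failed_when` on the `/etc-dnsmasq.d` task evaluates `command_result`, but that task has no `register:`, so the override is checked against the result left over from the `/etc-pihole` task rather than its own; add `register: command_result` (or a distinct name) to the second task. Both conditionals also read `command_result.rc` and `command_result.module_stdout`, which `ansible.builtin.file` presumably only populates when the module crashes, so on a clean run the `rc` lookup is likely undefined and the conditional itself may error out — worth re-checking on a fresh host. The ownership change the comments describe is the rootless-Podman user-namespace remapping; the `U` volume option (`"/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole:U"`) asks Podman to chown the bind mount to the container user, which would remove the need to swallow the failure at all. `DNSMASQ_USER` is set to the host account name, which I assume does not exist inside the image; confirm FTL can actually drop privileges to it, otherwise the "unprivileged container" intent of this task is not met.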
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name pi-hole.kleinendorst.info;
+
+ # SSL via Let's Encrypt
+ ssl_certificate /etc/letsencrypt/live/pi-hole.kleinendorst.info/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/pi-hole.kleinendorst.info/privkey.pem; # managed by Certbot
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location = / {
+ return 301 https://pi-hole.kleinendorst.info/admin;
+ }
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+
+ set $upstream_address 127.0.0.1;
+ set $upstream_port 8080;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_address:$upstream_port;
+ }
+}
diff --git a/roles/pi-hole/vars/main/defaults.yml b/roles/pi-hole/vars/main/defaults.yml
new file mode 100644
index 0000000..762fd91
--- /dev/null
+++ b/roles/pi-hole/vars/main/defaults.yml
@@ -0,0 +1,2 @@
+---
+pi_hole_username: pi-hole
diff --git a/roles/pi-hole/vars/main/vault.yml b/roles/pi-hole/vars/main/vault.yml
new file mode 100644
index 0000000..81462a9
--- /dev/null
+++ b/roles/pi-hole/vars/main/vault.yml
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+38343333306431366465313835386337326366336363336265326563306363646131636566616339
+6661613931366263333039346530356336323932383236380a636638343531383731613930353033
+37643532353933323633353539366637653565643539613262623037366333316361346462393133
+6431633163333931360a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
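Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and only weaken the admin endpoint; trim it to `ssl_protocols TLSv1.2 TLSv1.3;`. With `ssl_ciphers HIGH:!aNULL:!MD5;` the server will still negotiate CBC and non-forward-secret RSA key-exchange suites on TLS 1.2, so an ECDHE-only AES-GCM/ChaCha20 list with `ssl_prefer_server_ciphers on;` would be a sensible follow-up. The `# managed by Certbot` trailers are misleading here because the file is rendered by the Ansible template task, not edited by certbot. The proxied `location /` never sets `X-Forwarded-Proto`, so the upstream cannot tell the client spoke TLS; `proxy_set_header X-Forwarded-Proto $scheme;` is worth adding if the admin UI builds absolute links from it.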
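Review bot: `pi_hole_username` is defined in `vars/main/defaults.yml`, which Ansible loads as a role var rather than a role default, so despite the file name it takes precedence over inventory and group variables and cannot be overridden by a caller. If an overridable default is intended, move it to `defaults/main.yml` and keep `vars/main/` for the vaulted values.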