From 21237b64c01fa4fc5ad0ffe211d98d165074d3f6 Mon Sep 17 00:00:00 2001
From: Thomas Kleinendorst
Date: Sat, 13 Apr 2024 15:26:45 +0200
Subject: [PATCH] Install Pi-hole with some existing problems

There is an error telling that dnsmasq doesn't start, this might have to do with the user having to be root. The DNS service also isn't exposed yet as it needs some ufw forwarding (there's a TODO in the code mentioning this).
---
 roles/pi-hole/handlers/main.yml | 6 ++
 roles/pi-hole/tasks/main.yml | 75 ++++++++++++++++++++++++-
 roles/pi-hole/templates/pi-hole.conf.j2 | 25 +++++++++
 roles/pi-hole/vars/main/defaults.yml | 2 +
 roles/pi-hole/vars/main/vault.yml | 11 ++++
 5 files changed, 116 insertions(+), 3 deletions(-)
 create mode 100644 roles/pi-hole/handlers/main.yml
 create mode 100644 roles/pi-hole/templates/pi-hole.conf.j2
 create mode 100644 roles/pi-hole/vars/main/defaults.yml
 create mode 100644 roles/pi-hole/vars/main/vault.yml

diff --git a/roles/pi-hole/handlers/main.yml b/roles/pi-hole/handlers/main.yml
new file mode 100644
index 0000000..d78a686
--- /dev/null
+++ b/roles/pi-hole/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Nginx
+  become: true
+  ansible.builtin.systemd:
+    name: nginx.service
+    state: restarted
diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml
index 311fbde..93d2338 100644
--- a/roles/pi-hole/tasks/main.yml
+++ b/roles/pi-hole/tasks/main.yml
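Review bot: The `Restart Nginx` handler uses `state: restarted`, which takes the whole proxy down (dropping in-flight TLS connections to every vhost it fronts) each time `pi-hole.conf` is re-templated, and if the rendered config is broken nginx will not come back up and the listener stays unbound. `state: reloaded` applies the new config without interrupting service, and the nginx master rejects a reload whose config fails validation while keeping the old configuration serving, which is the safer failure mode for a role that writes templated config. Suggested change: `state: reloaded` (keep the handler name, or rename it together with the `notify: Restart Nginx` in tasks/main.yml).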
@@ -4,6 +4,75 @@
   ansible.builtin.apt:
     name: podman
     state: present
-# TODO: I'll have to come back to this configuration, it appears there's a problem.
-# We're going to need to reuse web ports in order to serve multiple websites from
-# the Raspberry Pi, this will probably necesitate installing Nginx or another reverse proxy.
+- name: Create a user for running the pi-hole podman container
+  ansible.builtin.include_role:
+    name: user
+  vars:
+    user_username: "{{ pi_hole_username }}"
+    user_password: "{{ pi_hole_password }}"
+- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
+  become: true
+  become_user: "{{ pi_hole_username }}"
+  ansible.builtin.file:
+    path: "/home/{{ pi_hole_username }}/etc-pihole"
+    state: directory
+    mode: '0700'
+  register: command_result
+  failed_when:
+    - command_result.rc != 0
+    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
+    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
+    # change anything at this point so we'll ignore the error for now.
+    - "'set_mode_if_different' not in command_result.module_stdout"
+- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
+  become: true
+  become_user: "{{ pi_hole_username }}"
+  ansible.builtin.file:
+    path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
+    state: directory
+    mode: '0700'
+  failed_when:
+    - command_result.rc != 0
+    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
+    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
+    # change anything at this point so we'll ignore the error for now.
+    - "'set_mode_if_different' not in command_result.module_stdout"
+- name: Start the Pi-hole container
+  become: true
+  become_user: "{{ pi_hole_username }}"
+  containers.podman.podman_container:
+    name: pi-hole
+    image: docker.io/pihole/pihole:2024.03.2
+    restart_policy: on-failure
+    publish:
+      # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
+      # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
+      - 127.0.0.1:5053:53/tcp
+      - 127.0.0.1:5053:53/udp
+      - 127.0.0.1:8080:80
+    env:
+      TZ: 'Europe/Amsterdam'
+      WEBPASSWORD: "{{ pi_hole_web_password }}"
+      FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
+      PIHOLE_DNS_: 1.1.1.1;1.0.0.1
+      DNSMASQ_USER: "{{ pi_hole_username }}"
+    volumes:
+      - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
+      - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
+    state: started
+- name: Install certificate for pi-hole.kleinendorst.info
+  become: true
+  ansible.builtin.command:
+    cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
+    creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
+- name: Set Nginx configuration
+  become: true
+  ansible.builtin.template:
+    src: pi-hole.conf.j2
+    dest: /etc/nginx/conf.d/pi-hole.conf
+    mode: '0644'
+  notify: Restart Nginx
+- name: Debug
+  ansible.builtin.debug:
+    msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
+# TODO: Install and configure ufw to forward the DNS port (53) to the 5053 podman container port.
diff --git a/roles/pi-hole/templates/pi-hole.conf.j2 b/roles/pi-hole/templates/pi-hole.conf.j2
new file mode 100644
index 0000000..4f8f751
--- /dev/null
+++ b/roles/pi-hole/templates/pi-hole.conf.j2
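Review bot: The `Create the /etc-dnsmasq.d directory` task has no `register:`, so its `failed_when` reads the `command_result` left behind by the preceding `etc-pihole` task and never reflects this task's own outcome; add `register: command_result` (or a distinct name) to it as well. Both conditionals also test `command_result.rc`, which `ansible.builtin.file` does not return on a successful run, so the first condition will likely raise an undefined-attribute error on a clean host instead of evaluating to false; `- command_result is failed` followed by `- "'set_mode_if_different' not in (command_result.module_stdout | default(''))"` keeps the intended "only ignore the chmod-after-chown failure" behaviour without that trap. Separately, passing the admin password as `env: WEBPASSWORD` makes it readable to anyone who can run `podman inspect` as that user or read `/proc/<pid>/environ` of the container processes; the image README lists a `WEBPASSWORD_FILE` variant that can be pointed at a root-owned file or a podman secret instead. `DNSMASQ_USER: "{{ pi_hole_username }}"` hands the container a host account name that does not exist in the image's passwd, which may well be the dnsmasq start failure the commit message describes — the image's documented values are `pihole` (default) or `root`.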
@@ -0,0 +1,25 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name pi-hole.kleinendorst.info;
+
+    # SSL via Let's Encrypt
+    ssl_certificate /etc/letsencrypt/live/pi-hole.kleinendorst.info/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/pi-hole.kleinendorst.info/privkey.pem; # managed by Certbot
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
+    location = / {
+        return 301 https://pi-hole.kleinendorst.info/admin;
+    }
+
+    location / {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+
+        set $upstream_address 127.0.0.1;
+        set $upstream_port 8080;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_address:$upstream_port;
+    }
+}
diff --git a/roles/pi-hole/vars/main/defaults.yml b/roles/pi-hole/vars/main/defaults.yml
new file mode 100644
index 0000000..762fd91
--- /dev/null
+++ b/roles/pi-hole/vars/main/defaults.yml
@@ -0,0 +1,2 @@
+---
+pi_hole_username: pi-hole
diff --git a/roles/pi-hole/vars/main/vault.yml b/roles/pi-hole/vars/main/vault.yml
new file mode 100644
index 0000000..81462a9
--- /dev/null
+++ b/roles/pi-hole/vars/main/vault.yml
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+38343333306431366465313835386337326366336363336265326563306363646131636566616339
+6661613931366263333039346530356336323932383236380a636638343531383731613930353033
+37643532353933323633353539366637653565643539613262623037366333316361346462393133
+6431633163333931360a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
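Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` explicitly re-enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and only leave weaker negotiable versions in play for the admin login; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. `ssl_ciphers HIGH:!aNULL:!MD5;` likewise still admits static-RSA and CBC suites without forward secrecy, so an ECDHE/AEAD-only list (the Mozilla "intermediate" profile) plus `ssl_prefer_server_ciphers off;` and an `add_header Strict-Transport-Security` line are cheap hardening for a vhost that is HTTPS-only anyway. Note that this publishes the Pi-hole `/admin` login on a public hostname with only `WEBPASSWORD` between the internet and the DNS configuration; if the Pi is reachable from outside the LAN, an `allow`/`deny` block on `location /` (or client certificates) would bound that exposure. The three `set $upstream_*` variables buy nothing over a literal `proxy_pass http://127.0.0.1:8080;` — variable-based `proxy_pass` only matters when a hostname needs a `resolver`, and here the target is a fixed loopback address.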