Install Pi-hole with some existing problems

There is an error telling that dnsmasq doesn't start, this might have
to do with the user having to be root.
The DNS service also isn't exposed yet as it needs some ufw forwarding
(there's a TODO in the code mentioning this).

roles/pi-hole/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Restart Nginx
+  become: true
+  ansible.builtin.systemd:
+    name: nginx.service
+    state: restarted

roles/pi-hole/tasks/main.yml

@@ -4,6 +4,75 @@
   ansible.builtin.apt:
     name: podman
     state: present
-# TODO: I'll have to come back to this configuration, it appears there's a problem.
-#       We're going to need to reuse web ports in order to serve multiple websites from
-#       the Raspberry Pi, this will probably necesitate installing Nginx or another reverse proxy.
+- name: Create a user for running the pi-hole podman container
+  ansible.builtin.include_role:
+    name: user
+  vars:
+    user_username: "{{ pi_hole_username }}"
+    user_password: "{{ pi_hole_password }}"
+- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
+  become: true
+  become_user: "{{ pi_hole_username }}"
+  ansible.builtin.file:
+    path: "/home/{{ pi_hole_username }}/etc-pihole"
+    state: directory
+    mode: '0700'
+  register: command_result
+  failed_when:
+    - command_result.rc != 0
+    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
+    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
+    # change anything at this point so we'll ignore the error for now.
+    - "'set_mode_if_different' not in command_result.module_stdout"
+- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
+  become: true
+  become_user: "{{ pi_hole_username }}"
+  ansible.builtin.file:
+    path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
+    state: directory
+    mode: '0700'
+  failed_when:
+    - command_result.rc != 0
+    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
+    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
+    # change anything at this point so we'll ignore the error for now.
+    - "'set_mode_if_different' not in command_result.module_stdout"
+- name: Start the Pi-hole container
+  become: true
+  become_user: "{{ pi_hole_username }}"
+  containers.podman.podman_container:
+    name: pi-hole
+    image: docker.io/pihole/pihole:2024.03.2
+    restart_policy: on-failure
+    publish:
+    # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
+    # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
+      - 127.0.0.1:5053:53/tcp
+      - 127.0.0.1:5053:53/udp
+      - 127.0.0.1:8080:80
+    env:
+      TZ: 'Europe/Amsterdam'
+      WEBPASSWORD: "{{ pi_hole_web_password }}"
+      FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
+      PIHOLE_DNS_: 1.1.1.1;1.0.0.1
+      DNSMASQ_USER: "{{ pi_hole_username }}"
+    volumes:
+      - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
+      - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
+    state: started
+- name: Install certificate for pi-hole.kleinendorst.info
+  become: true
+  ansible.builtin.command:
+    cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
+    creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
+- name: Set Nginx configuration
+  become: true
+  ansible.builtin.template:
+    src: pi-hole.conf.j2
+    dest: /etc/nginx/conf.d/pi-hole.conf
+    mode: '0644'
+  notify: Restart Nginx
+- name: Debug
+  ansible.builtin.debug:
+    msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
+# TODO: Install and configure ufw to forward the DNS port (53) to the 5053 podman container port.

roles/pi-hole/templates/pi-hole.conf.j2

@@ -0,0 +1,25 @@
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name pi-hole.kleinendorst.info;
+
+  # SSL via Let's Encrypt
+  ssl_certificate /etc/letsencrypt/live/pi-hole.kleinendorst.info/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/pi-hole.kleinendorst.info/privkey.pem; # managed by Certbot
+  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+  ssl_ciphers         HIGH:!aNULL:!MD5;
+
+  location = / {
+    return 301 https://pi-hole.kleinendorst.info/admin;
+  }
+
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+
+    set $upstream_address 127.0.0.1;
+    set $upstream_port 8080;
+    set $upstream_proto http;
+    proxy_pass $upstream_proto://$upstream_address:$upstream_port;
+  }
+}

roles/pi-hole/vars/main/defaults.yml

@@ -0,0 +1,2 @@
+---
+pi_hole_username: pi-hole

roles/pi-hole/vars/main/vault.yml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+38343333306431366465313835386337326366336363336265326563306363646131636566616339
+6661613931366263333039346530356336323932383236380a636638343531383731613930353033
+37643532353933323633353539366637653565643539613262623037366333316361346462393133
+6431633163333931360a626130653537633962326363306630306264356330646637373236393334
+32383131396439393761343363353763356632333039303962633561663661323739393862353237
+39343739333663656337396530366263386166323730353839393039313932323165333532616264
+62393733386138616330383962666166373361313064313631353337343966623763326635666261
+62343736366666623236303638346337656564313931353634633535353037666565653965646162
+65626361623862643262346663633532643365306362666335626432633763333861326533353631
+3963343336313630663366356638656465613735633930393534