Fix pi-hole to work with new setup
This commit is contained in:
Thomas Kleinendorst
parent
e4bdd81823
commit
c8a8af9c18
9 changed files with 54 additions and 137 deletions
|
|
@ -19,12 +19,12 @@
|
||||||
- role: cloudflare-ddns
|
- role: cloudflare-ddns
|
||||||
- role: cloudflared
|
- role: cloudflared
|
||||||
- role: nginx
|
- role: nginx
|
||||||
# - role: actual
|
- role: pi-hole
|
||||||
# - role: changedetection
|
- role: actual
|
||||||
# - role: pi-hole
|
|
||||||
# - role: monitoring
|
|
||||||
# - role: postgres
|
# - role: postgres
|
||||||
# - role: wedding
|
# - role: wedding
|
||||||
|
# - role: changedetection
|
||||||
|
# - role: monitoring
|
||||||
vars:
|
vars:
|
||||||
# devsec.hardening.ssh_hardening vars:
|
# devsec.hardening.ssh_hardening vars:
|
||||||
ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
|
ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
|
||||||
|
|
|
||||||
|
|
@ -13,6 +13,7 @@
|
||||||
mounts:
|
mounts:
|
||||||
- source: actual_data
|
- source: actual_data
|
||||||
target: /data
|
target: /data
|
||||||
|
restart_policy: always
|
||||||
- name: Include simple-reverse-proxy role
|
- name: Include simple-reverse-proxy role
|
||||||
ansible.builtin.include_role:
|
ansible.builtin.include_role:
|
||||||
name: simple-reverse-proxy
|
name: simple-reverse-proxy
|
||||||
|
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
- name: Restart Nginx
|
|
||||||
become: true
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
name: nginx.service
|
|
||||||
state: restarted
|
|
||||||
- name: Restart ufw
|
|
||||||
become: true
|
|
||||||
ansible.builtin.systemd:
|
|
||||||
name: ufw.service
|
|
||||||
state: restarted
|
|
||||||
|
|
@ -1,93 +1,39 @@
|
||||||
---
|
---
|
||||||
- name: Create a user for running the pi-hole podman container
|
- name: Create a volume for DNS data
|
||||||
ansible.builtin.include_role:
|
become: true
|
||||||
name: user
|
community.docker.docker_volume:
|
||||||
vars:
|
name: pihole_data
|
||||||
user_username: "{{ pi_hole_username }}"
|
- name: Create a volume for Dnsmasq data
|
||||||
user_password: "{{ pi_hole_password }}"
|
become: true
|
||||||
- name: Create the pi-hole container
|
community.docker.docker_volume:
|
||||||
ansible.builtin.include_role:
|
name: dnsmasq_data
|
||||||
name: podman-container
|
- name: Install the container
|
||||||
apply:
|
become: true
|
||||||
become: true
|
community.docker.docker_container:
|
||||||
become_user: "{{ pi_hole_username }}"
|
name: pi-hole
|
||||||
vars:
|
image: "docker.io/pihole/pihole:{{ pi_hole_version }}"
|
||||||
podman_container_name: pi-hole
|
ports:
|
||||||
podman_container_image: docker.io/pihole/pihole
|
- "53:53/tcp"
|
||||||
podman_container_tag: "{{ pi_hole_version }}"
|
- "53:53/udp"
|
||||||
podman_container_publish:
|
- "127.0.0.1:8080:80/tcp"
|
||||||
- 127.0.0.1:5053:53/tcp
|
mounts:
|
||||||
- 127.0.0.1:5053:53/udp
|
- source: pihole_data
|
||||||
- 127.0.0.1:8080:80
|
target: /etc/pihole
|
||||||
podman_simple_container_volumes:
|
- source: dnsmasq_data
|
||||||
- name: etc-pihole
|
target: /etc/dnsmasq.d
|
||||||
mnt: /etc/pihole
|
restart_policy: always
|
||||||
- name: etc-dnsmasq.d
|
env:
|
||||||
mnt: /etc/dnsmasq.d
|
|
||||||
podman_container_env:
|
|
||||||
TZ: 'Europe/Amsterdam'
|
TZ: 'Europe/Amsterdam'
|
||||||
WEBPASSWORD: "{{ pi_hole_web_password }}"
|
WEBPASSWORD: "{{ pi_hole_web_password }}"
|
||||||
# VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
|
# VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
|
||||||
# FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
|
# FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
|
||||||
PIHOLE_DNS_: 1.1.1.1;1.0.0.1
|
PIHOLE_DNS_: 1.1.1.1;1.0.0.1
|
||||||
DNSMASQ_USER: root
|
DNSMASQ_USER: root
|
||||||
INTERFACE: tap0
|
DNSMASQ_LISTENING: all
|
||||||
- name: Install certificate for pi-hole.kleinendorst.info
|
- name: Include simple-reverse-proxy role
|
||||||
become: true
|
ansible.builtin.include_role:
|
||||||
ansible.builtin.command:
|
name: simple-reverse-proxy
|
||||||
cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
|
vars:
|
||||||
creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
|
simple_reverse_proxy_internal_port: 8080
|
||||||
- name: Set Nginx configuration
|
simple_reverse_proxy_internal_subdomain: pi-hole
|
||||||
become: true
|
simple_reverse_proxy_redirect_to: /admin
|
||||||
ansible.builtin.template:
|
|
||||||
src: pi-hole.conf.j2
|
|
||||||
dest: /etc/nginx/conf.d/pi-hole.conf
|
|
||||||
mode: '0644'
|
|
||||||
notify: Restart Nginx
|
|
||||||
- name: Debug
|
|
||||||
ansible.builtin.debug:
|
|
||||||
msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
|
|
||||||
- name: Setup udp port forwarding (53 > 5053) in nginx
|
|
||||||
become: true
|
|
||||||
ansible.builtin.blockinfile:
|
|
||||||
path: /etc/nginx/nginx.conf
|
|
||||||
insertbefore: '^http \{$'
|
|
||||||
block: |
|
|
||||||
stream {
|
|
||||||
server {
|
|
||||||
listen 53;
|
|
||||||
proxy_pass 127.0.0.1:5053;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 53 udp;
|
|
||||||
proxy_pass 127.0.0.1:5053;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
notify: Restart Nginx
|
|
||||||
# - name: Add forwarding rules for ufw
|
|
||||||
# become: true
|
|
||||||
# ansible.builtin.blockinfile:
|
|
||||||
# path: /etc/ufw/before.rules
|
|
||||||
# insertbefore: "^\\*filter$"
|
|
||||||
# block: |
|
|
||||||
# *nat
|
|
||||||
# :PREROUTING ACCEPT [0:0]
|
|
||||||
# -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
|
|
||||||
# -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
|
|
||||||
# COMMIT
|
|
||||||
# notify: Restart ufw
|
|
||||||
# - name: Allow all access to port 53 (udp)
|
|
||||||
# become: true
|
|
||||||
# community.general.ufw:
|
|
||||||
# rule: allow
|
|
||||||
# port: '53'
|
|
||||||
# proto: udp
|
|
||||||
# notify: Restart ufw
|
|
||||||
# - name: Allow all access to port 53 (tcp)
|
|
||||||
# become: true
|
|
||||||
# community.general.ufw:
|
|
||||||
# rule: allow
|
|
||||||
# port: '53'
|
|
||||||
# proto: tcp
|
|
||||||
# notify: Restart ufw
|
|
||||||
|
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
server_name pi-hole.kleinendorst.info;
|
|
||||||
|
|
||||||
# SSL via Let's Encrypt
|
|
||||||
ssl_certificate /etc/letsencrypt/live/pi-hole.kleinendorst.info/fullchain.pem; # managed by Certbot
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/pi-hole.kleinendorst.info/privkey.pem; # managed by Certbot
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
||||||
|
|
||||||
location = / {
|
|
||||||
return 301 https://pi-hole.kleinendorst.info/admin;
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
set $upstream_address 127.0.0.1;
|
|
||||||
set $upstream_port 8080;
|
|
||||||
set $upstream_proto http;
|
|
||||||
proxy_pass $upstream_proto://$upstream_address:$upstream_port;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,3 +1,2 @@
|
||||||
---
|
---
|
||||||
pi_hole_username: pi-hole
|
|
||||||
pi_hole_version: 2024.07.0
|
pi_hole_version: 2024.07.0
|
||||||
|
|
|
||||||
|
|
@ -1,11 +1,9 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
38343333306431366465313835386337326366336363336265326563306363646131636566616339
|
31623263303861666139376462643866323437386464323334666434343837373031386462313536
|
||||||
6661613931366263333039346530356336323932383236380a636638343531383731613930353033
|
3538306437346465346466376639666339353137333366660a383164666539373635663263326264
|
||||||
37643532353933323633353539366637653565643539613262623037366333316361346462393133
|
35353533313564336432646566346261313633333837663235643438333462343039353462663831
|
||||||
6431633163333931360a626130653537633962326363306630306264356330646637373236393334
|
3637316430363666650a663932306561373333316666376337666264373737383037653531363861
|
||||||
32383131396439393761343363353763356632333039303962633561663661323739393862353237
|
30636539323361643365613139663137313137373265313266396337666237396437663433633032
|
||||||
39343739333663656337396530366263386166323730353839393039313932323165333532616264
|
34373561373262333034636136346130333631626139346535663034613830323363336461366363
|
||||||
62393733386138616330383962666166373361313064313631353337343966623763326635666261
|
37343535376138653163363833616335653566373031393131383764623636393032396165383938
|
||||||
62343736366666623236303638346337656564313931353634633535353037666565653965646162
|
34386539373261313333
|
||||||
65626361623862643262346663633532643365306362666335626432633763333861326533353631
|
|
||||||
3963343336313630663366356638656465613735633930393534
|
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,14 @@ server {
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
|
||||||
|
{% if simple_reverse_proxy_redirect_to != "" %}
|
||||||
|
|
||||||
|
location = / {
|
||||||
|
return 301 https://{{ simple_reverse_proxy_internal_subdomain }}.kleinendorst.info{{ simple_reverse_proxy_redirect_to }};
|
||||||
|
}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
|
|
|
||||||
|
|
@ -1,2 +1,3 @@
|
||||||
---
|
---
|
||||||
|
simple_reverse_proxy_redirect_to: ''
|
||||||
simple_reverse_proxy_external_port: 443
|
simple_reverse_proxy_external_port: 443
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue