--- - name: Create a user for running the pi-hole podman container ansible.builtin.include_role: name: user vars: user_username: "{{ pi_hole_username }}" user_password: "{{ pi_hole_password }}" - name: Create the /etc-pihole directory in the home directory (will be mounted to the container) become: true become_user: "{{ pi_hole_username }}" ansible.builtin.file: path: "/home/{{ pi_hole_username }}/etc-pihole" state: directory mode: '0700' register: command_result failed_when: - command_result.changed == false - command_result.rc != 0 # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume # changes the user of the folder to a UID only known within the container. This command basically doesn't need to # change anything at this point so we'll ignore the error for now. - "'set_mode_if_different' not in command_result.module_stdout" - name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container) become: true become_user: "{{ pi_hole_username }}" ansible.builtin.file: path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d" state: directory mode: '0700' failed_when: - command_result.changed == false - command_result.rc != 0 # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume # changes the user of the folder to a UID only known within the container. This command basically doesn't need to # change anything at this point so we'll ignore the error for now. - "'set_mode_if_different' not in command_result.module_stdout" - name: Start the Pi-hole container become: true become_user: "{{ pi_hole_username }}" containers.podman.podman_container: name: pi-hole image: docker.io/pihole/pihole:2024.03.2 restart_policy: on-failure publish: # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426. # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port. - 127.0.0.1:5053:53/tcp - 127.0.0.1:5053:53/udp - 127.0.0.1:8080:80 env: TZ: 'Europe/Amsterdam' WEBPASSWORD: "{{ pi_hole_web_password }}" # VIRTUAL_HOST: 'pi-hole.kleinendorst.info' # FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}" PIHOLE_DNS_: 1.1.1.1;1.0.0.1 DNSMASQ_USER: root INTERFACE: tap0 volumes: - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole" - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d" state: started - name: Install certificate for pi-hole.kleinendorst.info become: true ansible.builtin.command: cmd: register_certbot_domain.sh pi-hole.kleinendorst.info creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory - name: Set Nginx configuration become: true ansible.builtin.template: src: pi-hole.conf.j2 dest: /etc/nginx/conf.d/pi-hole.conf mode: '0644' notify: Restart Nginx - name: Debug ansible.builtin.debug: msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}." - name: Add forwarding rules for ufw become: true ansible.builtin.blockinfile: path: /etc/ufw/before.rules insertbefore: "^\\*filter$" block: | *nat :PREROUTING ACCEPT [0:0] -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053 -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053 COMMIT notify: Restart ufw - name: Allow all access to port 53 (udp) become: true community.general.ufw: rule: allow port: '53' proto: udp notify: Restart ufw - name: Allow all access to port 53 (tcp) become: true community.general.ufw: rule: allow port: '53' proto: tcp notify: Restart ufw