---
- name: Install Podman
  become: true
  ansible.builtin.apt:
    name: podman
    state: present
- name: Create a user for running the pi-hole podman container
  ansible.builtin.include_role:
    name: user
  vars:
    user_username: "{{ pi_hole_username }}"
    user_password: "{{ pi_hole_password }}"
- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
  become: true
  become_user: "{{ pi_hole_username }}"
  ansible.builtin.file:
    path: "/home/{{ pi_hole_username }}/etc-pihole"
    state: directory
    mode: '0700'
  register: command_result
  failed_when:
    - command_result.changed == false
    - command_result.rc != 0
    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
    # change anything at this point so we'll ignore the error for now.
    - "'set_mode_if_different' not in command_result.module_stdout"
- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
  become: true
  become_user: "{{ pi_hole_username }}"
  ansible.builtin.file:
    path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
    state: directory
    mode: '0700'
  failed_when:
    - command_result.changed == false
    - command_result.rc != 0
    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
    # change anything at this point so we'll ignore the error for now.
    - "'set_mode_if_different' not in command_result.module_stdout"
- name: Start the Pi-hole container
  become: true
  become_user: "{{ pi_hole_username }}"
  containers.podman.podman_container:
    name: pi-hole
    image: docker.io/pihole/pihole:2024.03.2
    restart_policy: on-failure # TODO: Doesn't restart containers on reboot for some reason...
    publish:
    # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
    # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
      - 127.0.0.1:5053:53/tcp
      - 127.0.0.1:5053:53/udp
      - 127.0.0.1:8080:80
    env:
      TZ: 'Europe/Amsterdam'
      WEBPASSWORD: "{{ pi_hole_web_password }}"
      # VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
      # FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
      PIHOLE_DNS_: 1.1.1.1;1.0.0.1
      DNSMASQ_USER: root
      INTERFACE: tap0
    volumes:
      - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
      - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
    state: started
- name: Install certificate for pi-hole.kleinendorst.info
  become: true
  ansible.builtin.command:
    cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
    creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
- name: Set Nginx configuration
  become: true
  ansible.builtin.template:
    src: pi-hole.conf.j2
    dest: /etc/nginx/conf.d/pi-hole.conf
    mode: '0644'
  notify: Restart Nginx
- name: Debug
  ansible.builtin.debug:
    msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
- name: Install ufw
  become: true
  ansible.builtin.apt:
    name: ufw
    state: present
- name: Set default policy (incoming)
  become: true
  community.general.ufw:
    direction: incoming
    policy: deny
- name: Set default policy (outgoing)
  become: true
  community.general.ufw:
    direction: outgoing
    policy: allow
- name: Allow forwarding in ufw
  become: true
  ansible.builtin.lineinfile:
    path: /etc/ufw/sysctl.conf
    regexp: '^#net/ipv4/ip_forward=1$'
    line: 'net/ipv4/ip_forward=1'
- name: Configure firewall to allow forward requests
  become: true
  ansible.builtin.lineinfile:
    path: /etc/default/ufw
    regexp: '^DEFAULT_FORWARD_POLICY="DROP"$'
    line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
  notify: Restart ufw
- name: Add forwarding rules for ufw
  become: true
  ansible.builtin.blockinfile:
    path: /etc/ufw/before.rules
    insertafter: "^COMMIT$"
    block: |-
      *nat
      :PREROUTING ACCEPT [0:0]
      -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5053
      -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5053
      COMMIT
  notify: Restart ufw
- name: Allow all access to ssh
  become: true
  community.general.ufw:
    rule: allow
    port: ssh
    proto: tcp
  notify: Restart ufw
- name: Allow all access to https
  become: true
  community.general.ufw:
    rule: allow
    port: https
    proto: tcp
  notify: Restart ufw
- name: Allow all access to port 53 (udp)
  become: true
  community.general.ufw:
    rule: allow
    port: '53'
    proto: udp
  notify: Restart ufw
- name: Allow all access to port 53 (tcp)
  become: true
  community.general.ufw:
    rule: allow
    port: '53'
    proto: tcp
  notify: Restart ufw
- name: Enable ufw
  become: true
  community.general.ufw:
    state: enabled