PHiAX/Raspberry-Pi-IaC
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Raspberry-Pi-IaC/roles/pi-hole/tasks/main.yml
Thomas Kleinendorst f23093d8dc Add UDP forwarding from Nginx 
This is working locally, I can resolve addresses. But there still
seems to be another problem in that Windows is timing out when setting
the Pi as the DNS server.
2024-04-15 10:20:02 +02:00

120 lines
4.4 KiB
YAML
Raw Blame History

---
- name: Create a user for running the pi-hole podman container
ansible.builtin.include_role:
name: user
vars:
user_username: "{{ pi_hole_username }}"
user_password: "{{ pi_hole_password }}"
- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
become: true
become_user: "{{ pi_hole_username }}"
ansible.builtin.file:
path: "/home/{{ pi_hole_username }}/etc-pihole"
state: directory
mode: '0700'
register: command_result
failed_when:
- command_result.changed == false
- command_result.rc != 0
# This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
# changes the user of the folder to a UID only known within the container. This command basically doesn't need to
# change anything at this point so we'll ignore the error for now.
- "'set_mode_if_different' not in command_result.module_stdout"
- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
become: true
become_user: "{{ pi_hole_username }}"
ansible.builtin.file:
path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
state: directory
mode: '0700'
failed_when:
- command_result.changed == false
- command_result.rc != 0
# This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
# changes the user of the folder to a UID only known within the container. This command basically doesn't need to
# change anything at this point so we'll ignore the error for now.
- "'set_mode_if_different' not in command_result.module_stdout"
- name: Start the Pi-hole container
become: true
become_user: "{{ pi_hole_username }}"
containers.podman.podman_container:
name: pi-hole
image: docker.io/pihole/pihole:2024.03.2
restart_policy: on-failure
publish:
# It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
# Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
- 127.0.0.1:5053:53/tcp
- 127.0.0.1:5053:53/udp
- 127.0.0.1:8080:80
env:
TZ: 'Europe/Amsterdam'
WEBPASSWORD: "{{ pi_hole_web_password }}"
# VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
# FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
PIHOLE_DNS_: 1.1.1.1;1.0.0.1
DNSMASQ_USER: root
INTERFACE: tap0
volumes:
- "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
- "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
state: started
- name: Install certificate for pi-hole.kleinendorst.info
become: true
ansible.builtin.command:
cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
- name: Set Nginx configuration
become: true
ansible.builtin.template:
src: pi-hole.conf.j2
dest: /etc/nginx/conf.d/pi-hole.conf
mode: '0644'
notify: Restart Nginx
- name: Debug
ansible.builtin.debug:
msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
- name: Setup udp port forwarding (53 > 5053) in nginx
become: true
ansible.builtin.blockinfile:
path: /etc/nginx/nginx.conf
insertbefore: '^http \{$'
block: |
stream {
server {
listen 53;
proxy_pass 127.0.0.1:5053;
}
server {
listen 53 udp;
proxy_pass 127.0.0.1:5053;
}
}
notify: Restart Nginx
# - name: Add forwarding rules for ufw
# become: true
# ansible.builtin.blockinfile:
# path: /etc/ufw/before.rules
# insertbefore: "^\\*filter$"
# block: |
# *nat
# :PREROUTING ACCEPT [0:0]
# -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
# -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
# COMMIT
# notify: Restart ufw
# - name: Allow all access to port 53 (udp)
# become: true
# community.general.ufw:
# rule: allow
# port: '53'
# proto: udp
# notify: Restart ufw
# - name: Allow all access to port 53 (tcp)
# become: true
# community.general.ufw:
# rule: allow
# port: '53'
# proto: tcp
# notify: Restart ufw
Reference in a new issue View git blame Copy permalink